Detailed explanation of the key points of iOS development certificate, detailed explanation of ios certificate

Regarding development certificate configuration (Certificates & Identifiers & Provisioning Profiles), I believe most people doing iOS development have been tossed about by it. Whether you are an iOS novice, a part-timer or a veteran, you will have run into more or less the following unknowns, questions, doubts or even confusion:

This article systematically sorts out the related concepts.

First, it is assumed that you have used an Apple device (iMac/iPad/iPhone) and registered an Apple ID (Apple Account). Second, you must join the Apple Developer Program (Enroll in iOS Developer Program to become a member) and register a developer account. Only with a developer account can you apply for development/distribution certificates and the related provisioning files, and then develop and debug apps on a real iOS device or publish to the App Store. Developer accounts come in two types: Individual and Company/Organization. Unless stated otherwise, the rest of this article assumes an ordinary Individual developer account ($99/Year).

#### 1. App ID (bundle identifier)

An App ID identifies one app or a group of apps, and it should equal or match the Bundle Identifier in Xcode. App ID strings are usually prefixed (Prefix/Seed) with a Company Identifier (Company ID) in reverse-domain-name format, and the full App ID is additionally prefixed with the ApplicationIdentifierPrefix (usually `TeamID.`). App IDs fall into two categories:

- Explicit App ID: a unique App ID that identifies exactly one application. For example, the App ID "com.apple.garageband" identifies the program whose Bundle Identifier is "com.apple.garageband".
- Wildcard App ID: identifies a group of applications. For example, `*` (in full, `ApplicationIdentifierPrefix.*`) means all applications, and `com.apple.*` means all applications whose identifier starts with "com.apple.".

Registered App IDs can be deleted (Delete) on the website. The App ID is configured under [Xcode Target|Info|Bundle Identifier]; for a Wildcard App ID it is enough that the bundle identifier contains it as Prefix/Seed.

#### 2. Device

A Device is an iOS device used to develop and debug the App. Each device is uniquely identified by its UDID. After connecting the iOS device to the Mac, its UDID (Identifier) can be read via iTunes->Summary or Xcode->Window->Devices. The Devices page under the personal account on the Apple Member Center website lists all registered devices available for development and testing. An ordinary individual developer account can register up to 100 devices per year, and registered devices can be enabled/disabled (Enable/Disable) on the website. Apps signed by you or your team run only on the designated development/test devices you specify.

In this article, Devices refers to the iOS devices (iPhone/iPad) connected to Xcode and authorized for development and testing.

#### 3. Certificates

As the name implies, certificates prove the legitimacy and integrity of content (the executable code of the App). For an app you want to install on a real device or publish to the App Store, only after its signature is validated (Signature Validated) can you be sure that it comes from a trusted source and that its content is complete and has not been tampered with. Certificates are divided into two categories: Development and Production (Distribution).

- A Development certificate is used to develop and debug applications: "A development certificate identifies you, as a team member, in a development provisioning profile that allows apps signed by you to **launch** on devices."
- A Production certificate is mainly used to distribute applications (its function depends on the certificate type): "A distribution certificate identifies your team or organization in a distribution provisioning profile and allows you to **submit** your app to the store. Only a team agent or an admin can create a distribution certificate."

An ordinary individual developer account can register up to 2 iOS Development certificates and 2 iOS Distribution certificates, and registered certificates can be revoked (Revoke) on the website. The following focuses on the Development certificate used during development and debugging.

First of all, iOS and Mac OS X (once Xcode is installed) automatically install the AppleWWDRCA.cer (Apple Worldwide Developer Relations Certification Authority) intermediate certificate. It is effectively the CA of iOS certificates: its public key is used to verify that a developer certificate is genuine. If this certificate is not yet installed when you apply for a certificate through the Keychain Access Certificate Assistant, download and install it first (Signing requires that you have both the signing identity and the intermediate certificate installed in your keychain).

When manually applying for a development certificate through the Keychain Access Certificate Assistant (Xcode can also do this automatically), Keychain Access generates a CSR (Certificate Signing Request) file containing the developer's identity information; at the same time, a Public/Private Key Pair is added under Keychain Access|Keys (This signing identity consists of a public-private key pair that Apple issues).

The private key is used for signing (CodeSign) and always stays in the Keychain Access of Mac OS; the public key is generally distributed with the certificate to verify the signature. You must protect the private key in the local Keychain to prevent counterfeiting. Keep a secure backup of your public-private key pair. If the private key is lost, you'll have to create an entirely new identity to sign code. Worse, if someone else has your private key, that person may be able to **impersonate** you.

Upload the CSR file to the Apple developer website; Apple's certification authority WWDRCA signs the public key and identity information in the CSR with its private key, producing a digital certificate (ios_development.cer), and records it (Apple Member Center). Download the certificate from the Apple Member Center website and double-click it on the Mac to install. Once installed, expand the arrow in front of the private key of the Key Pair generated when creating the CSR (Keychain Access|Keys) to see the certificate containing its corresponding public key (Your requested certificate will be the public half of the key pair.); expand the arrow in front of the installed certificate (ios_development.cer) in Keychain Access|Certificates to see its corresponding private key.

The certificate is configured under [Xcode Target|Build Settings|Code Signing|Code Signing Identity]: open the drop-down and select an identity under Identities from Profile "..." (it is usual to configure the Provisioning Profile first).

#### 4. Provisioning Profiles

The Provisioning Profile ties together everything above: certificates, App ID and devices. A Provisioning Profile corresponds to one Explicit App ID or one Wildcard App ID (a group of App IDs sharing the same Prefix/Seed). When manually creating a Provisioning Profile on the website, you specify in turn an App ID (single choice), Certificates (multiple choice) and Devices (multiple choice). Registered Provisioning Profiles can be deleted (Delete) on the website. The Provisioning Profile determines which certificate (public key)/private key combination (Key Pair/Signing Identity) Xcode uses to sign the application (Signing Product); it is embedded in the .ipa package when the application is packaged. When the app is installed, the Provisioning Profile is copied to the iOS device, and the device uses it to authenticate the installed program. To package an app or run it on a real device, three things are generally required:

1. the private key corresponding to the certificate, used to sign the app and thereby establish that the app is legitimate, safe and complete;
2. the App ID, against which the Bundle ID is checked for consistency;
3. for on-device debugging, confirmation that the device is authorized to run the app.

The Provisioning Profile packs all of this information together, which is convenient when debugging and when packaging a release: you simply choose a different Provisioning Profile for each situation. Provisioning Profiles are also divided into Development and Distribution, with the same validity period as the Certificate. A Distribution Provisioning Profile is mainly used for submitting to the App Store for review; it specifies no development/test Devices (0, unlimited) and its App ID is the Wildcard App ID (*). After App Store review is approved, the App may be installed and run on all iOS devices (Deployment Target).

Xcode stores all provisioning profiles (both those manually downloaded and installed by the user and the Team Provisioning Profiles automatically created by Xcode) under ~/Library/MobileDevice/Provisioning Profiles. Below is a brief analysis of the composition of a typical provisioning profile *.mobileprovision:

(1) Name : the file name of the mobileprovision.

(2) UUID : the real file name of the mobileprovision file.

(3) TeamName : Apple ID account name.

(4) TeamIdentifier : Team Identity.

(5) AppIDName : name of the explicit/wildcard App ID (under the ApplicationIdentifierPrefix).

(6) ApplicationIdentifierPrefix : The prefix of the complete App ID (TeamIdentifier.*).

(7) DeveloperCertificates : all certificates that may be used to sign applications with this profile.

Each certificate is Base64-encoded in the PEM (Privacy Enhanced Mail, RFC 1848) format and can be inspected with OpenSSL (`openssl x509 -text -in file.pem`).

Extract the content of a DeveloperCertificates entry into a file cert.cer (cert.pem):

```
-----BEGIN CERTIFICATE-----
(paste the Base64 content here)
-----END CERTIFICATE-----
```

On a Mac, right-click QuickLook to view cert.cer (cert.pem), and right-click Get Info in Keychain Access to view the corresponding certificate ios_development.cer. Under normal conditions (the public/private Key Pair matches) the two should be identical; on Windows, without WWDRCA.cer installed, there is not enough information to verify the certificate.

If you use a certificate that is not in this list for signing, the application will CodeSign Fail regardless of whether the certificate is valid.

(8) Entitlements : corresponds to the Entitlements key:

keychain-access-groups : $(AppIdentifierPrefix), see Code Signing Entitlements (.entitlements).

Each application has a keychain that can be used to store information such as passwords and credentials securely. Generally speaking, a program can only access its own keychain. Through some settings made when signing the application, the keychain can also be used to share information between different applications signed by the same developer (that is, with the same bundle seed). For example, if you have one developer account and have developed two different applications A and B, you can share the contents of this keychain by giving A and B a common keychain access group.

application-identifier : The full name with a prefix, such as $(AppIdentifierPrefix)com.apple.garageband.

com.apple.security.application-groups : App Group ID (group.com.apple), see Code Signing Entitlements (.entitlements).

com.apple.developer.team-identifier : Same as Team Identifier.

(9) ProvisionedDevices : the UDIDs of the development devices authorized by this mobileprovision.

The Provisioning Profile is configured under [Xcode Target|Build Settings|Code Signing|Provisioning Profile]; then, under Code Signing Identity, select an identity under Identities from Profile "..." (that is, one of the Certificates included in the Provisioning Profile).
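The three checks described above (certificate, App ID, device) together with the DeveloperCertificates and Entitlements fields can be exercised offline. The following Python script is an added example, not code from the original article: it pulls the plist out of a .mobileprovision the way `security cms -D` does, using a constructed sample profile whose certificate bytes, Team ID and UDID are placeholders, and reports which checks would fail for a given signing setup.

```python
import base64
import hashlib
import plistlib

# Constructed sample of the plist inside a *.mobileprovision (a real file wraps
# this XML in a CMS/PKCS#7 envelope). The certificate bytes, Team ID and UDID
# below are placeholders, not real values.
FAKE_CERT_DER = b"placeholder-der-certificate-bytes"
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>iOS Team Provisioning Profile: com.example.*</string>
  <key>UUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ApplicationIdentifierPrefix</key><array><string>ABCDE12345</string></array>
  <key>AppIDName</key><string>Xcode iOS Wildcard App ID</string>
  <key>DeveloperCertificates</key><array><data>%s</data></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.*</string>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  </dict>
  <key>ProvisionedDevices</key>
  <array><string>0123456789abcdef0123456789abcdef01234567</string></array>
</dict></plist>""" % base64.b64encode(FAKE_CERT_DER)


def extract_plist(mobileprovision: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope (like `security cms -D -i`),
    without checking Apple's signature over the profile."""
    start = mobileprovision.index(b"<?xml")
    end = mobileprovision.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(mobileprovision[start:end])


def app_id_matches(pattern: str, full_app_id: str) -> bool:
    """Explicit App ID must be equal; Wildcard App ID (prefix.*) matches by prefix."""
    if pattern.endswith("*"):
        return full_app_id.startswith(pattern[:-1])
    return pattern == full_app_id


def check_install(profile: dict, bundle_id: str, udid: str,
                  signing_cert_der: bytes, app_entitlements: dict) -> list:
    """Return the reasons this signing setup would be rejected; [] means OK."""
    problems = []
    ent = profile["Entitlements"]
    prefix = profile["ApplicationIdentifierPrefix"][0]
    # 1. Signing certificate must be one of DeveloperCertificates (compared by
    #    SHA-1 fingerprint); any other certificate gives CodeSign Fail.
    allowed = {hashlib.sha1(c).hexdigest() for c in profile["DeveloperCertificates"]}
    if hashlib.sha1(signing_cert_der).hexdigest() not in allowed:
        problems.append("certificate not listed in DeveloperCertificates")
    # 2. Prefix.BundleID must match the profile's application-identifier.
    if not app_id_matches(ent["application-identifier"], prefix + "." + bundle_id):
        problems.append("bundle identifier does not match application-identifier")
    # 3. Development profiles list ProvisionedDevices; Distribution profiles
    #    have no such key, so the device check does not apply to them.
    if "ProvisionedDevices" in profile and udid not in profile["ProvisionedDevices"]:
        problems.append("device UDID not in ProvisionedDevices")
    # 4. Every keychain-access-group the app requests must be covered by the
    #    profile's Entitlements (otherwise error 0xE8008016 at install time).
    for group in app_entitlements.get("keychain-access-groups", []):
        if not any(app_id_matches(p, group) for p in ent.get("keychain-access-groups", [])):
            problems.append("keychain-access-group %r not allowed by profile" % group)
    return problems
```

To run it against a real profile, read the file from ~/Library/MobileDevice/Provisioning Profiles and pass its bytes to `extract_plist`; the SHA-1 fingerprint of your certificate can be compared with what Keychain Access shows under Get Info.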

#### 5. Team Provisioning Profile

Each Apple developer account corresponds to a unique Team ID. The Team Provisioning Profile was added as a new feature in the Xcode 3.2.3 pre-release. When you add an Apple Developer Account in Xcode, Xcode communicates with the Apple Member Center backend to automatically generate the iOS Team Provisioning Profile (Managed by Xcode).

The Team Provisioning Profile includes an iOS Team Provisioning Profile generated for the Xcode iOS Wildcard App ID (`*`, matching all applications): all Development Certificates and Devices in the account can be used to debug any application (regardless of bundle identifier) on any device registered with this team. Xcode also creates a corresponding iOS Team Provisioning Profile for each Wildcard/Explicit App ID created by the developer. The Team Provisioning Profile is generated or updated when:

- an Apple ID account is added to Xcode;
- Fix issue is used in Xcode for "No Provisioning Profiles with a valid signing identity";
- the app is assigned to a Team in the Xcode project settings under General|Identity;
- a new device is registered on the Apple developer website, or Xcode detects a newly connected device.

Using the iOS Team Provisioning Profile generated and managed by Xcode is very convenient for development: there is no need to generate and download a Provisioning Profile manually on the website. A Team Provisioning Profile is the same as any other Provisioning Profile except that it is automatically generated by Xcode; it is likewise configured under [Xcode Target|Build Settings|Code Signing|Provisioning Profile].

#### 6. App Group (ID)

Besides the release of OS X v10.10 and Swift at WWDC14, iOS 8.0 also became more open, and openness here means the application extension (App Extension). As the name implies, an application extension lets developers extend an application's custom functions and content so that users can use them while in other applications, sharing functions and resources between applications. An extension can be understood as a nimble, lightweight clone. The extension and its Containing App each have their own sandbox: although the extension is embedded in the Containing App as a plug-in, they are independent binary packages and cannot access each other's sandbox. To let the Containing App and its extension share data, Apple introduced a new concept in iOS 8, the App Group, which lets apps in the same Group share data through a shared resource area (the App Group Container) identified by an App Group ID.

Users can edit the App Group assignment of Explicit App IDs on the website and can delete (Delete) a registered App Group (ID). The Explicit App IDs of the Containing App and the Extension must be assigned to the same App Group to share data, and their App IDs must follow the naming convention: if GarageBand's App ID is "com.apple.garageband", the App ID of the extension that imports voice memos into GarageBand may look like "com.apple.garageband.extImportRecording".

For the Provisioning Profile, you can use one generated manually or the Team Provisioning Profile automatically generated by Xcode. The App Group is configured under the key com.apple.security.application-groups of the [Xcode Target|Build Settings|Code Signing|Code Signing Entitlements] file (*.entitlements) and does not affect the provisioning profile generation process.

#### 7. Certificate & Signature

The private key corresponding to each certificate (the certificate itself carries the public key) is used to digitally sign the content (CodeSign): a hash algorithm produces a content digest (Digest), which is then signed (the executable code is signed; resources such as images and nib files aren't signed). As mentioned above, the public key is contained in the digital certificate, the digital certificate is contained in the provisioning profile, and the provisioning profile is copied to the iOS device when the application is installed. On the iOS/Mac device, ios_development.cer can be decrypted with the public key in AppleWWDRCA.cer to obtain the trusted public key of each development certificate. Verification then proceeds in two steps:

1. The iOS/Mac device (system) uses the CA certificate (WWDRCA.cer) to determine the legitimacy of the App Provisioning Profile (Code Signing Identity): if the WWDRCA public key successfully decrypts the certificate and yields the public key (Public Key) and content digest (Signature), the certificate was indeed issued by AppleWWDRCA, that is, its source is credible; a hash of the certificate itself is then computed and, if it matches the digest obtained in the previous step, the certificate has not been tampered with, that is, it is complete.

2. The iOS/Mac device (system) uses the certificate in the App Provisioning Profile (Code Signing Identity) to determine the legitimacy of the App: if the certificate's public key successfully decrypts the digest (Signature) of the App (executable code), the App was indeed issued by a certified developer, that is, its source is credible; a hash of the App (executable code) itself is then computed and, if it matches the digest obtained in the previous step, the App (executable code) has not been tampered with, that is, its content is complete.

#### 8. Sharing a development account/certificate across multiple machines

In Xcode Preferences|Accounts, select the account and then the Team entry | View Details to see its Signing Identities and Provisioning Profiles. To share an account, select it and click the +/- control at the bottom | Export Accounts, which exports a .developerprofile file (Exporting a Developer Profile) containing the account, code signing identity and provisioning profile information; on another machine, import it into Xcode (Import Accounts). To share just a certificate, select the Signing Identity entry to export, click + at the bottom of the column | Export, enter a password and authorize exporting the private key from the keychain to produce Certificates.p12; alternatively, in Keychain Access|Certificates (or under the private key) select the certificate, right-click Export, or use the menu File|Export Items.

On the other Mac, double-click Certificates.p12 (entering the password if one was set) to install the shared certificate. Then register the iOS device you want to debug on under the developer account on the developer website, download the corresponding Provisioning Profile that authorizes that device, and you can develop and debug on the real iOS device.

#### 9. Common errors in certificate configuration

1. Xcode Target|General|Identity Team shows "Your build settings specify a provisioning profile with the UUID "xxx", however, no such provisioning profile was found." The provisioning profile with that UUID currently configured under Xcode Target|Build Settings|Code Signing does not exist locally, so the Provisioning Profile needs to be changed. If necessary, download or regenerate the Provisioning Profile manually on the website, or solve it directly with Fix issue in Xcode (an iOS Team Provisioning Profile may be generated automatically).
2. After selecting a locally installed provisioning profile under Build Settings|Code Signing|Provisioning Profile, the Code Signing Identity drop-down shows No identities from profile "..." or No identities from keychain. None of the Developer Certificates in the provisioning profile with the configured UUID is available in the local Keychain, or they are inconsistent (the Private Key of the Key Pair is missing). Check on the website whether the App ID-Certificate-Device configuration of the Provisioning Profile is correct. If the account was shared by someone else (.developerprofile) or a shared certificate (.p12) is used, make sure the Private Key of the corresponding Key Pair was exported with it. If necessary, this can also be solved directly with Fix issue in Xcode (an iOS Team Provisioning Profile may be generated automatically).
3. "Invalid application-identifier Entitlement" or "Code Signing Entitlements file do not match those specified in your provisioning profile. (0xE8008016)".
   (1) Check whether the Keychain Access Groups value in the .entitlements file is consistent with the Entitlements in the Provisioning Profile (the latter is generally the Prefix/Seed of the former).
   (2) Alternatively, leave the Code Signing Entitlements for the relevant configuration (Debug) under Build Settings|Code Signing blank.
4. Xcode does not always react promptly to configuration changes; try refreshing, toggling the relevant configuration item (if any), or restarting Xcode.
