Details about the iOS certificate, App ID, device, Provisioning profile

Source: Internet
Author: User

First, open developer.apple.com and go to Certificates, Identifiers & Profiles in the iOS Dev Center to understand the basic structure. The list contains everything you need to develop, debug, and publish iOS apps: Certificates, Identifiers, Devices, and Provisioning Profiles.

Certificate

A certificate is used to sign an application. Only a signed application can guarantee that its source is trustworthy and that its code is complete and unmodified. In Xcode's Build Settings, the Code Signing Identity setting selects the certificate used to sign the code.

As we all know, before applying for a certificate we need to create a Certificate Signing Request (CSR) file. This process actually generates a public/private key pair, which is saved in the keychain of your Mac. Code signing uses asymmetric cryptography: the code is signed with the private key and the signature is validated with the public key. As shown, the associated public and private keys are stored in the login keychain of your Mac, and the certificate contains the public key. Only the private key can sign, so if you do not have the private key you cannot sign and therefore cannot use the certificate; at that point the only option is to revoke the previous certificate and apply for a new one. It is therefore a good idea to export and save your private key once you have finished applying for the certificate. When you want to share a certificate with other people or other devices, pass the private key to them. The private key is saved on your Mac, and the Apple-generated certificate contains the public key. When you sign your code with your private key, Apple can use the public key in the certificate to verify that it was you who signed the code, not someone impersonating you, and also to confirm the integrity of the code.

Certificates fall into two main categories, development and production. Development certificates are for developing and debugging applications; production certificates are primarily for distributing applications (depending on the type of certificate). The classification is as follows (the certificate validity period is in parentheses):

    • Development
      • App Development (1 year): Used to develop and debug applications on a real device.
      • Push Development (1 year): Used to debug Apple Push Notification.
    • Production
      • In-house and Ad Hoc (3 years): Used to publish in-house and Ad Hoc applications.
      • App Store: Used to publish apps submitted to the App Store.
      • MDM CSR
      • Push Production (1): Used for Apple Push Notification in release builds.
      • Pass Type ID Certificate: For Pass-type certificates.
      • Website Push ID Certificate

There are some types of certificates I have not used, so I do not understand the specific role.

App ID

The App ID identifies one app or a group of apps. App IDs should be identical to, or match, the bundle IDs in Xcode. There are two main types of App ID:

    • Explicit App ID: a unique App ID that identifies exactly one application. For example, com.ABC.demo1 identifies the program with bundle ID com.ABC.demo1.
    • Wildcard App ID: a wildcard App ID that identifies a group of applications. For example, * matches all applications, while com.ABC.* matches all applications whose bundle ID starts with com.ABC.

Each time you create an App ID, you can set the App Services that the App ID uses, that is, the extra services the app relies on. Each additional service has its own requirements. For example, to use Apple Push Notification Services you must use an explicit App ID, so that the application can be uniquely identified. The following are all currently optional services and the corresponding configuration requirements.

If your app uses any of the above-mentioned services, it needs to be configured as required.

Device

Device is the simplest concept: an iOS device. The Devices list contains all the devices available for development and testing in this account. Each device is uniquely identified by its UDID.

The number of devices in each account is limited to 100. Disabling a device does not free up a slot; the quota is only restored by removing devices at the beginning of the membership year.

Provisioning profile

A provisioning profile contains all of the above: certificates, App IDs, devices.

Imagine that we want to package an application or run it on a real device. We first need a certificate to sign it, to show that the application is legitimate, secure, complete, and so on. We then need to state its App ID and verify that it is consistent with the bundle ID. Finally, we need to confirm that the device is allowed to run the program. A provisioning profile packs all of this information together so that we can use it when debugging and releasing the program; we simply choose a different profile for each situation. The provisioning profile file is embedded in the .ipa package when it is packaged.

For example, as shown, a provisioning profile for development contains the App ID for that provisioning profile and the certificates and devices that can be used. This means that packaging with this provisioning profile requires the appropriate certificate, and that the program corresponding to the App ID can only run on the devices listed in Devices.

As mentioned above, the process of running an application on a single device is as follows:

As with certificates, provisioning profiles are divided into two types, development and distribution:

(Note: Different account types can create different types of certificates; obviously the type of profile is related to the kind of certificate you can create.)

    • Development (1 year)
    • Distribution (1 year)
      • In-house
      • Ad Hoc
      • App Store

The difference between in-house and Ad Hoc is that in-house has no device limit, whereas Ad Hoc is used for testing: Ad Hoc packages can only run on the devices registered in that account, which obviously means a limit of up to 100 devices. So the two provisioning profiles differ in their device limitations, while the certificate they use is the same.

2. Development/Release Process

Once you understand the concepts above, the development and release process is very simple, and I believe you can complete all the operations in one go without having to follow a tutorial.

Development / on-device debugging process

Based on the introduction above, development mainly involves the following steps:

    • Request a certificate
    • Add the device
    • Generate a provisioning profile
    • Set the Code Signing Identity in Xcode

In fact, the third step is usually unnecessary, because we normally develop with the iOS Team Provisioning Profile that Xcode generates and manages. It is very convenient, so you do not need to generate a provisioning profile manually.

The iOS Team Provisioning Profile is generated automatically by Xcode the first time you add a device using Xcode. It uses a wildcard App ID (*, matching all applications) and, as shown, contains all the devices and all the development certificates in the account. As a result, all members of the team can use this iOS Team Provisioning Profile to debug all applications on all the devices in the team. When a new device is added, Xcode updates the file.

Release process

Whether it is for the App Store, in-house or Ad Hoc, the packaging process is similar and includes the following key steps:

    • Create a distribution certificate
    • Create an App ID
    • Create the corresponding provisioning profile
    • Set the bundle ID so that it matches the App ID
    • Set the Code Signing Identity in Xcode, selecting the appropriate profile and certificate for signing and packaging

Speculation on how iOS devices verify that apps are legitimate

A few key points:

    1. Unzip the IPA.
    2. Extract embedded.mobileprovision and verify its signature to check whether it has been tampered with. It contains:
      1. The public keys of several certificates; the development certificate and the distribution certificate among them are used to verify the signature
      2. Bundle ID
      3. Authorization list
    3. Verify the signature of all files, including frameworks.
    4. Compare the bundle ID in Info.plist with the one in embedded.mobileprovision to check that they are consistent.
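
The bundle ID, device and validity checks described above, including explicit and wildcard App ID matching and the in-house versus Ad Hoc device rule, sketched in Python as an added example (not code from the original article and not Apple's implementation). The plist key names are those found in a decoded embedded.mobileprovision; the team prefix, UDIDs and envelope bytes are constructed, and the CMS signature is only skipped over, not verified.

```python
import plistlib
from datetime import datetime

def extract_profile(blob: bytes) -> dict:
    """Read the plist payload out of a .mobileprovision CMS envelope.
    This only reads it: the CMS signature is NOT verified here."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(blob[start:end])

def app_id_matches(app_id: str, bundle_id: str) -> bool:
    """app_id is '<prefix>.<bundle id>'; the bundle part may end in '*'."""
    _prefix, _, pattern = app_id.partition(".")
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])   # wildcard App ID
    return bundle_id == pattern                     # explicit App ID

def check_install(profile: dict, info_plist: dict, udid: str, now: datetime) -> list:
    """Return the reasons this profile does not cover the app on this device."""
    problems = []
    app_id = profile["Entitlements"]["application-identifier"]
    if not app_id_matches(app_id, info_plist["CFBundleIdentifier"]):
        problems.append("bundle ID not covered by App ID")
    # In-house profiles set ProvisionsAllDevices; others list device UDIDs.
    if not profile.get("ProvisionsAllDevices", False):
        if udid not in profile.get("ProvisionedDevices", []):
            problems.append("device not in profile")
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    return problems

# Constructed sample: placeholder envelope bytes around a hand-built profile.
SAMPLE_PROFILE = {
    "Name": "Constructed Ad Hoc Profile",
    "Entitlements": {"application-identifier": "ABCDE12345.com.ABC.*"},
    "ProvisionedDevices": ["CONSTRUCTED-UDID-0001"],
    "ExpirationDate": datetime(2030, 1, 1),
}
SAMPLE_BLOB = b"FAKE-CMS-HEADER" + plistlib.dumps(SAMPLE_PROFILE) + b"FAKE-SIGNATURE"

if __name__ == "__main__":
    profile = extract_profile(SAMPLE_BLOB)
    info = {"CFBundleIdentifier": "com.ABC.demo1"}
    now = datetime(2025, 1, 1)
    print(check_install(profile, info, "CONSTRUCTED-UDID-0001", now))  # covered
    print(check_install(profile, info, "CONSTRUCTED-UDID-9999", now))  # unknown device
```
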
