iOS certificate management, verification, packaging process

Source: Internet
Author: User

Background

The development and release of iOS software is inseparable from certificates and profiles. To release an app to the Apple Store or to use Apple's push notification feature, you need a personal developer certificate to sign the app so that it passes Apple's certification and review. Our company does not ship a single app; each customer has its own app. The new version needs the push notification function, so the app has to be released to the Apple Store and certified before it can use the service Apple provides. In addition, to meet the needs of customers who want to publish their apps to the Apple Store, customers who use this feature have to upload their personal developer certificates and related files to us. The certificate then has to be validated and managed, and during packaging it has to be imported dynamically and used for signing. This article records the relevant principles and the implementation details of verification and packaging.

Professional vocabulary

Signing Certificate:

A signing certificate is used to sign the code after it is compiled, mainly to establish the owner and legitimacy of the code. When compiling with the iOS 7 SDK, the signing certificate has to be specified at compile time; it is still possible to re-sign after compiling.

Push Certificate:

The push certificate is what our server needs for authentication when it sends push messages to the Apple server. It is not used for packaging; it is only needed for communication between our back end and the Apple server.

AppId:

Each application has a globally unique AppID, which is the identity of the application. A push certificate is generated for a specified AppID, so each push certificate corresponds to exactly one AppID.

Configuration file:

The configuration file contains almost all of the information above: the AppID of the application, the signing certificate that belongs to the application, whether push is enabled for the application, whether the application is a development version or a release version, and which phones the application can be installed on (a release version can be installed on all phones).

Verifying and obtaining information about a certificate

Signing certificate: the suffix is usually .p12, and the user has to enter a password to import the certificate.

From the signing certificate you can get the UID, the certificate name and the certificate validity period. Under Linux or Mac, use OpenSSL to get this information with the following commands:

(1) openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"My password" | openssl x509 -noout -text
This outputs all the information we need, but it has to be searched and parsed.

(2) openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"My password" | openssl x509 -noout -dates
This outputs the validity period of the certificate.

(3) openssl pkcs12 -in ~/cert.p12 -nodes -passin pass:"My password" | openssl x509 -noout -subject
This outputs the UID and the certificate name of the certificate.

Push certificate (optional): the suffix is usually .p12, and the user also has to enter the password of the certificate. As with the signing certificate, you can get the UID, the certificate name and the certificate validity period, and also whether the certificate is of the push notification type. The commands are the same as above. How to determine whether a .p12 file is a push certificate: see the highlighted part in the following figure, which is followed by the AppID.
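
The output of commands (2) and (3) still has to be parsed before a server can decide whether to accept an uploaded certificate. The following parser is an added example, not code from the original article: the function names are hypothetical, the sample output is constructed, and the push certificate name prefixes are an assumption based on commonly seen Apple certificate names.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -subject -dates` output
# (all names and identifiers are made up).
SAMPLE = """\
subject= /UID=com.example.demo/CN=Apple Production IOS Push Services: com.example.demo/OU=ABCDE12345/C=US
notBefore=Oct 28 03:19:05 2013 GMT
notAfter=Oct 28 03:19:05 2014 GMT
"""

# Assumed CN prefixes of push certificates; the text after the prefix is the AppID.
PUSH_CN = re.compile(r"Apple (?:(?:Development|Production) IOS )?Push Services: (.+)")

def _date(text, field):
    """Parse a notBefore/notAfter line into an aware UTC datetime."""
    raw = re.search(rf"^{field}=(.+)$", text, re.M).group(1).strip()
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_cert_info(text):
    """Extract UID, certificate name, validity window and push AppID (or None)."""
    subject = re.search(r"^subject=\s*(.*)$", text, re.M).group(1)
    # Accepts "/UID=x/CN=y" (older OpenSSL) and "UID = x, CN = y" (newer OpenSSL).
    # Limitation: a name containing "/" or "," is cut short at that character.
    fields = {k: v.strip() for k, v in
              re.findall(r"(?:^|[/,])\s*([A-Za-z]+)\s*=\s*([^/,]*)", subject)}
    push = PUSH_CN.fullmatch(fields.get("CN", ""))
    return {"uid": fields.get("UID"), "name": fields.get("CN"),
            "not_before": _date(text, "notBefore"),
            "not_after": _date(text, "notAfter"),
            "push_app_id": push.group(1) if push else None}

def is_usable(info, now):
    """True only while `now` lies inside the certificate's validity window."""
    return info["not_before"] <= now <= info["not_after"]
```

Rejecting a certificate when is_usable returns False at upload time avoids a signing or push failure later in the pipeline.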

Configuration file: the suffix is .mobileprovision

From this profile you can get the AppID, the expiration time, the certificate type, whether it is a development version or a release version, and so on. The method is as follows:

(1) First convert the configuration file into XML and then parse it. Command:

openssl smime -inform der -verify -noverify -in file.mobileprovision

(2) XML node description:

Date the profile was generated

<key>ExpirationDate</key>
<date>2014-10-28T03:19:05Z</date>
    Profile expiration time

<key>application-identifier</key>
<string>kzv5n634g4.com.mdby.motan2.testforpush</string>
    Application identifier, globally unique. The part marked in red needs to be passed to the packaging program at packaging time.

This is the AppID described above.

<key>aps-environment</key>
<string>development</string>

<key>aps-environment</key>
<string>production</string>
    Determines whether the certificate is for a release version or a development version; this can also be judged from other flags.

<key>UUID</key>
<string>855C845A-2E51-414F-A29B-837AD1A67F67</string>

The UUID is a unique identifier. To use a configuration file in a project, we normally double-click it and then select it in the Xcode project. What actually happens is that the system parses the mobileprovision file, extracts the UUID inside it, renames the mobileprovision file to this UUID and places the file in the ~/Library/MobileDevice/Provisioning Profiles/ directory of the Mac system. An Xcode project looks for available mobileprovision files under this path by default. So before compiling and packaging, we need to rename the mobileprovision file on the server to this UUID and put it in the directory above; the packaging command can then specify the configuration file directly by its UUID.

Push Certificate Making

The push certificate that the customer uploads has the .p12 suffix and cannot be used directly to push messages. The certificate and the private key inside it have to be converted into a file with the .pem suffix, and this file is used to communicate with the Apple server. The steps are as follows:

Extract the certificate from the P12 file

openssl pkcs12 -in mykeystore.p12 -clcerts -nokeys -out mycert.pem -passin pass:"mdby2013"

Extract the private key from the P12 file

openssl pkcs12 -nocerts -out mykey.pem -in push.p12 -passin pass:"mdby2013" -passout pass:"mdby2013"

Merge the cert and the key

cat Pushchatcert.pem Pushchatkey.pem > Ck.pem

Compiling, signing, packaging

0. With older versions of the command line tools, an environment variable has to be exported first

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"

1. Unlock the Mac keychain

security unlock-keychain -p $ ~/Library/Keychains/login.keychain

$ is the password for the login keychain of the system.

2. Import the signing certificate into the Mac keychain

security import /Users/mrghappy/app/mdby.p12 -k ~/Library/Keychains/login.keychain -P "$" -A

$ is the password for importing the certificate, that is, the password the customer set when exporting their signing certificate. -A means that the certificate is available to any application; this is a security risk and needs caution. It is added so that a dialog asking for a password does not pop up every time the certificate is used for signing during packaging.

3. Check whether the imported certificate is in the keychain

security find-certificate -a -c "$" -Z | grep ^SHA-1

$ is the name of the certificate; the command lists the certificates in the system that have this name.

4. Clean the project

xcodebuild clean

5. Build the project

xcodebuild -target motan -configuration Release build PLATFORM_NAME=iphoneos buildsdk=/developer-sdk7 CODE_SIGN_IDENTITY="$2" PROVISIONING_PROFILE="$3"

Here $2 is the certificate name that corresponds to the signing certificate, and $3 is the UUID of the configuration file.

6. Sign and package

xcrun -sdk iphoneos PackageApplication -v /Users/mrghappy/app/build/Release-iphoneos/$4.app -o /Users/mrghappy/app/build/Release-iphoneos/$4.ipa --sign "$" --embed /Users/mrghappy/app/mdby.mobileprovision

Here $4 is the name of the project, --sign specifies the signing certificate used for the signature, and --embed specifies the configuration file to embed in the package.

7. We can then verify that the packaged IPA file is correct

codesign -d -vvv --file-list - /Users/mrghappy/app/build/Release-iphoneos/$4.app

8. To keep too many imported certificates from accumulating in the keychain, which makes maintenance difficult, the certificate can be deleted after packaging

security delete-certificate -c "$" ~/Library/Keychains/login.keychain
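
Step 5 passes the UUID of the configuration file to xcodebuild, and the configuration file section describes renaming the uploaded profile to that UUID first. The sketch below is an added example, not code from the original article: it reads the XML printed by the openssl smime command and checks the fields before they are used as a file name or build argument. The function and constant names are hypothetical, the sample profile is constructed, and it assumes that application-identifier and aps-environment sit inside the profile's Entitlements dictionary.

```python
import plistlib
import re
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample of the XML printed by the openssl smime command
# (a real profile carries more keys; the bundle id is made up).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ExpirationDate</key><date>2014-10-28T03:19:05Z</date>
  <key>UUID</key><string>855C845A-2E51-414F-A29B-837AD1A67F67</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.demo</string>
    <key>aps-environment</key><string>production</string>
  </dict>
</dict></plist>"""

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
PROFILE_DIR = PurePosixPath("~/Library/MobileDevice/Provisioning Profiles")

def check_profile(xml_bytes, expected_bundle_id, now):
    """Return (uuid, install_path, aps_environment) or raise ValueError.

    `now` is a naive UTC datetime, matching what plistlib returns for <date>.
    """
    # -noverify skips the signer certificate check, so every field is untrusted input.
    profile = plistlib.loads(xml_bytes)
    uuid = str(profile.get("UUID", ""))
    # The UUID becomes a file name and a build argument: accept only the
    # canonical form so it cannot carry path separators or shell characters.
    if not UUID_RE.fullmatch(uuid):
        raise ValueError("UUID is not in canonical form")
    expires = profile.get("ExpirationDate")
    if not isinstance(expires, datetime) or expires <= now:
        raise ValueError("profile is expired or has no expiration date")
    entitlements = profile.get("Entitlements", {})
    # application-identifier is "<prefix>.<bundle id>"; wildcard ids are rejected here.
    _, _, bundle_id = str(entitlements.get("application-identifier", "")).partition(".")
    if bundle_id != expected_bundle_id:
        raise ValueError("profile belongs to a different AppID")
    install_path = PROFILE_DIR / f"{uuid}.mobileprovision"
    return uuid, str(install_path), entitlements.get("aps-environment")
```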