Code signing is among the most painful duties that each iOS dev has to do. On this article, I’ll clarify the entire process.
How does code signing work?
As I discussed in my previous article iOS gadgets can solely run apps which can be signed by trusted builders. The provisioning course of is just the start of a a lot greater story. Profiles are used throughout the code signing part, however what precisely is a code signature, and most significantly, how can I signal an iOS app efficiently?
Code signing is the method of digitally signing an app, to make sure that it comes from a sure developer. It is much like if you signal your real-world contracts, nevertheless it’s a lot safer as a result of a cryptographic hash is far more distinctive than a splash of ink. Code signing additionally ensures the integrity of the code, it is a assure that the app has not been modified or corrupted for the reason that developer made it. In different phrases, you possibly can’t get any malware or virus if you happen to solely obtain code signed apps. 😊
The preliminary expertise for signing executable apps appeared across the time when the primary iPhone was launched because the code signing process was essential for a mass-market product. Apple launched a strategy to defend each their clients and the App Retailer. iOS merely will not run unsigned code, nonetheless, you would disable this safety gate by jailbreaking your cellphone. That is a really harmful course of, you should not do it in any respect.
Now that the explanations, it is time to learn how code signing works under the hood. Let’s examine what sort of instruments and information are concerned throughout the signing course of.
Certificates, keys and a bit of little bit of cryptography
Let’s have a fast overview of certificates, non-public and public keys.
Certificates Signing Request
The Certificate Signing Request (CSR) is a file that it’s a must to ship to a certificates authority (on this case Apple, via the developer portal) to use for a digital identification certificates. The method of making a CSR is a part of the Public Key Infrastructure (PKI). The applicant has to generate a public and a non-public key on the native machine, then a CSR file will be generated from the general public key file with some extra private information, like title, electronic mail and so on. Applicant retains the non-public key secret, which means that you need to NEVER give out your non-public key to the general public! 🤫
A certificates is a public key mixed with a number of extra data signed by a Certificates Authority (CA), on this case, Apple. You’ll be able to generate a certificates by importing a CSR file to the developer portal or these days Xcode can routinely handle them for you. The certificates expires in some unspecified time in the future in time, if that occurs it’s a must to renew it. Apple also can revoke your certificates if you happen to break the foundations, if that occurs, you will not be capable to code signal your apps anymore. Please observe that you will additionally want the corresponding non-public key throughout the code signing course of.
Public-key cryptography, or uneven cryptography, is a cryptographic system that makes use of pairs of keys.
The general public key will be shared with everybody, it is often accessible underneath a publicly accessible listing. An individual who has the general public key can encrypt some knowledge for a particular receiver. The receiver with the non-public key can solely decode the message. The digital signature course of additionally depends on this basic idea of uneven cryptography. Guess what? That is additionally a part of the Public Key Infrastructure. 🔑
The non-public secret’s a secret key that’s used to decrypt some particular knowledge or message. It’s a must to use the non-public key to code signal your app, with out it, you can not use the certificates and public key to signal something. It’s best to by no means share your secret key, however the one exception is possibly when you have a number of members in your developer workforce and a couple of particular person is liable for the signing course of. The non-public secret’s possibly crucial element of your entire signing course of. You’ll be able to’t obtain a non-public key from the developer portal, so all the time hold it secret. Should you lose it, you possibly can nonetheless apply for a model new cert, however that may be fairly time-consuming.
As you possibly can see, I am not going an excessive amount of into the small print of cryptosystems like (RSA)), you do not really want to know them so as to have the ability to signal an app. Clearly, it is helpful to have some superior information of cryptography, however that alone could possibly be a subject of a for much longer article. Let’s simply deal with the way to create your signing keys and the method of acquiring your certificates from Apple this time. 🍎
Manually signing your apps
This technique requires extra work, however if you happen to observe the directions you’ll study rather a lot about how computerized code signing works behind the scenes. It is all the time good to know the elemental constructing blocks. If you’re going through some code signing points, the debugging course of might be a lot more durable if you happen to do not perceive the fundamentals. 🐛
Making a CSR
The straightforward manner: via the Keychain Entry utility
Begin the Keychain Entry utility, from the Keychain Entry menu merchandise, choose the Certificates Assistant possibility and click on the Request a Certificates From a Certificates Authority… possibility. If you’re seeing the Keys class, and there’s a key chosen in the suitable panel, that particular key might be used to your new CSR file. If there isn’t any key chosen, a brand new one might be made for you.
Enter each your electronic mail handle and your title and choose the Saved to disk possibility. Press the Proceed button, and save the CSR file someplace on the disk. A brand new private and non-private keys might be routinely added to the login keychain for the CSR.
Producing a CSR file utilizing the command line
Should you go along with the command line, you possibly can manually generate the CSR and the key-pair in a .pem file format. You additionally need to import the keys to the keychain manually.
openssl genrsa -out private-key.pem 2048 openssl req -new -key private-key.pem -out CertificateSigningRequest.certSigningRequest -subj "/[email protected], CN=My Developer Identify, C=US" openssl req -in CertificateSigningRequest.certSigningRequest -noout -pubkey -out public-key.pem safety import private-key.pem -k ~/Library/Keychains/login.keychain-db safety import public-key.pem -k ~/Library/Keychains/login.keychain-db
Now you are able to get a certificates! 📋
Acquiring a certificates from Apple
Simply go to the developer portal (it has a model new look by the way in which), and choose the certificates menu merchandise within the left sidebar. There’s a plus button subsequent to the title, you need to press that too and the next display screen will seem:
The primary two choices are additionally new ones. From Xcode 11 on, you possibly can submit your apps for all of the platforms, so a single certificates can do the job for you. For older variations of Xcode, you possibly can go along with the iOS / macOS growth certificates. It’s best to observe that iOS certificates have been used each for iOS, tvOS, and watchOS.
You’ll be able to select between growth and distribution certificates. The final one is for publishing your apps to the App Retailer, the primary one is for code signing growth variations. Additionally, there could be a most of two legitimate distribution certificates at a time per particular person. Subsequent, it’s a must to add the CSR file, to be able to get a certificates.
After you press the Proceed button, you possibly can obtain the generated certificates. It’s best to double click on the file and add it to your login keychain. If there’s a little arrow proper subsequent to it on the left aspect which means there may be an related non-public key file, and also you’re prepared to make use of the certificates to signal your purposes… or not? 🤔
Making a provisioning profile
Nicely, it isn’t that straightforward, you continue to must get a sound provisioning profile from Apple. As I discussed in my previous article, provisioning performs a key position within the code signing course of. Fortuitously, all the things will be carried out via the dev portal.
First, it’s a must to choose the kind of your provisioning profile. I already defined these varieties, please learn my article about provisioning if you wish to know extra about it.
As a second step, it’s a must to choose the appliance that you’ll make a provisioning profile for. If you do not have an utility identifier, you possibly can register one by utilizing the Identifiers menu merchandise. It is actually easy.
On the following display screen, it’s a must to choose the certificates that you simply’d like to make use of throughout the code signing course of with the provisioning profile.
As you would possibly already know, developer profiles have related gadget identifiers, so when you have registered take a look at gadgets within the developer portal, right here you possibly can affiliate them with the given profile. You’ll be able to’t set up the app on the bodily gadget if the UUID just isn’t included within the profile, so it is value to double test them. This may be fairly problematic typically.
Lastly, you may see an outline of your profile. It’s a must to title your profile, and if you happen to press the Generate button, you possibly can obtain it via your browser. That is it.
After you’ve downloaded each your signing certificates and provisioning profile, you need to double click on each. The certificates must be imported to the login keychain, and the provisioning profile needs to be saved underneath a given location, so Xcode can use it throughout the code signing course of.
Now if you happen to open Xcode and go to the Signing & Capabilities tab (it is underneath the Basic earlier than Xcode 11), you possibly can test or uncheck the Mechanically handle signing checkbox. It’s a must to choose a sound provisioning profile from the drop-down menu merchandise. Should you did all the things proper, Xcode ought to be capable to see each the profile and the related certificates. Which means all of the crimson error indicators must be gone and you need to be capable to construct and signal your app in your bodily take a look at gadget. 🙏
Automation: Xcode, Bitrise and codesigndoc
Computerized code signing is a chunk of cake. Let me present you what must be carried out to be able to allow this highly effective function in Xcode first.
Computerized code signing utilizing Xcode
The entire handbook signing factor I simply confirmed you is the previous. These days you possibly can merely use Xcode to handle all of the certificates and profiles for you. You simply have to attach your developer account underneath the settings menu.
After getting into your legitimate developer credentials, Xcode can create and obtain all the things for you that is required to correctly signal an app. Nonetheless, typically there will be some points, and there are some actions that you simply nonetheless need to do manually like making a Push notification certificates, nevertheless it’s actually useful to overlook about the remaining, if you happen to simply need to check out your app on an actual gadget.
Oh and do not forget that you need to test the Mechanically handle signing checkbox & it’s a must to choose the developer workforce that you simply’d like to make use of for the signing course of.
That is it, no extra handbook CSR, certificates or provisioning creation. 💫
Bitrise & codesigndoc
There are two methods (steps) to signal your app by utilizing Bitrise:
Should you go along with the primary one, it’s a must to add your certificates with the key-pair and the provisioning profile to Bitrise. Below the workflow editor there’s a devoted tab for this particular cause, it is known as: Code Signing. 😅
Utilizing codesigndoc to add code signing information to Bitrise
Fortuitously, Bitrise made an incredible open supply software known as codesigndoc, that may enable you to with the entire add process. You simply need to run one line of code in your terminal window & codesigndoc will care for the remaining. Should you arrange your Bitrise credentials, you do not even need to add the exported code signing information manually, codesigndoc could make that occur for you too.
That is what the code signing tab appears to be like like, there’s a devoted part for provisioning profiles, one for the certificates. There may be even a secure generic file storage that can be utilized throughout the code signing course of when you have some actually particular wants. Actually talking, I’ve by no means used that earlier than. 🤷♂️
Computerized vs handbook provisioning on Bitrise
My suggestion is that you need to merely go along with the iOS Auto Provision step.
Do not waste your time on the export and the pointless file add. Auto provisioning is simple, since you simply need to enter a couple of configuration properties and join a developer account. I often set the Distribution kind to growth, enter The Developer Portal workforce id and lastly set the Ought to the step attempt to generate Provisioning Profiles even when Xcode managed signing is enabled within the Xcode undertaking? choice to sure.
Normally this technique works.
Simply codesign or ought to I re-sign?
Another factor: there’s a standalone codesign command line tool.
With the assistance of the codesign command you possibly can test the standing of an utility, and even higher, you possibly can signal or re-sign the executable. The codesign command also can provide you with details about the signing standing, which will be extraordinarily useful if issues go unsuitable. You’ll be able to all the time test the handbook of the codesign software, and if you would like to get some information about your apps code signature you possibly can merely enter this command:
codesign -vv -d Instance.app codesign --verify Instance.app codesign -s 'Certificates title' Instance.app codesign -f -s 'Certificates title' Instance.app
I’d not suggest utilizing this software for signing apps, as a result of there may be one other useful gizmo known as XReSign with a correct person interface that can be utilized to re-sign your apps. If you actually need to go this manner, it is higher to make use of XReSign, as a result of it could actually auto-update the underlying entitlements file primarily based on the given provisioning. It additionally has a command line interface, so all in all, it is extra handy to make use of. 😉
Code signing is unquestionably tough to know & work with, however there are many nice instruments that may make you life simpler. The method these days is manner simpler than it was a few years in the past, because of Xcode and the automated code signing possibility.
Should you use Bitrise to automate your builds, you need to all the time use codesigndoc or the iOS Auto Provision step if you wish to keep away from the battle. They’ll prevent a variety of time, particularly in case your certs and provisioning profiles change rather a lot. 👍
Apple simply made some superb little modifications, like the brand new mixed certificates for all of the platforms, redesigning the UI for the developer account or the devoted tab in Xcode 11 for managing code signing and capabilities.
I actually hope that this text will enable you to perceive your entire course of higher. 😊
Leave a Reply