Code signing is one of the most painful tasks that every iOS dev has to do. In this article, I will explain the whole procedure.
How does code signing work ?
As I mentioned in my previous article, iOS devices can only run apps signed by trusted developers. The commissioning process is just the beginning of a much larger story. Profiles are used in the code signing phase, but what exactly is a code signature, and most importantly, how can I successfully sign an iOS app?
Code signing is the process of digitally signing an app to ensure it comes from a particular developer. It's similar when you sign your contracts in the real world, but it's much safer because a cryptographic hash is far more unique than a splash of ink. Code signing also ensures the integrity of the code, this is a guarantee that the app has not been altered or corrupted since the developer created it. In other words, if you download code-signed apps, you cannot get malware or viruses. 1
The original technology for signing executable apps appeared about when the first iPhone was released when the code signing process was crucial to a mass market product. Apple introduced a way to protect both its customers and the App Store. iOS simply doesn't run unsigned code, but you can disable this security port by jailbreaking your phone. It's a very dangerous process, you shouldn't do it at all.
Now that you know the reasons, it's time to learn how code signing works under the hood. Let's see what tools and files are involved during the signing process.
Certificates, keys and some cryptography
Let's have a quick overview of certificates, private and public keys.
Certificate Signing Request  Certificate Signing Request (CSR) is a file you must submit to a certificate authority (in this case Apple through the Developer Portal) to apply for a digital identity certificate. The process of creating a CSR is part of the Public Key Infrastructure (PKI). The applicant must generate a public and a private key on the local machine, then a CSR file can be generated from the public key file with some extra personal information, such as name, e-mail etc. Searcher keeps the private key secret, this means you should NEVER give out your private key to the public! 196
A certificate is a public key combined with lots of additional information signed by a Certificate Authority (CA), in this case Apple. You can generate a certificate by uploading a CSR file to the developer portal, or today Xcode can automatically manage them for you. The certificate expires at some point, if it happens, renew it. Apple can also revoke your certificate if you break the rules, if that happens, you won't be able to tag your apps anymore. Note that you also need the corresponding private key during the code signing process.
Public key cryptography, or asymmetric cryptography, is a cryptographic system that uses pair keys.
The public key can be shared with everyone, it is usually available under a publicly available directory. A person who has the public key can encrypt any data for a particular recipient. The recipient with the private key can only decode the message. The digital signature process also depends on this basic concept of asymmetric cryptography. Guess what? This is also part of Public Key Infrastructure. 19
The private key is a secret key used to decrypt specific data or messages. You need to use the private key to encode your app, without which you can't use the certificate and the public key to sign anything. You should never share your secret key, but the only exception is if you have more members in your developer team and more than one person is responsible for the signing process. The private key is perhaps the most important component of the entire signing process. You cannot download a private key from the developer portal, so keep it secret. If you lose it, you can still apply for a brand new CC, but it can be quite time consuming.
As you can see, I do not really go into the details of crypto systems like (RSA), do not really need to understand them in order to sign an app. Obviously, it is useful to have some advanced knowledge of cryptography, But it alone can be a topic in a much longer article. Let's just focus on how to create signing keys and the process of obtaining your Apple certificate this time around. 19
Manual signing of your apps
This method requires more work, but if you follow the instructions, you will learn a lot about how automatic code signing works behind the scenes. It is always good to know the basic building blocks. If you have code signing issues, the troubleshooting process will be so much more difficult if you do not understand the basics. 19
Creating a CSR
The Easy Way: Through the Keychain Access Application
Start the Keychain Access Application, from Keychain Access select Certificate Assistant and click Request a certificate from a Certificate Authority … option. If you see the Keys tab and a key is selected in the right panel, the specific key will be used for the new CSR file. If no key is selected, a new one will be created for you.
Enter both your email address and your name and select the Saved to disk option. Press the Resume button and save the CSR file somewhere on the disk. A new public and private key is automatically added to the CSR login keychain.
Generating a CSR file using the command line
If you go with the command line, you can manually generate the CSR and the key pair in a .pem file format. You also need to manually import the keychain keys.
#generates the private key file openssl genrsa -out private-key.pem 2048 #generate the CSR file using the private key opensl-req -new -key private-key.pem -out CertificateSigningRequest.certSigningRequest sub "/emailAddressfirstname.lastname@example.org, CN = My Developer Name, C = US" # pull out the public key from CSR openssl req-in CertificateSigningRequest.certSigningRequest -note -pubkey -out public-key.pem #Import the keys to the login keychain security import private-key.pem -k ~ / Library / Keychains / login.keychain-db security import public-key.pem -k ~ / Library / Keychains / login.keychain-db
Now you're ready to get a certificate! 19
Get a certificate from Apple
Just go to the developer portal (it has a brand new look by the way) and select the certificate menu in the left sidebar. There is a plus button next to the title, you should also tap it and the following screen will appear:
The first two options are also new. From Xcode 11 on, you can submit your apps to all platforms, so a single certificate can do the job for you. For older versions of Xcode you can go with the development certificates iOS / macOS. You must note that iOS certificates were used for both iOS, tvOS and watchOS.
You can choose between development and distribution certificates. The last one is to publish your apps in the App Store, the first being for code signing development versions. There may also be a maximum of two valid distribution certificates at a time per person. Then you need to upload the CSR file to get a certificate.
After pressing the Resume button, you can download the generated certificate. You must double-click the file and add it to the login keychain. If there is a small arrow right next to it on the left that means there is an attached private key file and you are ready to use the certificate to sign your applications … or not? 19
Creating a provisioning profile
Well, it's not that easy, you still need to get a valid sales profile from Apple. As I mentioned in my previous article, deposition plays a key role in the code signing process. Fortunately, everything can be done through the dev portal.
First, you need to select the type of your provisioning profile. I've already explained these types. Read my article about preparation if you want to know more about it.
As another step, you need to select the application for which you are creating a provisioning profile. If you do not have an application identifier, you can register one by using the Identifiers menu item. It's very okay.
On the next screen, select the certificate you want to use during the code signing process with the assignment profile.
As you may already know, developer profiles are associated with device identifiers, so if you have registered test devices in the developer portal, you can link them to the given profile. You cannot install the app on the physical device if UUID is not included in the profile, so it is worth double-checking them. Sometimes this can be quite problematic.
Finally, you will see an overview of your profile. You need to name your profile and if you press the Generate button, you can download it through your browser. That's it.
After downloading both the signing certificate and the provisioning profile, double-click both. The certificate must be imported into the login keychain, and the delivery profile must be stored at a given location so that Xcode can use it during the code signing process.
If you now open the Xcode and go to the Signing and Capabilities tab (it is under General before Xcode 11), you can select or deselect Managing Signing automatically. You must select a valid provisioning profile from the drop-down menu. If you did everything right, Xcode should be able to see both the profile and the associated certificate. This means that all the red error indicators should be gone and you should be able to build and sign your app on your physical test device. 19
Automation: Xcode, Bitrise and codesigndoc
Automatic code signing is a piece of cake. Let me show you what needs to be done to enable this powerful feature of Xcode first.
Automatic code signing using Xcode
The entire manual signing thing I just showed you is the past. Today, you can simply use Xcode to manage all certificates and profiles for you. Simply connect your developer account under the settings menu.
After entering valid developer nutrition information, Xcode can create and download everything you need to sign an app properly. However, sometimes there may be some issues, and there are some actions that you still have to do manually as a Push notification certificate, but forgetting the rest is very helpful if you just want to try your app on a real device.
Oh, and don't forget that you should check Automatically manage signing route for signing and you need to select the developer team you want to use for the signing process.
it, no more manual creation of CSR, certificate or provisioning. 1965
Bitrise & codesigndoc
There are two ways (steps) to sign your app using Bitrise:
If you go with the first one, you need to upload your certificate with the key pair and the provisioning profile to Bitrise . Under the workflow editor, there is a dedicated tab of this specific reason, called: Code Signing. 19
Using codeigndoc to upload code signing files to Bitrise
Fortunately, Bitrise created a fantastic open source tool called codesigndoc, which can help you with the entire upload procedure. You only have to run a code line in the terminal window, and codesigndoc will take care of the rest. If you configure your Bitrise credentials, you don't even need to manually upload the exported code signing files, codesigndoc can make it happen to you as well.
This is how the code signing categorization looks like, there is a separate section for preparing profiles, one for the certificates. There is even a secure generic file storage that can be used during the code signing process if you have any specific needs. Honestly, I have never used it before. 19
Automatic versus manual provisioning on Bitrise
My recommendation is that you only go with the iOS Auto Provision step.
Don't waste your time on exports and unnecessary file uploads. Automatic provisioning is easy because you only need to enter a few configuration features and connect to a developer account. I usually set Distribution Type to Development enter Developer Portal ID and finally put . Would the step try to generate Provisioning Profiles even though Xcode managed signing is enabled in the Xcode project? the alternative to yes.
In most cases, this method works.
Only code registration or should I sign again?
One more thing: it is a standalone code mark command line tool.
Using the code character command, you can check the status of a program, or even better, you can sign or sign the executable again. The code character command can also provide you with signing status information, which can be very useful if things go wrong. You can always check the manual of the code registration tool, and if you want to get some information about your app signature, you can simply enter this command:
# check signing information codeign -vv -d Example.app # Confirm the app's signature, no output is good output code character - confirm example.app # signing tag character -s & # 39; Certificate name & # 39; Eksempel.app # signing again code signal -f -s & # 39; Certificate name & # 39; Eksempel.app
I would not recommend using this tool to sign apps because it is another great tool called XReSign with a proper user interface that can be used to re-sign your apps. If you really need to go this way, it is better to use XReSign because it can update the underlying privilege file automatically based on the given provisioning. It also has a command line interface, so all in all it is more convenient to use. 19
Code signing is definitely difficult to understand and work with, but there are many good tools that can make your life easier. The process nowadays is much easier than it was a couple of years ago, thanks to the Xcode and the automatic code signing option.
If you use Bitrise to automate your buildings, always use the codesigndoc or iOS Auto Provision step if you want to avoid the battle. They can save you a lot of time, especially if the certificates and preparation profiles change a lot. 196
Apple did just some amazing little changes, like the new combined certificate for all the platforms, and reworked the user account interface for the developer account or the dedicated tab in Xcode 11 to handle code signing and features.
I really hope this article will help you understand the whole process better. 1965