This time, I'll explain everything about the mysterious iOS delivery process and the structure of a commission profile.
What is commission?
iOS is a very secure operating system. You can only install apps on your Apple-approved device so that your application must be digitally signed before it is published in the App Store. The signed binary helps Apple to ensure that its content comes from the actual developer (team) so that it is not compromised or altered by a third party hacker. Unsigned apps cannot be published in the App Store, so this process allows Apple to be the gatekeeper for the operating system. Basically, they can only deactivate developer accounts or revoke certificates if they do not follow the rules. If that happens, you will no longer be able to install apps from that developer anymore.
But if you develop a program, you might want to test it on a real device before the submission process. That's what the commission process is for: You can register your application with a special file called commission profile. This file is a collection of digital devices that connect physical devices to authorized developer teams. You can generate a commission profile for your application using the Apple Developer Portal. 1
Now that you know which commission is and why it is so important, let's look at commission profiles and certificates.
What kind of commission profiles are there?
There are 4 types of commissioning profiles:
profile development gives you the opportunity to test your apps on your physical devices. It contains the unique device identifier for each test unit. You can only run your app on the devices included in the development profile.
The distribution distribution has no such limitation because it is used to distribute your app via the App Store. To submit your app for approval, you must sign it with a distribution profile. If Apple approves it, your app may be published in the store, which means it can be installed by anyone. 😊
You can also create an ad hoc profile that is actually a distribution profile with device identifiers. Apps signed with the ad hoc distribution commission profile can be installed on a limited number of designated entities via websites, email, or OTA. It's good for public beta testers, QA teams or client demos.
Internal profile internally is available only to corporate developers, it can also be used for internal distribution for non-registered entities. This means that you are not limited to device identifiers, but should not be used by the public (for your company or employees of a particular company only).
Each profile type must be registered with a certificate and both are required during the code signing process. You can only install your application after the binary is signed correctly. If the certificate has expired or you do not have the associated private key, you will not be able to sign the app. Also, if the commission profile is invalid or if it does not contain your device identifier (see below), you cannot start your app. 19
Anatomy of a commission profile
Each commission profile contains the following:
A bundle ID is just a unique identifier under your developer account, but the app identifier is a widely used unique identifier for the entire App Store ecosystem. . Usually, you should use a reverse domain note when creating a bundle ID.
The team is just basic information about your developer team. If you are part of several developer teams, the building system must find the right one for your commission profile during the code signing process.
Opportunities are (cloud-based) services and features. You can enable them from Xcode. Some of them must be configured inside the developer portal under the App ID section. For example, the Push Notifications feature requires additional certificates and rights to be added to your application.
Rights are simple configurations for accessing various services such as iCloud storage, Push Notifications, Apple Pay and so on. There is a patch file in the application package. You don't have to worry about it too much, Xcode can usually take care of the rights.
Certificates are used during the construction process to sign the app. Each certificate has an associated private key component. To code the binary, you need the private key in your local keychain. Certificates may expire as well, so you'll need to renew them every year or you won't be able to sign apps anymore. 19
Unique device identifiers can be entered into a commission profile. If you are trying to run a test version of your app on a real device, you must register the test device's UUID. You can do it manually inside the developer portal, or if you prefer Xcode, it can also do the work for you. It doesn't matter which method you choose, but if you add a new device to the developer portal, you also need to generate the commission profile.
Expiration and invalidation
Both commission profiles and certificates expire. If a profile expires, the app will fail to start. You will need to renew the profile, rebuild, quit and install the application on the desired device if you want to continue using it.
Except for an internal distribution profile, all profiles expire in one year from the date of creation of the profile. This means that the profiles must be generated annually to continue distributing apps to devices or the App Store. 19
Ad hoc profiles have longer expiration dates. Also, if your application is submitted to the App Store, don't worry too much, you can install it anytime. Distribution profiles expire, but it only affects your code signing process.
However, there is one thing that can happen to your app in the App Store. If you break a rule, Apple can revoke your signing certificate so you can't submit apps any more. They can also remove your application from the store.
If a certificate expires or is revoked, the associated profiles will also be invalid. You can always check the status of your commission profile in the developer portal.
What can go wrong?
Today, you do not need to create commission profiles yourself: you just need to link your developer account under Xcode preferences. If you are ready, you can safely activate the automatic code signing feature below the target so that Xcode can take care of the rest, but you should note that sometimes things can be corrupted. 🤪
You can always use the developer portal to double check everything. Here is a quick list of the most common problems that may arise.
- you have a valid certificate (keychain + developer portal)
- the certificate has an associated private key (keychain)
- an App ID for bundle ID exists (developer portal)
- all options is configured and ready to use (Xcode + developer portal)
- permissions are ready to use (Xcode)
- Physical test device ID is registered (developer portal)
- commission profile is valid (developer portal)
- commission profile contains certificate and the unit ids
How do you check the last one? Well, let me explain this card.
Checking what's in a commission profile
The commission profiles are automatically downloaded by Xcode and stored in the directory
~ / Library / Mobile / Provisioning Profiles . If you navigate to this folder, you will see a number of randomly named files. It's not going to help too much. 19
There are two wonderful QuickLook plugins that allow you to inspect the entire contents of a commission profile directly from the Finder. I really love this approach because these plugins give me even more detail than Xcode itself.
Let me summarize everything again, very quickly. ⚡️
If you want to run a program on a physical device, you must configure a valid commission profile. You can get a profile from the developer portal. The profile, later during the construction process, will be entered directly into the app package, plus the app should be code signed using the developer credentials.
If you try to launch the app on your device, you must first check the commission profile and if it does not match the required criteria, your app will not run at all. If you are lucky enough and everything was ok, the app will start quite well.
This whole process above is called commissioning. I hope you liked this article. Next time I will write about code signing and how to solve code signing issues. 19