iOS Development - Code Signing explained
This blog post explains iOS code signing & its associated terms – certificates, signing identity, and provisioning profiles – some of which can be confusing in the beginning.
Why sign your code?
Signing of application code packages is done primarily to achieve two important security objectives:
- Verify application identity, i.e. ensure that the application you are planning to install on your device has been developed by a specific organisation.
- Protect against unauthorised or malicious changes. The application signature becomes invalid if any third party tampers with the application code.
Security with Certificates & public/private keys
You may already be familiar with the HTTPS secure communications protocol. HTTPS uses certificates with public & private keys to encrypt & decrypt information. The public key is freely available on the Internet, whereas the private key is secured & only available to the entity to which the certificate was issued. Companies keep their private keys highly secured so a disgruntled employee can’t simply release a fake version of the company’s popular app or compromise the company website, as he/she will not have access to the signing certificate & its keys.
Using HTTPS certificates, you meet both the objectives outlined above. First, all your data is secure over the communication channel because it’s encrypted, which prevents any third party from seeing or altering it. Secondly, the identity of the website is authenticated because your browser is supplied with a certificate issued by an authority it trusts, e.g. VeriSign.
In a similar vein, when you join the Apple Developer programme, Apple will issue you Developer & Distribution Certificates with public & private keys. Xcode will use these certificates to sign your code to establish the app developer/team/company identity & the code integrity.
An iOS account is of two types – Individual or Company. Basically, if you are more than a one-man-band development team then you will be registering as “Company” with Apple. A Company account will allow you to manage multiple developer accounts inside a “Team”. Apple defines various roles for team management & to set security boundaries, e.g. Team Agent, Team Admin, Team Member.
A team member is an individual developer who you can invite to join the Team. Each team member will be issued their own Developer Certificate to sign the apps they develop. However, your entire team could share the Team Distribution Certificate.
iOS Signing Identity & Certificates
You can view all certificates in the “Applications/Keychain Access” tool on your Mac. Use the “Category” list on the left to filter the list. In addition, these may also be visible in “Xcode --> Preferences --> Accounts --> Details” & the member center.
Like HTTPS, Xcode uses certificates to sign your application code. When you install Xcode, it comes with Apple “Intermediate Certificates”. These certificates basically establish Apple as a trusted root authority or certification authority on your computer, i.e. your Mac will trust any certificate that has been issued by Apple. “Apple Worldwide Developer Relations Certification Authority” is this “Intermediate Certificate” & should be visible in the Keychain Access tool.
A Developer Certificate is issued by Apple to an individual developer. The certificate identifies the individual & thus establishes the fact that code signed with a specific development certificate has come from Developer X.
The Developer Certificate is used for code signing your app during development & testing on simulators or other test devices, e.g. when you build, Xcode signs the app with the development certificate.
“iPhone Developer: <Developer name>” is your developer certificate in the Keychain Access tool.
A Distribution Certificate is issued by Apple to a company/team. The certificate identifies the team/company & thus establishes the fact that an application signed with a specific certificate came from Company PQR.
Distribution Certificates are normally shared within the team & are used for distributing the app to test devices or for release in app stores.
“iPhone Distribution: <Company/Team name>” is your Distribution Certificate in Keychain Access. If you are a one-man shop, then it would be your name.
Public & Private Keys
Your Development & Distribution certificates come with Public & Private key pairs. You can view these keys in the Keychain Access tool under the category “Keys”.
Your Development & Distribution Certificates, along with their Public & Private key pairs, create your Signing Identity. You use (or Xcode will use on your behalf) your Development Certificate & its private key to sign your code during development, & your team’s Distribution Certificate & its private key during release to the App Store.
An App ID identifies one or more apps from a single development team. It’s made of two parts – team ID & bundle ID. Team ID is visible in your member center account & is allocated by Apple whereas Bundle ID is your app’s unique name e.g. co.nz.company.<app name>.
App ID can be of two types:
- Wild card app ID: As its name suggests, a wild card app ID represents multiple apps & contains an asterisk “*” in the bundle ID e.g. <team ID>.* or
- Explicit app ID: An explicit app ID uniquely identifies a single app. E.g. <team ID>.co.nz.XYZ.AppPQR.
A provisioning profile is a collection of your development or distribution certificates, App ID and test devices. It could be a development provisioning profile or a distribution profile. Your Development Provisioning Profile basically defines that “You can develop, sign & deploy app/s on selected test devices”. Your Distribution Profile defines that “You can sign & deploy app/s to test devices or release in App Store”.
You can create a provisioning profile in the member center or let Xcode take care of it on your behalf. A provisioning profile comprises the following:
- Type: Development or distribution
- App ID: wild card App ID or explicit App ID
- Certificates: development or distribution
- Real devices for testing – only required if creating a development profile or an ad-hoc distribution profile
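An added example, not part of the original post, covering the App ID rules and the profile contents listed above: it parses a decoded provisioning profile and checks that it covers a given app and device. The plist key names are the ones found in decoded profiles (on a Mac, `security cms -D -i embedded.mobileprovision` prints the plist); the sample profile, team ID, UDID and the `audit` helper are constructed for illustration.

```python
import plistlib
from datetime import datetime

# Constructed sample profile; team ID, UDID and certificate bytes are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>iOS Team Provisioning Profile</string>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>00008030-CONSTRUCTED-UDID</string></array>
  <key>DeveloperCertificates</key><array><data>Q09OU1RSVUNURUQ=</data></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""

def profile_type(p):
    """Infer the type; the plist carries no explicit 'type' field."""
    if p.get("Entitlements", {}).get("get-task-allow"):
        return "development"              # debugger attach allowed
    if p.get("ProvisionsAllDevices"):
        return "in-house distribution"    # not covered in the post
    if "ProvisionedDevices" in p:
        return "ad hoc distribution"      # fixed list of test devices
    return "App Store distribution"       # no device list at all

def app_id_covers(app_id, team_id, bundle_id):
    """True if an explicit or wild card App ID matches <team ID>.<bundle ID>."""
    candidate = f"{team_id}.{bundle_id}"
    if app_id.endswith("*"):
        return candidate.startswith(app_id[:-1])
    return candidate == app_id

def audit(profile_xml, team_id, bundle_id, udid, now):
    """Return the profile's key facts plus reasons it would not fit this app/device."""
    p = plistlib.loads(profile_xml)
    app_id = p["Entitlements"]["application-identifier"]
    problems = []
    if not app_id_covers(app_id, team_id, bundle_id):
        problems.append(f"App ID {app_id} does not cover {team_id}.{bundle_id}")
    if p["ExpirationDate"] <= now:        # plistlib returns a naive UTC datetime
        problems.append("profile expired")
    if "ProvisionedDevices" in p and udid not in p["ProvisionedDevices"]:
        problems.append("device not registered in profile")
    return {"type": profile_type(p), "app_id": app_id,
            "certificates": len(p.get("DeveloperCertificates", [])),
            "problems": problems}

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE, "ABCDE12345", "co.nz.XYZ.AppPQR",
                "00008030-CONSTRUCTED-UDID", datetime(2025, 1, 1)))
```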
You must register a device with a development provisioning profile before you can deploy your app on it for testing. The very first time you try to run your app on a real device in Xcode, a new development provisioning profile is created for you.
- You connect your device to your Mac
- Xcode Window --> Organiser --> Select the device --> Use for development
- Xcode will prompt for a provisioning profile or you could create a new one
To put it all together
- You register with Apple Developer program, get a login for member center.
- Apple assigns you a unique Team ID.
- You download & install Xcode on your Mac
- The Xcode installer installs Apple “Intermediate Certificates” on your Mac
- You create an Xcode project & start coding your App
- You register your Apple ID with Xcode under Window --> Organiser --> Accounts.
- Xcode can now create your signing identities by requesting development or distribution certificates from Apple
- Xcode will associate your new app project with a wild card App ID
- You connect your iPhone to Xcode & go to Window --> Organiser
- Xcode will display the connected device with options such as “Use for Development”. If you click this button, Xcode will prompt for a provisioning profile. Xcode can create a new provisioning profile on your behalf e.g. “iOS Team Provisioning Profile” which will incorporate your development certificate, App ID & your test device.
Apple stores your Development & Distribution certificates in multiple places.
- Developer & Distribution certificates are stored in the Keychain Access tool & the iOS Member Center, & are also visible in Xcode preferences.
- REMEMBER: Certificate private keys are only stored on your Mac. If you lose them or something happens to your Mac, you can’t retrieve your private keys again. You will have to generate new certificates, which means you will be creating a new signing identity.
Because certificate private keys are stored only on your development Mac, it’s highly recommended that you create a backup of your entire “Development Profile”. Furthermore, if you use multiple Macs, e.g. a workstation at work & a laptop at home, then you should use your profile backup to restore your development profile on a new Mac. This is to ensure that you have a single signing identity rather than a new one across different computers.