This article discusses how iOS code signing works under the hood. Readers are expected to have a basic idea of how to create an App ID, certificate, and provisioning profile using the Apple developer portal.
Overview of Creating a Provisioning Profile
First, you create a Certificate Signing Request (CSR) file using the Keychain Access application with an extension of .certSigningRequest.
You’ll upload this file to the Apple developer portal to create a development/distribution certificate based on the need. Once you have downloaded the certificate, you install it by double clicking the downloaded certificate file.
After this, you create a provisioning profile by selecting the appropriate certificate, App ID, and the device identifiers (in the case of a development profile) of the devices on which the build has to be installed and run.
Once the provisioning profile is created, you will download and install the profile. Then, based on the profile you created, either you install and run it on the device or you submit it to the App Store.
Certificate Signing Request (CSR)
Creating a CSR is the first step in code signing. So, what happens when you create a CSR? The keychain access creates a public and a private key and a .certSigningRequest file.
These two keys must be kept safe. If not, then a completely new public and private key have to be generated. You can find these two keys in the “Keys” category of the Keychain Access application. The CSR file contains your Name, Email Id, and the public key signed using your private key.
Apple uses the Asymmetric Cryptography technique for code signing your app. To learn more about asymmetric cryptography, see Wikipedia.
Once you upload the CSR file to the portal, Apple will verify the identities and issue a development or distribution certificate .cer file based on your request. This certificate means that you are trusted by Apple.
In this whole process, you also require an intermediate certificate installed in your keychain to ensure that your certificate is issued only by a certificate authority. But don’t worry, this certificate will be installed in your Keychain automatically when you set up Xcode for the first time.
Provisioning Profile Creation
Development Provisioning Profile: Now your certificate is ready. The next step is to create a provisioning profile. Create your development provisioning profile by choosing the Certificate, App Id, and the Unique device identifiers on which the app has to be installed and run.
Why is the development provisioning profile required even after the creation of the certificate? In order to install an app on the device, you need this provisioning profile. This file links your certificate, App Id, and UDIDs together. A provisioning profile certifies that you are trusted by Apple (by the certificate you have chosen) so this application (by the App Id you have chosen) can be installed on this device (by the UDID you have chosen).
Distribution Provisioning Profile: In the case of a distribution profile, you do the same thing; the only difference is that you don’t choose any UDID. You just link your distribution certificate with your App Id and submit the build to the App Store.
Building and Running the App
Once you have your development provisioning profile ready, you can run the app on any one of the devices whose UDIDs are included in the profile. Now, when you build and run your app, you end up creating a directory that contains all the resources that are required to run your app. In addition to the resource files, the directory contains your provisioning profile and a subdirectory named “_CodeSignature.” Under this subdirectory, you can find a plist file named “CodeResources.” This plist contains hashed references to all the files that are included in the solution.
While installing the app on the device, iOS ensures that the provisioning profile is signed by Apple. Then, it verifies the files listed in the CodeResources plist to the actual files in the directory. If there is any mismatch between the plist and the actual resources, then iOS will not install the app.
Whenever you run your app, iOS ensures that your app was not modified and you have a valid provisioning profile that matches your app. If anything breaks, then the app will crash.
App Store Submission
When you submit your app to the App Store and get your app approved successfully, Apple signs your app with their own signature so that the App can be run on any targeted device.
If you have an enterprise account, then you are allowed to deploy the apps to any targeted device. In order to run the app, the user has to manually trust your organization in the Device Management section of the Settings App. Once an enterprise is trusted, the user can install any number of apps under that.
This is how iOS code signing works under the hood. I hope this article helps you in understanding the code signing.