iOS.CodeSign
Inside Code Signing
1. Code Signing需要的基礎組件: 證書,私鑰
As an iOS developer, chances are you have a certificate, a public key, and a private key on your development machine.
To use a certificate for signing, you need the private key.
A: 在OS X Keychain Access(鑰匙鏈)中可以看到證書。
B: 下面的命令也可以看證書。
$ security find-identity -v -p codesigning
2. 證書(certificate)
"A certificate is — very broadly speaking — a public key combined with a lot of additional information
that was itself signed by some authority (also called a Certificate Authority, or CA) to state that the
information in the certificate is correct. In this case, the authority is Apple’s authority for developer stuff,
the Apple Worldwide Developer Relations CA. " Ref[1]
2.1 iOS開發中的兩個證書: iPhone Developer 和 iPhone Distribution 分別為前綴的證書。
This private key is what you use to sign the binaries with. Without the private key,
you cannot use the certificate and public key to sign anything.
代碼簽名本身使用的是: codesign 命令行工具。
"The signature for any signed executable is embedded inside the Mach-O binary file format,
or in the extended file system attributes if it’s a non-Mach-O executable, such as a shell script." Ref[1]
2.2 使用私鑰和證書對app進行簽名
If you have a certificate and its private key, it’s simple to sign a binary by using thecodesigntool.
Let’s signExample.appwith the identity listed above:
A: 為一個App進行簽名
$ codesign -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app
B: 替換原來的簽名 (即: 重新簽名)
$ codesign -f -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app
C: 查看App的簽名信息
$ codesign -vv -d Example.app
will tell you a few things about the code signing status ofExample.app:
D: 確認/查證 App的簽名
$ codesign --verify Example.app
2.3 Bunldes 和 Resource
"When signing a bundled application, the resources are signed as well. " Ref[1]
"the signing process creates a_CodeSignature/CodeResourcesfile inside the bundle." Ref[1]
2.4 Entitlements 和 Provisioning
spctl 這個工具是什么?
spctl, which manages the system’s security assessment policy.
2.4.1 Entitlements
"Code signing is used to ensure that the application actually contains only what it says on the box — nothing
more and nothing less. The sandbox restricts access to system resources." Ref[1]
"Entitlements specify which resources of the system an app is allowed to use, and under what conditions." Ref[1]
.entitlements文件的創建:
"This is the XML generated by Xcode after clicking around in theCapabilitiestab and enabling a few things.
Xcode automatically generates an.entitlementsfile and adds entries to it, as needed." Ref[1]
Adding Capabilities
"it can help to look at what the signature actually says about the entitlements:
$ codesign -d --entitlements - Example.app " Ref[1]
以上命令顯示app的簽名中包含的entitlements有哪些。
2.4.2 Provisioning Profile
"A provisioning profile is a container for the information needed by the operating
system to decide if it can let your app run." Ref[1]
Provisioning Profile可以使App在開發機上運行,也可以進行ad-hoc/enterprise發布,
那么正式的發布需要Provisioning Profile嗎? 推測是需要的。
"A provisioning profile is a collection of all the components needed to determine if a particular app can
run on a particular device. Provisioning profiles are used to enable app debugging on development devices,
and also for ad-hoc and enterprise distribution. Xcode will embed the provisioning profile you select in
the project settings within the app." Ref[1]
Provisioning Profiles 在文件系統的位置
"~/Library/MobileDevices/Provisioning Profiles, which is where Xcode keeps all the profiles downloaded
from Apple’s developer portal." Ref[1]
Provisioning Profiles的文件格式:
It is a file encoded in the Cryptographic Message Syntax,該語法由RFC 3852來描述。
查看Provisioning Profiles
$ security cms -D -i example.mobileprovision
以上命令的輸出是XML形式的Plist。
該Plist文件中的key
DeveloperCertificates key,這個key是證書的列表。
"The certificates are Base64 encoded and in PEM format (Privacy Enhanced Mail,RFC 1848)."
$ openssl x509 -text -in file.pem
ProvisionedDevices key
"If you are looking at a development certificate, you will also find aProvisionedDeviceskey,
which contains a list of all the devices you set up for this provisioning profile." Ref[1]
Items
code signing
device provisioning
Entitlements: 權利
Provisioning
Personal Information Exchange format (.p12)
X.509
Reference
1. Inside Code Signing
http://www.objc.io/issue-17/inside-code-signing.html
2. Code Signing Guide (ToRead)
https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
3. man codesign
4.How to Show & Verify Code Signatures for Apps in Mac OS X
https://osxdaily.com/2016/03/14/verify-code-sign-apps-mac-os-x/
5.How to check signatures on apps, installers, andpackages
https://eclecticlight.co/2019/10/25/how-to-check-signatures-on-apps-installers-and-packages/
6.Checking Code Signing and Sandboxing Status in Code
https://oleb.net/blog/2012/02/checking-code-signing-and-sandboxing-status-in-code/
7.How to verify app signatures
https://medium.com/@andrew.perfiliev/how-to-verify-app-signatures-43fd5cd1bd3d
總結
以上是生活随笔為你收集整理的iOS.CodeSign的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 基于imx6ull的Linux-4.9.
- 下一篇: 如何制作Excel超级表