While launching and releasing iOS apps, I was always confused by some concepts and questions. For example, Apple has absolute control over apps and you have to download them through the App Store. How is that done?

What is a Provisioning Profile?

In simple terms, the primary purpose of a Provisioning Profile is to let us run the app on a real device. With a Provisioning Profile we can debug the app on a physical device, or distribute it to colleagues for testing.

The following figure shows the contents of a development Provisioning Profile, which mainly consists of three parts:

  • Certificates
  • App ID
  • Devices

Certificate

The main purpose of the certificate is to verify the app: the signature mechanism behind the certificate relies on asymmetric cryptography.

To create a certificate, we first create a Certificate Signing Request (CSR) on our Mac. Generating the CSR produces a key pair: the private key is stored in the local keychain, and the public key (carried in the CSR) is uploaded to Apple's server to generate the certificate.

There are two main types of certificate: Development, used to develop and debug applications, and Distribution, used to distribute them (In-House, Ad Hoc, App Store, etc.).

App ID

The App ID, which corresponds to the Bundle Identifier in the project, is a two-part string such as com.xxxx that identifies one or more apps belonging to the development team. A wildcard (*) can be used to match multiple apps.

Devices

The list of devices that are allowed to install and run the app.

How does iOS signature work?

There are two signing flows for releasing apps. Both rely on asymmetric cryptography and certificates.

On the App Store

This case is relatively simple. When we want to publish the app, we upload it to Apple's server; Apple signs it with its private key to produce the app signature, and the corresponding public key is built into every iOS device.

After the app is downloaded from the App Store, the iOS device uses that built-in public key to verify the signature. If verification succeeds, the app has been certified by Apple and can be installed safely.

Debugging on a real device

Debugging on a real device happens very frequently, and uploading every build to Apple's server for signing would be inefficient for both sides, so there is a mechanism that keeps test distribution under Apple's control without that round trip.

Two key pairs are involved in the provisioning profile: a local pair (public key Local and private key Local) generated on the developer's Mac, and Apple's pair (public key Apple and private key Apple).

  1. After we upload the public key Local to Apple's server, Apple signs it using the private key Apple, and the resulting certificate is stored in a Provisioning Profile.

  2. After each compilation, Xcode signs the app using the private key Local, packs the Provisioning Profile into the app bundle as embedded.mobileprovision, and installs the app on the iOS device.

  3. During installation, the iOS device uses the public key Apple to verify that the digital signature on embedded.mobileprovision is correct. If that succeeds, the device extracts the data inside it to check the app (the device list, the App ID and so on) and uses the public key Local from the certificate to verify the app signature. If everything checks out, the app can run normally.
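The three steps above, together with the three parts of the profile (certificate, App ID, devices) described earlier, as an added example that is not part of the original article and is not Apple's code: a Go model in which Apple's key pair signs the profile, the developer's key pair signs the binary, and the device performs the checks of step 3 in that order. All names (Profile, App, issueProfile, buildApp, install, appIDMatches), the UDIDs and the bundle IDs are this example's own. The profile is a JSON blob rather than Apple's CMS-signed plist, and the certificate is reduced to the developer's public key, so this is a model of the scheme, not a parser for real files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Profile is a constructed model of the three parts of a development profile, not Apple's plist
// format: the certificate is reduced to public key Local, and Apple's single signature over the
// whole profile stands for the signatures Apple puts on the real certificate and profile.
type Profile struct {
	CertX, CertY *big.Int        // public key Local (P-256 point) from the CSR
	AppID        string          // e.g. "com.example.*" (real App IDs also carry a Team ID prefix)
	Devices      map[string]bool // UDIDs allowed to run the app
}

// App is Xcode's output: binary, developer signature, embedded profile and Apple's signature over it.
type App struct {
	BundleID   string
	Binary     []byte
	Sig        []byte // signature over Binary with private key Local
	Profile    []byte // JSON-encoded Profile (the embedded.mobileprovision payload)
	ProfileSig []byte // Apple's signature over Profile
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign and verify are ECDSA P-256 over SHA-256, used for both key pairs.
func sign(priv *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Step 1 (Apple's server): bundle public key Local, the App ID and the device list, sign with private key Apple.
func issueProfile(appleKey *ecdsa.PrivateKey, localPub *ecdsa.PublicKey, appID string, devices map[string]bool) (profile, sig []byte) {
	profile, _ = json.Marshal(Profile{CertX: localPub.X, CertY: localPub.Y, AppID: appID, Devices: devices})
	return profile, sign(appleKey, profile)
}

// Step 2 (Xcode): sign the binary with private key Local and embed the profile.
func buildApp(localKey *ecdsa.PrivateKey, bundleID string, binary, profile, profileSig []byte) App {
	return App{BundleID: bundleID, Binary: binary, Sig: sign(localKey, binary), Profile: profile, ProfileSig: profileSig}
}

// appIDMatches: "com.example.*" covers any bundle ID under that prefix; otherwise exact match.
func appIDMatches(appID, bundleID string) bool {
	if strings.HasSuffix(appID, ".*") {
		return strings.HasPrefix(bundleID, strings.TrimSuffix(appID, "*"))
	}
	return appID == bundleID
}

// Step 3 (device): Apple's signature on the profile first, then the developer's signature on
// the binary using the key taken from the profile, then the device list and the App ID.
func install(applePub *ecdsa.PublicKey, udid string, app App) error {
	if !verify(applePub, app.Profile, app.ProfileSig) {
		return fmt.Errorf("profile: Apple signature invalid")
	}
	var p Profile
	if err := json.Unmarshal(app.Profile, &p); err != nil {
		return err
	}
	localPub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: p.CertX, Y: p.CertY}
	if !verify(localPub, app.Binary, app.Sig) {
		return fmt.Errorf("app: developer signature invalid")
	}
	if !p.Devices[udid] {
		return fmt.Errorf("device %s not in profile", udid)
	}
	if !appIDMatches(p.AppID, app.BundleID) {
		return fmt.Errorf("bundle ID %s not covered by App ID %s", app.BundleID, p.AppID)
	}
	return nil
}

func main() {
	apple, local := newKey(), newKey() // Apple's pair and the developer's pair
	profile, sig := issueProfile(apple, &local.PublicKey, "com.example.*", map[string]bool{"UDID-constructed-1": true})
	app := buildApp(local, "com.example.demo", []byte("constructed app binary"), profile, sig)
	fmt.Println("listed device:", install(&apple.PublicKey, "UDID-constructed-1", app))
	fmt.Println("other device:", install(&apple.PublicKey, "UDID-other", app))
}
```

The order of checks in install is the point of the model: nothing inside the profile is trusted until Apple's signature over it has been verified, so a profile that a developer forges locally is rejected before its device list or key is even read, and a binary signed with any key other than the one Apple certified fails even when the profile itself is genuine.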
