iOS.CodeSign

Inside Code Signing

1. Code Signing需要的基础组件: 证书,私钥

As an iOS developer, chances are you have a certificate, a public key, and a private key on your development machine.

To use a certificate for signing, you need the private key.

A: 在OS X Keychain Access(钥匙链)中可以看到证书。

B: 下面的命令也可以看证书。

$ security find-identity -v -p codesigning

2. 证书(certificate)

"A certificate is — very broadly speaking — a public key combined with a lot of additional information

that was itself signed by some authority (also called a Certificate Authority, or CA) to state that the

information in the certificate is correct. In this case, the authority is Apple’s authority for developer stuff,

the Apple Worldwide Developer Relations CA. " Ref[1]

2.1 iOS开发中的两个证书: iPhone DeveloperiPhone Distribution 分别为前缀的证书。

This private key is what you use to sign the binaries with. Without the private key,

you cannot use the certificate and public key to sign anything.

代码签名本身使用的是: codesign 命令行工具。

"The signature for any signed executable is embedded inside the Mach-O binary file format,

or in the extended file system attributes if it’s a non-Mach-O executable, such as a shell script." Ref[1]

2.2 使用私钥和证书对app进行签名

If you have a certificate and its private key, it’s simple to sign a binary by using the codesign tool.

Let’s sign Example.app with the identity listed above:

A: 为一个App进行签名

$ codesign -s ‘iPhone Developer: Thomas Kollbach (7TPNXN7G6K)‘ Example.app

B: 替换原来的签名 (即: 重新签名)

$ codesign -f -s ‘iPhone Developer: Thomas Kollbach (7TPNXN7G6K)‘ Example.app

C: 查看App的签名信息

$ codesign -vv -d Example.app

will tell you a few things about the code signing status of Example.app:

D: 确认/查证 App的签名

$ codesign --verify Example.app

2.3 Bunldes 和 Resource

"When signing a bundled application, the resources are signed as well.  " Ref[1]

"the signing process creates a _CodeSignature/CodeResources file inside the bundle. "  Ref[1]

2.4 Entitlements 和 Provisioning

spctl 这个工具是什么?

spctl, which manages the system’s security assessment policy.

2.4.1 Entitlements

"Code signing is used to ensure that the application actually contains only what it says on the box — nothing

more and nothing less. The sandbox restricts access to system resources. " Ref[1]

"Entitlements specify which resources of the system an app is allowed to use, and under what conditions." Ref[1]

.entitlements文件的创建:

"This is the XML generated by Xcode after clicking around in the Capabilities tab and enabling a few things.

Xcode automatically generates an .entitlements file and adds entries to it, as needed. " Ref[1]

Adding Capabilities

"it can help to look at what the signature actually says about the entitlements:

$ codesign -d --entitlements - Example.app " Ref[1]

以上命令显示app的签名中包含的entitlements有哪些。

2.4.2 Provisioning Profile

"A provisioning profile is a container for the information needed by the operating

system to decide if it can let your app run." Ref[1]

Provisioning Profile可以使App在开发机上运行,也可以进行ad-hoc/enterprise发布,

那么正式的发布需要Provisioning Profile吗? 推测是需要的。

"A provisioning profile is a collection of all the components needed to determine if a particular app can

run on a particular device. Provisioning profiles are used to enable app debugging on development devices,

and also for ad-hoc and enterprise distribution. Xcode will embed the provisioning profile you select in

the project settings within the app. " Ref[1]

Provisioning Profiles 在文件系统的位置

"~/Library/MobileDevices/Provisioning Profiles, which is where Xcode keeps all the profiles downloaded

from Apple’s developer portal." Ref[1]

Provisioning Profiles的文件格式:

It is a file encoded in the Cryptographic Message Syntax,该语法由 RFC 3852 来描述。

查看Provisioning Profiles

$ security cms -D -i example.mobileprovision

以上命令的输出是XML形式的Plist。

该Plist文件中的key

DeveloperCertificates key,这个key是证书的列表。

"The certificates are Base64 encoded and in PEM format (Privacy Enhanced Mail, RFC 1848)."

$ openssl x509 -text -in file.pem

ProvisionedDevices key

"If you are looking at a development certificate, you will also find a ProvisionedDevices key,

which contains a list of all the devices you set up for this provisioning profile." Ref[1]


Items

code signing

device provisioning

Entitlements: 权利

Provisioning

Personal Information Exchange format (.p12)

X.509


Reference

1. Inside Code Signing

http://www.objc.io/issue-17/inside-code-signing.html

2. Code Signing Guide (ToRead)

https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

3. man codesign

时间: 2024-10-16 22:59:26

iOS.CodeSign的相关文章

iOS CodeSign error: code signing is required for product type Application in SDK iOS

在真机测试的时候往往会突然出现这样一个错误,code signing is required for product type 'Application' in SDK 'iOS 7.0'  ,就是说代码签名证书不对劲. 解决方案, 1.选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any ios SDK 将选项改为:iPhone Developer 2.重新下载你的证书,或

使用Buildozer部署Kivy到移动设备上

在安装好Buildozer软件之后,我们在包含main.py的文件夹下运行buildozer init这个命令,然后我们就会看到在该文件夹下有一个buildozer.spec这个文件,这个文件主要是用来配置一系列设置用的,使用文本编辑器,Linux下使用vim编辑器打开. 下面是个例子: [app] # (str) Title of your application 更改1 title = Test # (str) Package name 更改2 package.name = test # (

CodeSign error: code signing is required for product type 'Unit Test Bundle' in SDK 'iOS 8.2'

在真机测试的时候往往会突然出现这样一个错误,code signing is required for product type 'Application' in SDK 'iOS 7.0'  ,就是说代码签名证书不对劲. 解决方案: 1.选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any ios SDK 将选项改为:iPhone Developer 2.重新下载你的证书,或

IOS随笔-- Command /usr/bin/codesign failed with exit code 1

我今天遇见一个蛋疼的问题,因为本机上装有两个xcode ,分别是xcode5.1.1和xcode6.1,xcode5版本真机测试没一点问题?但是xcode6真机测试的时候问题来了编译不通过,Command /usr/bin/codesign failed with exit code 1 的错误. 于是开始了艰辛的查询工作,再查了多个资料后最终没有解决掉问题,心灰意冷啊! 出去抽了一支烟,整理下思路,回来把证书以及描述文件全部删掉 然后重新创建证书以及描述文件,重新配置,clean一下,运行..

[BEROR]CodeSign error: code signing is required for product type 'Application' in SDK 'iOS 8.1'

解决方法: 选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any ios SDK 将选项改为:iOS Developer [BEROR]CodeSign error: code signing is required for product type 'Application' in SDK 'iOS 8.1'

CodeSign error: code signing is required for product type Application in SDK iOS XXX的解决办法

转自:http://www.tuicool.com/articles/jYRNbm 在真机测试的时候往往会突然出现这样一个错误,code signing is required for product type 'Application' in SDK 'iOS 7.0'  ,就是说代码签名证书不对劲. 解决方案, 1.选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any i

CodeSign error: code signing is required for product type Application in SDK iOS

在真机测试的时候往往会突然出现这样一个错误,code signing is required for product type 'Application' in SDK 'iOS 7.0'  ,就是说代码签名证书不对劲.  解决方案,  1.选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any ios SDK 将选项改为:iPhone Developer  2.重新下载你的证

转 CodeSign error: code signing is required for product type Application in SDK iOS

在真机测试的时候往往会突然出现这样一个错误,code signing is required for product type 'Application' in SDK 'iOS 7.0'  ,就是说代码签名证书不对劲. 解决方案, 1.选择工程->Build Settings -> Code Signing -> Code Signing Identity -> Debug -> Any ios SDK 将选项改为:iPhone Developer 2.重新下载你的证书,或

【iOS】no identity found Command /usr/bin/codesign failed with exit code 1

今天遇到了这个问题,详情如下图: 后来发现是自己脑子短路了……只添加了 Provisioning Profiles, 而忘记添加 Certificates, 就是下面的两个: