Code signing is likely one of the most painful duties that each iOS dev has to do. On this article, I’ll clarify the entire process.
Bitrise
How does code signing work?
As I discussed in my earlier article iOS units can solely run apps which can be signed by trusted builders. The provisioning course of is just the start of a a lot larger story. Profiles are used in the course of the code signing section, however what precisely is a code signature, and most significantly, how can I signal an iOS app efficiently?
Code signing is the method of digitally signing an app, to make sure that it comes from a sure developer. It is just like if you signal your real-world contracts, but it surely’s a lot safer as a result of a cryptographic hash is far more distinctive than a splash of ink. Code signing additionally ensures the integrity of the code, it is a assure that the app has not been modified or corrupted because the developer made it. In different phrases, you may’t get any malware or virus for those who solely obtain code signed apps. 😊
The preliminary know-how for signing executable apps appeared across the time when the primary iPhone was launched because the code signing course of was essential for a mass-market product. Apple launched a technique to defend each their clients and the App Retailer. iOS merely will not run unsigned code, nevertheless, you might disable this safety gate by jailbreaking your telephone. That is a really harmful course of, you should not do it in any respect.
Now that you recognize the explanations, it is time to study how code signing works below the hood. Let’s have a look at what sort of instruments and recordsdata are concerned in the course of the signing course of.
Certificates, keys and a little bit little bit of cryptography
Let’s have a fast overview of certificates, non-public and public keys.
Certificates Signing Request
The Certificates Signing Request (CSR) is a file that you need to ship to a certificates authority (on this case Apple, by the developer portal) to use for a digital id certificates. The method of making a CSR is a part of the Public Key Infrastructure (PKI). The applicant has to generate a public and a personal key on the native machine, then a CSR file may be generated from the general public key file with some further private data, like identify, e mail and so on. Applicant retains the non-public key secret, which means that you need to NEVER give out your non-public key to the general public! 🤫
Certificates
A certificates is a public key mixed with plenty of further info signed by a Certificates Authority (CA), on this case, Apple. You’ll be able to generate a certificates by importing a CSR file to the developer portal or these days Xcode can mechanically handle them for you. The certificates expires sooner or later in time, if that occurs you need to renew it. Apple can even revoke your certificates for those who break the principles, if that occurs, you will not be capable to code signal your apps anymore. Please notice that you will additionally want the corresponding non-public key in the course of the code signing course of.
Public-key cryptography, or uneven cryptography, is a cryptographic system that makes use of pairs of keys.
Public key
The general public key may be shared with everybody, it is normally out there below a publicly accessible listing. An individual who has the general public key can encrypt some knowledge for a particular receiver. The receiver with the non-public key can solely decode the message. The digital signature course of additionally depends on this basic idea of uneven cryptography. Guess what? That is additionally a part of the Public Key Infrastructure. 🔑
Non-public key
The non-public key’s a secret key that’s used to decrypt some particular knowledge or message. You must use the non-public key to code signal your app, with out it, you can not use the certificates and public key to signal something. You need to by no means share your secret key, however the one exception is possibly you probably have a number of members in your developer workforce and multiple individual is liable for the signing course of. The non-public key’s possibly crucial part of all the signing course of. You’ll be able to’t obtain a personal key from the developer portal, so all the time preserve it secret. In the event you lose it, you may nonetheless apply for a model new cert, however that may be fairly time-consuming.
As you may see, I am not going an excessive amount of into the main points of cryptosystems like (RSA)), you do not actually need to know them so as to have the ability to signal an app. Clearly, it is helpful to have some superior data of cryptography, however that alone may very well be a subject of a for much longer article. Let’s simply concentrate on the way to create your signing keys and the method of acquiring your certificates from Apple this time. 🍎
Manually signing your apps
This methodology requires extra work, however for those who observe the directions you’ll study so much about how automated code signing works behind the scenes. It is all the time good to know the elemental constructing blocks. In case you are dealing with some code signing points, the debugging course of might be a lot more durable for those who do not perceive the fundamentals. 🐛
Making a CSR
The straightforward means: by the Keychain Entry utility
Begin the Keychain Entry utility, from the Keychain Entry menu merchandise, choose the Certificates Assistant possibility and click on the Request a Certificates From a Certificates Authority… possibility. In case you are seeing the Keys class, and there’s a key chosen in the appropriate panel, that particular key might be used on your new CSR file. If there isn’t any key chosen, a brand new one might be made for you.
Enter each your e mail deal with and your identify and choose the Saved to disk possibility. Press the Proceed button, and save the CSR file someplace on the disk. A brand new private and non-private keys might be mechanically added to the login keychain for the CSR.
Producing a CSR file utilizing the command line
In the event you go together with the command line, you may manually generate the CSR and the key-pair in a .pem file format. You additionally must import the keys to the keychain manually.
openssl genrsa -out private-key.pem 2048
openssl req -new -key private-key.pem
-out CertificateSigningRequest.certSigningRequest
-subj "/[email protected], CN=My Developer Identify, C=US"
openssl req -in CertificateSigningRequest.certSigningRequest
-noout -pubkey -out public-key.pem
safety import private-key.pem -k ~/Library/Keychains/login.keychain-db
safety import public-key.pem -k ~/Library/Keychains/login.keychain-db
Now you are able to get a certificates! 📋
Acquiring a certificates from Apple
Simply go to the developer portal (it has a model new look by the best way), and choose the certificates menu merchandise within the left sidebar. There’s a plus button subsequent to the title, you need to press that too and the next display screen will seem:
The primary two choices are additionally new ones. From Xcode 11 on, you may submit your apps for all of the platforms, so a single certificates can do the job for you. For older variations of Xcode, you may go together with the iOS / macOS growth certificates. You need to notice that iOS certificates have been used each for iOS, tvOS, and watchOS.
You’ll be able to select between growth and distribution certificates. The final one is for publishing your apps to the App Retailer, the primary one is for code signing growth variations. Additionally, there generally is a most of two legitimate distribution certificates at a time per individual. Subsequent, you need to add the CSR file, with a purpose to get a certificates.
After you press the Proceed button, you may obtain the generated certificates. You need to double click on the file and add it to your login keychain. If there’s a little arrow proper subsequent to it on the left aspect which means there’s an related non-public key file, and also you’re prepared to make use of the certificates to signal your purposes… or not? 🤔
Making a provisioning profile
Effectively, it is not that straightforward, you continue to must get a legitimate provisioning profile from Apple. As I discussed in my earlier article, provisioning performs a key function within the code signing course of. Happily, every thing may be completed by the dev portal.
First, you need to choose the kind of your provisioning profile. I already defined these sorts, please learn my article about provisioning if you wish to know extra about it.
As a second step, you need to choose the applying that you will make a provisioning profile for. If you do not have an utility identifier, you may register one by utilizing the Identifiers menu merchandise. It is actually easy.
On the following display screen, you need to choose the certificates that you simply’d like to make use of in the course of the code signing course of with the provisioning profile.
As you would possibly already know, developer profiles have related gadget identifiers, so you probably have registered take a look at units within the developer portal, right here you may affiliate them with the given profile. You’ll be able to’t set up the app on the bodily gadget if the UUID shouldn’t be included within the profile, so it is price to double verify them. This may be fairly problematic typically.
Lastly, you may see an outline of your profile. You must identify your profile, and for those who press the Generate button, you may obtain it by your browser. That is it.
After you’ve downloaded each your signing certificates and provisioning profile, you need to double click on each. The certificates must be imported to the login keychain, and the provisioning profile must be saved below a given location, so Xcode can use it in the course of the code signing course of.
Now for those who open Xcode and go to the Signing & Capabilities tab (it is below the Normal earlier than Xcode 11), you may verify or uncheck the Robotically handle signing checkbox. You must choose a legitimate provisioning profile from the drop-down menu merchandise. In the event you did every thing proper, Xcode ought to be capable to see each the profile and the related certificates. Which means all of the pink error indicators needs to be gone and you need to be capable to construct and signal your app in your bodily take a look at gadget. 🙏
Automation: Xcode, Bitrise and codesigndoc
Automated code signing is a bit of cake. Let me present you what must be completed with a purpose to allow this highly effective characteristic in Xcode first.
Automated code signing utilizing Xcode
The entire guide signing factor I simply confirmed you is the previous. These days you may merely use Xcode to handle all of the certificates and profiles for you. You simply have to attach your developer account below the settings menu.
After coming into your legitimate developer credentials, Xcode can create and obtain every thing for you that is required to correctly signal an app. Nevertheless, typically there may be some points, and there are some actions that you simply nonetheless must do manually like making a Push notification certificates, but it surely’s actually useful to overlook about the remaining, for those who simply need to check out your app on an actual gadget.
Oh and do not forget that you need to verify the Robotically handle signing checkbox & you need to choose the developer workforce that you simply’d like to make use of for the signing course of.
That is it, no extra guide CSR, certificates or provisioning creation. 💫
Bitrise & codesigndoc
There are two methods (steps) to signal your app by utilizing Bitrise:
In the event you go together with the primary one, you need to add your certificates with the key-pair and the provisioning profile to Bitrise. Beneath the workflow editor there’s a devoted tab for this particular purpose, it is referred to as: Code Signing. 😅
Utilizing codesigndoc to add code signing recordsdata to Bitrise
Happily, Bitrise made an incredible open supply device referred to as codesigndoc, that may show you how to with the entire add process. You simply must run one line of code in your terminal window & codesigndoc will care for the remaining. In the event you arrange your Bitrise credentials, you do not even must add the exported code signing recordsdata manually, codesigndoc could make that occur for you too.
That is what the code signing tab appears like, there’s a devoted part for provisioning profiles, one for the certificates. There’s even a secure generic file storage that can be utilized in the course of the code signing course of you probably have some actually particular wants. Actually talking, I’ve by no means used that earlier than. 🤷♂️
Automated vs guide provisioning on Bitrise
My advice is that you need to merely go together with the iOS Auto Provision step.
Do not waste your time on the export and the pointless file add. Auto provisioning is straightforward, since you simply must enter just a few configuration properties and join a developer account. I normally set the Distribution kind to growth, enter The Developer Portal workforce id and lastly set the Ought to the step attempt to generate Provisioning Profiles even when Xcode managed signing is enabled within the Xcode venture? choice to sure.
Typically this methodology works.
Simply codesign or ought to I re-sign?
Another factor: there’s a standalone codesign command line device.
With the assistance of the codesign command you may verify the standing of an utility, and even higher, you may signal or re-sign the executable. The codesign command can even provide you with details about the signing standing, which may be extraordinarily useful if issues go improper. You’ll be able to all the time verify the guide of the codesign device, and if you would like to get some data about your apps code signature you may merely enter this command:
codesign -vv -d Instance.app
codesign --verify Instance.app
codesign -s 'Certificates identify' Instance.app
codesign -f -s 'Certificates identify' Instance.app
I might not suggest utilizing this device for signing apps, as a result of there’s one other useful gizmo referred to as XReSign with a correct consumer interface that can be utilized to re-sign your apps. If you really want to go this manner, it is higher to make use of XReSign, as a result of it may auto-update the underlying entitlements file based mostly on the given provisioning. It additionally has a command line interface, so all in all, it is extra handy to make use of. 😉
Conclusion
Code signing is certainly tough to know & work with, however there are many nice instruments that may make you life simpler. The method these days is means simpler than it was a few years in the past, because of Xcode and the automated code signing possibility.
In the event you use Bitrise to automate your builds, you need to all the time use codesigndoc or the iOS Auto Provision step if you wish to keep away from the battle. They will prevent a whole lot of time, particularly in case your certs and provisioning profiles change so much. 👍
Apple simply made some superb little adjustments, like the brand new mixed certificates for all of the platforms, redesigning the UI for the developer account or the devoted tab in Xcode 11 for managing code signing and capabilities.
I actually hope that this text will show you how to perceive all the course of higher. 😊
