App Store installation
- Apple re-signs every app it distributes: it hashes the app and signs the digest with Apple private key A (RSA). The iOS device verifies that signature with the built-in Apple public key A, then checks that the package contents match the signed hashes (validity and integrity), and installs the app directly. This path needs no developer certificate and no device list, because the trust anchor is Apple's own key.
Development (non-App Store) packaging and installation
1. Generate CertificateSigningRequest.certSigningRequest
- Open the Mac application Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority.
- Enter, for example, testEmail@test.com as the user email address and TestName as the common name, and save the request to disk.
- This generates the CertificateSigningRequest.certSigningRequest file. At the same time Keychain Access generates a new RSA key pair in the keychain.
- Location of the new keys: Keychain Access -> login -> Keys -> search for TestName; you will find the TestName public key and TestName private key. The private key never leaves the Mac; only the public key is sent to Apple inside the CSR, which is why a certificate downloaded on another machine cannot sign anything unless the private key is exported (.p12) along with it.
- Inspect the file contents in the terminal:
  Full decode: $ openssl req -noout -text -in /path/to/CertificateSigningRequest.certSigningRequest
  Raw ASN.1 structure: $ openssl asn1parse -i -in /path/to/CertificateSigningRequest.certSigningRequest
  Both read PEM by default; the .certSigningRequest file that Keychain Access writes is PEM, so no -inform flag is needed.
  The main data in the file:
  - Signature data: a sha256 digest of the request body (subject, public key, attributes), signed with the new RSA-2048 private key, i.e. the TestName private key. This is a self-signature: it only proves to Apple that the submitter holds the private key matching the enclosed public key (openssl req -verify checks it).
  - RSA-2048 public key (the TestName public key)
$ openssl req -noout -text -in /path/to/CertificateSigningRequest.certSigningRequest
Certificate Request:
Data:
Version: 0 (0x0)
Subject: emailAddress=testEmail@test.com, CN=TestName, C=CN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:0b:2d:9d:b5:91:17:fa:a0:77:e0:fc:6f:a1:
cf:56:0e:5f:08:6e:de:9f:e3:3d:01:36:91:5f:1e:
83:6a:e0:28:d3:31:d4:8b:c6:e2:e7:b6:0c:05:c2:
f4:11:cf:29:7a:19:de:14:86:da:9c:34:9d:8a:09:
57:b0:b0:fb:cb:fa:f2:ad:93:77:8c:27:4b:52:92:
a6:80:4c:c5:3d:4c:68:8d:f7:2f:cb:a4:91:76:de:
ed:3c:de:cd:3f:c9:a3:42:ec:8d:d5:3d:1b:7b:b9:
21:41:51:38:6d:94:81:f5:71:47:6c:63:b7:ed:b5:
ca:ba:17:c3:75:11:16:cb:c2:2e:55:30:68:4d:75:
a5:48:a4:f8:f2:e3:56:9a:92:c4:4a:85:0f:a0:c4:
c4:72:f1:31:c8:70:f1:0e:29:2e:77:50:67:c3:4e:
e9:11:3b:7f:c6:d1:30:87:f0:73:a4:43:a5:5d:cc:
f4:b2:4f:a6:fe:2b:c7:f2:be:e4:04:45:13:df:03:
0f:09:56:09:62:0c:b9:1d:6a:5f:0d:35:e3:13:45:
cf:c1:09:73:d6:dc:49:06:a5:ef:17:7c:7d:49:fa:
55:6a:7f:b9:e3:a3:ee:e7:92:50:6d:00:c8:91:45:
b4:bd:01:28:4d:38:07:09:66:b2:cd:86:33:71:bd:
48:6f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
65:7c:62:b6:61:69:23:a4:84:44:3b:6c:ef:a1:7a:74:71:da:
4d:ba:b1:80:ef:a8:28:6c:13:4a:e1:3f:45:89:e8:26:a8:92:
03:5f:5a:19:f7:40:1b:bd:8e:6a:5f:e1:e0:a0:f4:51:d2:ab:
71:39:5a:4e:05:e8:b1:dc:84:d6:1a:fc:d8:91:d4:4d:34:b4:
7d:58:a9:12:76:4e:df:84:d2:5b:f4:32:af:09:70:8c:79:59:
e3:f2:14:d5:9d:35:60:03:10:12:de:10:42:8b:c6:0d:2c:5a:
33:8b:9c:b4:a6:69:d3:22:e4:4f:84:64:46:44:c7:37:ac:d3:
d7:e2:c1:61:98:ee:a4:9f:f4:26:5f:22:71:d5:13:f6:2e:a5:
d5:08:3d:6b:c4:cb:b1:c7:7c:bf:37:0c:af:df:22:42:94:9d:
a5:14:5a:9a:36:cd:11:bd:1c:d9:02:9e:c2:c3:a3:63:21:65:
87:21:a5:24:af:4c:07:92:5f:5a:ef:fa:61:82:60:99:49:76:
ea:0f:83:79:f9:78:05:f5:1c:95:c3:c9:b4:d0:5f:31:f0:2e:
5c:99:86:9a:54:91:81:d6:1b:01:4f:66:a2:c7:a8:91:d4:17:
1b:8d:51:39:dd:df:a5:cc:e9:2e:51:1f:43:6c:e8:66:71:cd:
56:3f:f4:b5
2. Generate the development/distribution certificate (.cer)
- Upload CertificateSigningRequest.certSigningRequest to the Apple developer center and choose to create an Apple Development or Apple Distribution certificate.
- Download the resulting development.cer or distribution.cer (a DER-encoded X.509 certificate) and add it to the keychain, where Keychain Access pairs it with the TestName private key generated in step 1; only then does a usable signing identity exist.
- Inspect the .cer certificate in the terminal, for example:
  $ openssl x509 -inform der -noout -text -in /path/to/development.cer
  (-inform der is required: Apple delivers the certificate DER-encoded, not PEM.)
  The certificate's main data:
  - TestName public key (the key from the CSR; Apple never sees the private half)
  - Signature data produced by Apple private key A. In practice the signer is the Apple Worldwide Developer Relations intermediate CA shown as Issuer below, which itself chains to the Apple Root CA; the device trusts that chain, not a single key.
  - Certificate issuer information (Apple Inc.)
  - Signature algorithm: sha256 + RSA-2048
  - Certificate validity period (one year here)
  - Developer account information in the Subject: UID, CN = "Apple Development: name (id)", OU = Team ID, O = organization
  - Critical extensions: Extended Key Usage = Code Signing, Key Usage = Digital Signature, and Apple-private OIDs (1.2.840.113635.100.6.1.x) that mark the certificate type; codesign checks these, so a certificate lacking the expected marker cannot sign an iOS app even though it is a valid Apple-issued certificate
$ openssl x509 -inform der -noout -text -in /path/to/development.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3769592763042482157 (0x345048a55507c7ed)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
Validity
Not Before: Oct 22 06:17:03 2020 GMT
Not After : Oct 22 06:17:03 2021 GMT
Subject: UID=Y6M594P2Q9, CN=Apple Development: xxx name (xxx), OU=TeamID_XXX, O=xxx xxx Technology Co., Ltd., C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a5:1f:36:f3:6a:e5:76:8d:09:9f:70:4f:46:6b:
a7:0e:c6:51:a3:ab:3c:25:ce:cf:60:13:3b:f4:0f:
3d:3d:9c:69:96:28:18:ed:77:76:42:03:53:e7:e3:
87:88:9c:00:41:5e:a4:af:14:29:fb:71:57:7e:f5:
80:db:5e:0d:3a:af:7e:88:0e:92:c0:09:c5:9b:12:
26:73:1c:e8:8e:8b:87:01:5c:14:15:9f:36:a3:38:
cb:5c:ec:b2:fb:36:e4:4d:2d:1d:7c:65:43:9b:25:
b3:53:b4:ea:a5:86:0f:c9:da:81:59:5b:0c:b8:a0:
df:1e:f5:cb:9e:a4:3c:3e:dc:cb:18:a4:1e:cf:86:
9e:3e:9b:81:e3:b5:83:92:a3:82:7a:04:65:c7:87:
7b:18:5b:8e:4a:58:93:30:cf:6a:c7:5c:74:0d:00:
68:d4:9f:ee:3d:59:89:1e:75:59:ba:8b:c0:00:9a:
89:2b:cb:d4:28:21:87:5c:11:2d:38:69:ce:4d:3d:
4b:59:fe:d6:0e:af:17:0d:88:f4:47:f1:2c:47:60:
5c:4e:19:5c:c7:21:36:5b:1a:5b:fc:e8:40:6b:c2:
b3:ac:76:07:b0:22:60:03:b0:7b:00:a3:68:f3:e8:
35:5b:5b:b4:b4:6c:16:c1:09:98:d2:a9:ca:dc:b7:
83:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:88:27:17:09:A9:B6:18:60:8B:EC:EB:BA:F6:47:59:C5:52:54:A3:B7
Authority Information Access:
OCSP - URI:http://ocsp.apple.com/ocsp03-wwdr19
X509v3 Certificate Policies:
Policy: 1.2.840.113635.100.5.1
User Notice:
Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
CPS: http://www.apple.com/certificateauthority/
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Subject Key Identifier:
43:91:DE:0F:09:EA:09:5A:DB:98:9C:58:2B:15:A8:CE:F5:17:61:33
X509v3 Key Usage: critical
Digital Signature
1.2.840.113635.100.6.1.2: critical
..
1.2.840.113635.100.6.1.12: critical
..
Signature Algorithm: sha256WithRSAEncryption
62:35:ea:78:ad:59:cf:47:5f:b5:89:c4:8a:92:ae:7b:8e:5f:
a8:ce:ad:69:0e:ec:83:72:e7:ea:5c:5f:b7:26:f8:1f:a7:02:
e2:cf:d2:a4:af:ac:0f:0b:f8:4d:58:29:85:2b:dd:0b:c0:5d:
30:00:af:e0:b0:ef:b8:0a:e0:73:ee:09:5f:dd:a0:c5:a0:06:
a6:4a:f3:0b:61:22:42:f0:45:ad:c8:fe:cc:54:68:13:80:27:
a7:be:7c:b2:07:63:da:25:74:2d:7e:ff:57:23:27:e7:1f:b9:
68:be:0d:c3:d3:6a:07:9e:7d:00:96:50:4d:c8:66:4d:5e:e8:
40:0b:99:bc:9d:d1:b6:d5:97:ac:a6:0f:54:df:dd:7b:a5:5e:
a4:30:36:d2:95:07:9b:e0:46:3c:c2:0b:2c:2e:ed:ab:d5:8f:
86:34:8b:3c:ed:c4:c9:ec:6a:a4:7d:30:12:6f:03:1b:6c:51:
22:8f:65:4a:1a:6b:c7:ea:1a:2c:62:2b:b1:17:10:41:9d:7a:
35:99:1e:e8:36:64:75:c1:76:eb:23:ed:8c:7b:61:88:f6:8a:
34:15:e9:3d:a8:75:da:ee:83:c2:e0:e1:bd:0f:de:64:f4:98:
93:4e:da:e1:f6:50:c8:84:31:d8:f8:dc:f6:be:d4:20:e4:8c:
36:1f:46:a8
3. Generate the Provisioning Profile
- Create a Development or Ad Hoc provisioning profile for the app in the developer center.
- Apple computes a digest over the complete profile content (App ID, the .cer certificate(s), the list of device UDIDs allowed to install the app, entitlements, expiry date, and so on) and signs that digest with Apple private key A. The result is a CMS (PKCS#7) signed message whose payload is an XML plist; the signature covers the whole plist, so no single field can be edited without breaking it.
- Inspect the profile in the terminal. It is not an X.509 certificate, so openssl x509 cannot decode it; strip the CMS signature and print the plist with security cms -D on macOS (shown below), or with openssl smime -verify -noverify -inform der -in /path/to/profile.mobileprovision on other platforms.
  The profile contains:
  - App ID (application-identifier), the .cer certificate data (DeveloperCertificates, base64 DER) and the Apple private-key-A signature (the CMS wrapper around the plist)
  - Entitlements (the list of capability switches the app is allowed to claim)
  - Expiration date
  - Team ID
  - ...
$ security cms -D -i /path/to/Test_AdHoc_ProvisioningProfile.mobileprovision
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppIDName</key>
<string>TestCustomAppIDName</string>
<key>ApplicationIdentifierPrefix</key>
<array>
<string>TeamID xxx</string>
</array>
<key>CreationDate</key>
<date>2021-01-30T04:47:15Z</date>
<key>Platform</key>
<array>
<string>iOS</string>
</array>
<key>IsXcodeManaged</key>
<false/>
<key>DeveloperCertificates</key>
<array>
<data>(base64 DER of development.cer, omitted)</data>
</array>
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>TeamID_XXX.com.jq.blesdk</string>
<key>keychain-access-groups</key>
<array>
<string>TeamID_XXX.*</string>
<string>com.apple.token</string>
</array>
<key>get-task-allow</key>
<false/>
<key>com.apple.developer.team-identifier</key>
<string>TeamID_XXX</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.jq.blesdkGropu</string>
</array>
</dict>
<key>ExpirationDate</key>
<date>2022-01-26T10:20:35Z</date>
<key>Name</key>
<string>BLESDK_AdHoc_ProvisioningProfile</string>
<key>ProvisionedDevices</key>
<array>
<string>00008030-0002699C0AF9802E</string>
<string>2efc2296d057aece145299b5677988dfc4bdb07e</string>
<string>e0b8aafc6a3b1caa595611194bd9d407a32652a9</string>
<string>1b3ffe9b5864ff03403d065da809258a0dd6436d</string>
<string>150bdfcd02f6bf910f8ce40085e7d1b183b4fb02</string>
<string>09b8bb5e01a11ed5a5c5db00a809cac012d20778</string>
<string>3ad005dad2563b43987bfb503e477af69399d4f8</string>
<string>bb8751160afb83314d29f7583c900146ba5202f1</string>
<string>6e7662a90675e24681deec185c018e69fb3cd128</string>
<string>9b52a9b8ac0218fd1f4661b2d7548f0838e1a7b2</string>
<string>00008020-0001149C3C04002E</string>
<string>cf40b8b413a01994122e2169509d2d3f89479661</string>
<string>00008020-001C38CA3C99002E</string>
<string>a66dd49a60e664219345ce0d252b3f9b713d17c0</string>
<string>62028652e3bd9d9f6022f12002735c789566b580</string>
<string>00008030-000428E02EC0802E</string>
<string>f7214772ef650033e504c545b6fce0d6f46cc31c</string>
<string>a1b5e77da74e46f6beaddf64d64559ad3e72ee36</string>
<string>f0803a199940e0853147cdeb956a5bfb6cbf18c6</string>
<string>263bd980b32c9905d5c77fea62c826136c0b924b</string>
<string>e95f7ae684f3c8d9161c2fc53bd869129697394f</string>
<string>216089f8ddc200319e1598f5b69e551bb9117ad7</string>
<string>7ff854bba5435ef13e355361388d103e9244f34c</string>
<string>48787857c8de3bdc6aa3e3be56ecea621ce9f5fa</string>
<string>754751c553062fec6d98a2302ad4025f45396f45</string>
<string>25aa1b009ae93c1a50441a34d75e0177ea972526</string>
<string>028718698476f94f5469aaa2ad370a1e6e2f749d</string>
<string>80c3f437a7f7243cd86777897925abdcfc14b125</string>
<string>371764b704f340083c637853d70bb5ff46c2ef83</string>
<string>a087699401be0b2a8525aea4c3ccfa9f0d0ae7fe</string>
<string>76e9a2ebdf7fd9d47ee1c9d76ce6e8d9044673b1</string>
<string>00008020-001E48900C68002E</string>
<string>b6134e7cb22f2ba7f730fe2850e068265bcc4af7</string>
<string>00008020-000C59261111002E</string>
<string>5a556bc071f9234a9a5bb98e79cffb66c62aefaf</string>
<string>2b2a4732041e5682b8e8a7e4e361012c1c82bbd0</string>
</array>
<key>TeamIdentifier</key>
<array>
<string>TeamID_XXX</string>
</array>
<key>TeamName</key>
<string>Guangzhou Huixiangjia IOT Technology Co., Ltd.</string>
<key>TimeToLive</key>
<integer>361</integer>
<key>UUID</key>
<string>3e080887-3675-475f-b85a-34c9e9191abb</string>
<key>Version</key>
<integer>1</integer>
</dict>
4. Build and package the app
- Xcode builds the app bundle, copies the provisioning profile into it as embedded.mobileprovision, and signs the bundle (codesign) with the TestName private key stored in the Mac keychain, producing the .ipa installer package.
- The generated .ipa contains:
  - _CodeSignature/CodeResources: a plist with the hash of every resource file in the bundle (images, videos, dynamic and static libraries, nibs, ...). The main executable is not listed there: its signature lives inside the Mach-O (LC_CODE_SIGNATURE) as a CodeDirectory of per-page hashes plus the entitlements blob, signed with the TestName private key, and the CMS signature blob carries development.cer so the device can rebuild the chain to Apple.
  - embedded.mobileprovision: the provisioning profile.
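The _CodeSignature/CodeResources step above, as an added Python example (not from the original notes and not Apple's codesign). It seals a constructed bundle with a simplified CodeResources-style manifest (SHA-1 under files, SHA-1 plus SHA-256 under files2; the real file also carries rules/rules2 and seals Info.plist through the CodeDirectory rather than here) and then re-hashes the bundle to catch a modified file and an injected one:

```python
import hashlib
import os
import plistlib
import tempfile

HASH_BLOCK = 1 << 16


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_BLOCK), b""):
            h.update(chunk)
    return h.digest()


def build_code_resources(bundle_dir):
    """Return a CodeResources-like dict with sha1/sha256 of every file.
    Paths are relative to the bundle; the _CodeSignature dir is skipped."""
    files, files2 = {}, {}
    for root, _dirs, names in os.walk(bundle_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, bundle_dir)
            if rel.startswith("_CodeSignature"):
                continue
            files[rel] = _digest(full, "sha1")
            files2[rel] = {"hash": _digest(full, "sha1"),
                           "hash2": _digest(full, "sha256")}
    return {"files": files, "files2": files2}


def write_code_resources(bundle_dir):
    """Seal the bundle: write _CodeSignature/CodeResources as an XML plist."""
    sig_dir = os.path.join(bundle_dir, "_CodeSignature")
    os.makedirs(sig_dir, exist_ok=True)
    with open(os.path.join(sig_dir, "CodeResources"), "wb") as f:
        plistlib.dump(build_code_resources(bundle_dir), f)


def verify_code_resources(bundle_dir):
    """Re-hash the bundle; return the paths that were modified, removed or
    added after sealing (empty list == bundle intact)."""
    with open(os.path.join(bundle_dir, "_CodeSignature", "CodeResources"), "rb") as f:
        sealed = plistlib.load(f)
    current = build_code_resources(bundle_dir)["files2"]
    problems = []
    for rel, entry in sealed["files2"].items():
        if rel not in current:
            problems.append("missing: " + rel)
        elif current[rel]["hash2"] != entry["hash2"]:
            problems.append("modified: " + rel)
    for rel in current:
        if rel not in sealed["files2"]:
            problems.append("added: " + rel)
    return problems


def demo():
    """Constructed sample bundle: seal it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "Test.app")
        os.makedirs(os.path.join(bundle, "Frameworks"))
        with open(os.path.join(bundle, "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": "com.jq.blesdk"}, f)
        with open(os.path.join(bundle, "Frameworks", "libtest.dylib"), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 64)   # fake Mach-O magic + padding
        with open(os.path.join(bundle, "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        write_code_resources(bundle)
        intact = verify_code_resources(bundle)
        with open(os.path.join(bundle, "logo.png"), "ab") as f:   # tamper
            f.write(b"X")
        with open(os.path.join(bundle, "extra.txt"), "wb") as f:  # unsealed file
            f.write(b"injected")
        tampered = verify_code_resources(bundle)
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest alone proves nothing: it is the signature over the CodeDirectory (which in turn hashes CodeResources) that binds these hashes to the TestName key, so replacing a resource means either breaking that signature or re-signing with a key the profile lists.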
5. Installation
- The iOS device verifies the signature on the embedded provisioning profile with the built-in Apple public key A (in practice the certificate chain up to the Apple Root CA), which establishes that the .cer certificate data, device UDID list, App ID and Entitlements in the profile are authentic and unmodified.
- It checks that the profile has not expired and that the ProvisionedDevices list contains this device's UDID (Development and Ad Hoc profiles only; App Store and Enterprise profiles carry no device list).
- It checks that the App ID and team identifier in the profile match the installed bundle, and that every entitlement the app's signature claims is permitted by the profile's Entitlements; an entitlement that is not granted fails the install even though the signature is valid.
- It verifies the signature on the .cer certificate with Apple public key A, which proves that the TestName public key is genuine and unmodified, and checks that this certificate is one of those listed in the profile's DeveloperCertificates.
- It uses the TestName public key to verify the code signature over the app's files (the executable's CodeDirectory and the CodeResources hashes), which proves the package has not been tampered with.
- Only then is the app installed. The same checks are repeated at launch, so an Ad Hoc or Development build stops running once its profile expires or the certificate is revoked, even though the signature bytes are unchanged.
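The profile layout from step 3 and the device-side checks from step 5, as an added Python example (not from the original notes and not Apple's installd code). The CMS signature is not verified here, since that needs Apple's CA chain; the plist is simply cut out of the CMS envelope, which is what security cms -D prints, and a certificate is matched by the SHA-1 of its DER bytes. The profile bytes, the team ID TEAMID0000, the UDIDs and the certificate bytes are all constructed for the example:

```python
import datetime
import hashlib
import plistlib

# Constructed placeholders (not a real certificate or team ID).
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-not-real-der"
TEAM_ID = "TEAMID0000"


def extract_plist(profile_bytes):
    """Return the plist embedded in a .mobileprovision CMS blob (what
    `security cms -D` prints), without checking the CMS signature."""
    start = profile_bytes.index(b"<?xml")
    end = profile_bytes.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(profile_bytes[start:end])


def _id_matches(allowed, actual):
    """application-identifier style match: TEAM.com.example.* is a prefix."""
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def _entitlement_allowed(allowed, requested):
    # List entitlements (keychain / app groups) must be a subset of what the
    # profile grants, wildcards included; scalar ones must match exactly.
    if isinstance(allowed, list):
        return all(any(_id_matches(a, r) for a in allowed) for r in requested)
    return allowed == requested


def check_install(profile, device_udid, bundle_app_id, signer_cert_der,
                  requested_entitlements, now):
    """Step 5 checks; returns the reasons the install is refused (empty == OK)."""
    reasons = []
    if profile["ExpirationDate"] <= now:
        reasons.append("profile expired")
    # App Store and Enterprise profiles carry no ProvisionedDevices; only
    # Development and Ad Hoc profiles restrict installation by UDID.
    devices = profile.get("ProvisionedDevices")
    if devices is not None and device_udid not in devices:
        reasons.append("device not provisioned")
    ent = profile["Entitlements"]
    if not _id_matches(ent["application-identifier"], bundle_app_id):
        reasons.append("application-identifier mismatch")
    if not bundle_app_id.startswith(ent["com.apple.developer.team-identifier"] + "."):
        reasons.append("team-identifier mismatch")
    # The certificate that signed the app must be one the profile lists;
    # compare by fingerprint of the DER bytes.
    fp = hashlib.sha1(signer_cert_der).digest()
    listed = {hashlib.sha1(c).digest() for c in profile["DeveloperCertificates"]}
    if fp not in listed:
        reasons.append("signing certificate not in profile")
    for key, value in requested_entitlements.items():
        if key not in ent or not _entitlement_allowed(ent[key], value):
            reasons.append("entitlement not granted: " + key)
    return reasons


def sample_profile():
    """Constructed Ad Hoc profile plist wrapped in a fake CMS prefix/suffix."""
    plist = {
        "Name": "BLESDK_AdHoc_ProvisioningProfile",
        "ExpirationDate": datetime.datetime(2022, 1, 26, 10, 20, 35),
        "DeveloperCertificates": [FAKE_CERT_DER],
        "ProvisionedDevices": ["00008030-0002699C0AF9802E",
                               "2efc2296d057aece145299b5677988dfc4bdb07e"],
        "Entitlements": {
            "application-identifier": TEAM_ID + ".com.jq.blesdk",
            "com.apple.developer.team-identifier": TEAM_ID,
            "keychain-access-groups": [TEAM_ID + ".*", "com.apple.token"],
            "com.apple.security.application-groups": ["group.com.jq.blesdkGropu"],
            "get-task-allow": False,
        },
    }
    return b"\x30\x82\x10\x00fake-cms-header" + plistlib.dumps(plist) + b"fake-cms-trailer"


def demo():
    profile = extract_plist(sample_profile())
    app_id = TEAM_ID + ".com.jq.blesdk"
    wants = {"application-identifier": app_id,
             "keychain-access-groups": [app_id],
             "get-task-allow": False}
    ok = check_install(profile, "00008030-0002699C0AF9802E", app_id,
                       FAKE_CERT_DER, wants, now=datetime.datetime(2021, 6, 1))
    # Same app after expiry, on an unlisted device, signed by another
    # certificate and claiming one entitlement the profile never granted.
    wants_more = dict(wants, **{"com.apple.developer.associated-domains": ["applinks:example.com"]})
    bad = check_install(profile, "0000deadbeef", app_id, b"some-other-cert",
                        wants_more, now=datetime.datetime(2022, 6, 1))
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Note the get-task-allow entry: the Ad Hoc profile above sets it to false, so a binary signed with get-task-allow true is refused, which is what prevents a debugger from attaching to an Ad Hoc build; Development profiles grant it as true.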