Re: Digital Signatures, Certificates, and developer profiles, oh my!
- Subject: Re: Digital Signatures, Certificates, and developer profiles, oh my!
- From: Kyle Sluder <email@hidden>
- Date: Thu, 27 Feb 2014 18:43:11 -0800
On Thu, Feb 27, 2014, at 04:51 PM, William Squires wrote:
> Several questions:
>
> 1) Are your Certificate Signing request (.csr), WWDR intermediate
> certificate, and developer/distribution provisioning profiles tied to a
> specific machine, a specific version of Xcode, or just to a particular
> Apple ID?
- The CSR is tied to the email address you provide when you generate it.
This email address must be a valid Apple ID for the portal to accept the
CSR.
The CSR itself is disposable once you've converted it into a certificate
by approving it in the portal. The resultant certificate only contains
the public key. It is useless for signing without the private key that
was used to generate the CSR. So the certificate is "tied to the
machine" insofar as you need to copy around your private key to any
machine you want to use to sign things with your developer certificate.
- The WWDR intermediate certificate is not tied to anything particular
to you. Your developer certificate is signed by the WWDR intermediate
CA. Therefore the WWDR intermediate certificate must be installed on the
machine in order for Xcode to validate the trust chain of your developer
certificate.
- Provisioning profiles contain an embedded copy of all the certificates
that can be used to sign software on devices on which the provisioning
profile is installed. As above, the embedded certificates only contain
the _public_ key.
Provisioning profiles also contain an embedded list of all devices that
the profile may be installed on. The provisioning profile itself is
signed by Apple's certificate, so the device can verify that the list
hasn't been tampered with, and it can reject installing software that it
can't find a matching provisioning profile for.
>
> 2) What technical difficulties prevent all this stuff from working across
> all my devices whose OSes support iCloud? (i.e. Why can't all these
> certificates, signatures, profiles, etc... reside in the "cloud", and
> automatically sync themselves across all devices entered (when one logs
> into the specific developer portal on developer.apple.com, and add them)
> once it's verified that payment has been made ($99/yr.)?
Because one of the fundamental aspects of public key encryption is
storing the private key away from the public key. Let's presume someone
guesses your Apple ID password. If they _also_ have your private key,
they can sign whatever code they want and submit it to Apple on your
behalf. Without your private key, Apple will reject any code they
upload.
>
> 3) How do I clear out all the 'cruft' out of my keychain relating to all
> these certificates, so I can be sure that I start with a fresh slate?
> (i.e. which items are safe to delete?)
- You can delete any expired certificates in your keychain. They're
useless for signing anything with.
- Grab Craig Hockenberry's provisioning profile QuickLook generator:
<https://github.com/chockenberry/Provisioning/> It can tell you the
expiration date of the profile itself, the expiration dates of the
embedded copies of any certificates within the profile, and the list of
devices embedded within the profile. If any of these is expired/out of
date, go generate a new provisioning profile in the portal (after
regenerating any expired certificates or approving and adding any new
devices that need to be embedded in the provisioning profile).
Hope that helps,
--Kyle Sluder
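As an added illustration (not part of Kyle's reply or Apple's tooling), a Python script that performs the three checks the reply describes on a decoded provisioning profile plist: profile expiry, whether the local signing certificate is among the embedded public certificates, and whether a device is in the embedded device list. The sample profile and certificate bytes are constructed placeholders; on a Mac the real plist is obtained with `security cms -D -i profile.mobileprovision`.

```python
import base64
import hashlib
import plistlib
from datetime import datetime, timezone

# Constructed sample (not a real profile); the cert bytes are placeholder DER.
FAKE_CERT_DER = b"\x30\x82\x01\x00placeholder-developer-certificate-der"
SAMPLE_PROFILE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ExpirationDate</key><date>2015-02-27T00:00:00Z</date>
  <key>DeveloperCertificates</key><array>
    <data>{base64.b64encode(FAKE_CERT_DER).decode()}</data>
  </array>
  <key>ProvisionedDevices</key><array>
    <string>00000000000000000000000000000000</string>
    <string>11111111111111111111111111111111</string>
  </array>
</dict></plist>"""

def load_profile(xml_text):
    """Parse the plist that `security cms -D -i X.mobileprovision` prints."""
    return plistlib.loads(xml_text.encode())

def profile_expired(profile, now=None):
    """plistlib returns naive UTC datetimes, so compare against naive UTC."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return profile["ExpirationDate"] <= now

def cert_fingerprints(profile):
    """SHA-1 of each embedded (public-key-only) certificate, the same value
    Keychain Access shows, so it can be matched to a local signing identity."""
    return [hashlib.sha1(der).hexdigest().upper()
            for der in profile.get("DeveloperCertificates", [])]

def device_allowed(profile, udid):
    return udid.lower() in {d.lower() for d in profile.get("ProvisionedDevices", [])}

def audit(profile, udid, local_fingerprint, now=None):
    """Return the reasons a device would refuse an app signed with the
    certificate `local_fingerprint` under this profile (empty list = OK)."""
    problems = []
    if profile_expired(profile, now):
        problems.append("profile expired on %s" % profile["ExpirationDate"].date())
    if local_fingerprint.upper() not in cert_fingerprints(profile):
        problems.append("signing certificate is not embedded in the profile")
    if not device_allowed(profile, udid):
        problems.append("device %s is not in ProvisionedDevices" % udid)
    return problems

PROFILE = load_profile(SAMPLE_PROFILE_XML)
SAMPLE_FINGERPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()
```

Running `audit(PROFILE, "0" * 32, SAMPLE_FINGERPRINT)` on the sample reports only the expired profile; a fingerprint from `security find-identity -p codesigning` can be substituted for the constructed one.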