As I understand, there are 4 possible ways to distribute applications on iOS:
I understand how the Development way of distribution works. You need to submit a certificate request to Apple and it issues a certificate for you. Then you use this certificate to sign your applications.
However, it is unclear how Ad Hoc, Enterprise and App Store certificates work. In particular:
My intuition is that Apple works as a Certificate Authority but signs all these types of certificates with different root certificates, i.e., developer requests are signed with the Developer Apple root certificate, and Enterprise with the Enterprise Apple root certificate. Then, during the installation on the device, the type of the root certificate is checked and the corresponding decision is enforced. Am I right?
The answer lies in provisioning profiles and not certificates or their authorities.
There's no such thing as an Ad Hoc certificate. There are only Distribution certificates and Development certificates. This is true for Enterprise accounts too, whose certificates are exactly the same (aside from account of provenance type). So Ad Hoc, App Store and Enterprise are all distribution certificates. All your certificates are signed by the same authority: The Apple Worldwide Developer Relations Certification Authority, and as such they can't have different root CAs.
The differences lie in the provisioning profiles themselves, which are simply plists signed by Apple. iDevices trust some part of the WWDR certificate chain (the root CA?) and if the signature checks out, the provisioning profile is interpreted and a decision is made on whether a given app can be installed or run.
Provisioning profiles say who can run what and on which devices. They're signed by Apple so a device can verify what they say.
The differences between the profile types that I can see are:
Enterprise profiles have

    <key>ProvisionsAllDevices</key>
    <true/>

Ad Hocs have

    <key>ProvisionedDevices</key>
    <array>
    UDIDs! You do, in fact, need to specify them for Ad Hoc!
    </array>

And App Store profiles appear to have no special provisioning information. In fact I'm not sure they ever actually get installed on a device.
The command

    security cms -D -i your.mobileprovision

is useful for exploring provisioning profiles.
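The key differences described in the answer above can be checked mechanically on a decoded profile. This is an added example, not part of the original answer: the function names and sample profiles are constructed, and telling development profiles apart from Ad Hoc ones by the get-task-allow entitlement goes beyond what the answer states.

```python
import plistlib

def classify_profile(decoded: bytes) -> str:
    """Classify a decoded profile (the plist that `security cms -D -i` prints).

    Reads keys only; it does not verify Apple's signature on the profile.
    """
    profile = plistlib.loads(decoded)
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"
    if "ProvisionedDevices" in profile:
        # Assumption beyond the answer: development profiles also list UDIDs
        # and are told apart by the get-task-allow entitlement.
        ents = profile.get("Entitlements", {})
        return "development" if ents.get("get-task-allow") else "ad-hoc"
    return "app-store"

def device_covered(decoded: bytes, udid: str) -> bool:
    """True if the profile's device provisioning covers this UDID."""
    profile = plistlib.loads(decoded)
    if profile.get("ProvisionsAllDevices") is True:
        return True
    return udid in profile.get("ProvisionedDevices", [])

def make_sample(**keys) -> bytes:
    """Build a constructed (not real) decoded profile for the demo."""
    body = {"Name": "constructed-sample", "Entitlements": {"get-task-allow": False}}
    body.update(keys)
    return plistlib.dumps(body)

# Constructed samples; the UDIDs are placeholders, not real device identifiers.
SAMPLES = {
    "enterprise": make_sample(ProvisionsAllDevices=True),
    "ad-hoc": make_sample(ProvisionedDevices=["UDID-PLACEHOLDER-1"]),
    "development": make_sample(ProvisionedDevices=["UDID-PLACEHOLDER-1"],
                               Entitlements={"get-task-allow": True}),
    "app-store": make_sample(),
}

if __name__ == "__main__":
    for expected, blob in SAMPLES.items():
        print(expected, "->", classify_profile(blob),
              "| covers UDID-PLACEHOLDER-2:",
              device_covered(blob, "UDID-PLACEHOLDER-2"))
```

When auditing a build pipeline, a profile that classifies as "enterprise" is the one to watch, since it is not tied to a device list.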
A Venn diagram I created to simplify the understanding of iOS provisioning profiles. See the Google Drawing doc here: https://docs.google.com/drawings/d/1Td19Lf94Lep3h7jFD2mYdO564Y_LiWBaFaartDE8riU/edit?usp=sharing