IOs code signing clarification

Question

As I understand there are 4 possible ways to distribute applications on IOs:

1. Development
2. Ad Hoc
3. Enterprise
4. App Store

I understand how the Development way of distribution works. You need to submit a certificate request to Apple and it issues a certificate for you. Then you use this certificate to sign your applications.

However, it is unclear how Ad Hoc, Entreprise and App Store certificates work. In particular:

• Ad Hoc can be installed on a wide range of divice, however, you do not need to specify the devices in provisioning profiles. Do you need to submit a special request to obtain Ad Hoc certificate, and how the enforcement on the level of device works?
• Similarly, as I understand Enterprise certificate can be used to
  install apps on different device (you do not need to specify them in advance). It seems that Enterprise is very similar to App Store
  certificate, i.e., I do not see the difference between them. How the security check of certificates works for Enterprise?

My intuition that Apple works as a Certificate Authority but signs all these types of certificates with different root certificates, i.e., developer requests are signed with Developer Apple root certificate, and Enterprise is with Enterprise Apple Root certificate. Then, during the installation on the device the type of the root certificate is checked and the corresponding decision is enforced. Am I right?

Answer 1

The answer lies in provisioning profiles and not certificates or their authorities.

There's no such thing as an Ad Hoc certificate. There are only Distribution certificates and Development certificates. This is true for Enterprise accounts too, whose certificates are exactly the same (aside from account of provenance type). So Ad Hoc, App Store and Enterprise are all distribution certificates. All your certificates are signed by the same authority: The Apple Worldwide Developer Relations Certification Authority, and as such they can't have different root CAs.

The differences lie in the provisioning profiles themselves, which are simply plists signed by Apple. iDevices trust some part of the WWDR certificate chain (the root CA?) and if the signature checks out, the provisioning profile is interpreted and a decision is made on whether a given app can be installed or run.

Provisioning profiles say who can run what and on which devices. They're signed by Apple so a device can verify what they say.

The differences between the profile types that I can see are:

Enterprise profiles have

<key>ProvisionsAllDevices</key>
<true/>

Ad Hocs have

<key>ProvisionedDevices</key>
<array>
  UDIDs! You do, in fact, need to specify them for Ad Hoc!
</array>

And App Store profiles appear to have no special provisioning information. In fact I'm not sure they ever actually get installed on a device.

The command security cms -D -i your.mobileprovision is useful for exploring provisioning profiles.

Answer 2

A Venn diagram I created to simplify the understanding of iOS provisioning profiles. See the Google Drawing doc here: https://docs.google.com/drawings/d/1Td19Lf94Lep3h7jFD2mYdO564Y_LiWBaFaartDE8riU/edit?usp=sharing