Understanding Provisioning profiles and certificates in iOS

Tags: ios, ios6, ios5

Is my understanding regarding the provisioning profiles, certificates correct (during development)?

  1. Apps are signed with a developer certificate from Xcode when installing on the device? The certificate should exist in the provisioning profile (stored on the iPad/iPhone), and the device ID of the installing device should also be present in the provisioning profile.
  2. So when you tap an app while the device is not connected to your developer Mac, the app's signing certificate should match one in the provisioning profile (which exists on the device) and the device ID should also match one in the provisioning profile; only then will the app run.
  3. When the device is connected to the Mac running Xcode and you want to debug, the public+private key stored in the keychain comes into play: Xcode tries to unlock the public+private key stored in the keychain using the certificate and hence identifies the Mac, and also performs the check in the bullet above; if that is true as well, then you can successfully debug.
ssinganamalla asked Mar 06 '13 03:03



1 Answer

First of all, selecting a provisioning profile in Xcode is misleading; building in Xcode actually has nothing to do with the profiles whatsoever! What actually happens is Xcode just matches the public key certificate in the profile to one in your keychain, then uses the private key to sign the executable. That's bog-standard Mach-O executable signing. This is also why they've changed it in Xcode 5 to be clearer. That's also where the errors on the profiles (Signing identity not found) come from - it means Xcode couldn't find a private key corresponding to any of the public keys in the profile.

Your personal developer certificate is standard PKI stuff; your Mac sends a request to Apple for a certificate in a way that Apple doesn't know your private key (similar to SSL certificate requests). Apple generates the certificate and the keychain matches it up with the original request, giving you the public and private keys for the cert. When a profile is created for an individual developer, that developer's public key is listed. When a team profile is created, the public keys for all the chosen team members are included. This allows the team members to sign the executable, but the name of the signer will be the team name instead of the individual.

When iOS goes to launch any executable, it first checks the signature. If the signature is signed by Apple App Store, then it runs.

If not, it then checks the installed provisioning profiles. The profiles include:

  1. A list of developer certificates
  2. An app ID
  3. Entitlements to grant (e.g. iCloud, Game Center, etc.)
  4. A list of device UDIDs
  5. The whole thing is wrapped up and signed by Apple.

The profile is checked to ensure it was signed by Apple's key (using Apple's public key). It then validates that the current device's UDID is in the list. It also validates that the application ID matches (though wildcards are allowed). Then it checks the Mach-O signature against the list of valid developer certificate public keys. If any of them match, the executable runs and is granted the listed entitlements. If not, it is blocked.

I highly suggest opening up a .mobileprovision file in a text editor; you'll learn a lot!

russbishop answered Oct 18 '22 03:10
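The answer describes what a profile contains and the checks iOS makes before launching an executable. As an added example (not code from the question or the answer), the Python below pulls the XML plist out of a `.mobileprovision` blob and walks through those same checks against a constructed sample profile; the plist keys used (`ProvisionedDevices`, `DeveloperCertificates`, `Entitlements`, `ExpirationDate`) are the real ones, but the bytes around the plist are placeholders for the CMS envelope, and the function deliberately does not verify Apple's signature over the profile, which a real check must do first.

```python
import plistlib
from datetime import datetime

# Constructed sample. A real .mobileprovision is a DER-encoded CMS SignedData blob whose
# payload is this XML plist; the bytes wrapped around it here stand in for that envelope.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example Dev Profile</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.*</string>
    <key>get-task-allow</key><true/>
  </dict>
  <key>ProvisionedDevices</key><array>
    <string>0000000000000000000000000000000000000001</string>
  </array>
  <key>DeveloperCertificates</key><array><data>AAEC</data></array>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
</dict></plist>
"""
SAMPLE_MOBILEPROVISION = b"\x30\x82\x07\x00" + SAMPLE_PLIST + b"\x00\x00"


def extract_plist(blob):
    """Locate and parse the plist inside the CMS envelope. This does NOT check Apple's
    signature on the profile; on a Mac, `security cms -D -i x.mobileprovision` decodes it."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def app_id_matches(pattern, app_id):
    """TEAMID.bundle.id versus the profile's application-identifier (trailing * wildcard)."""
    if pattern.endswith(".*"):
        return app_id.startswith(pattern[:-1])  # keep the dot: "com.example." != "com.examples."
    return pattern == app_id


def profile_permits(profile, udid, app_id, signer_cert_der, now=None):
    """Mirror the launch-time checks from the answer: expiry, device UDID, app ID, signer cert."""
    now = now or datetime.now()
    if now >= profile["ExpirationDate"]:
        return False, "profile expired"
    if udid not in profile.get("ProvisionedDevices", []):
        return False, "device UDID not in profile"
    if not app_id_matches(profile["Entitlements"]["application-identifier"], app_id):
        return False, "application-identifier mismatch"
    if signer_cert_der not in profile.get("DeveloperCertificates", []):
        return False, "signing certificate not listed in profile"
    return True, "ok: entitlements " + ", ".join(sorted(profile["Entitlements"]))
```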