Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Validate certificate and provisioning profile

Tags:

iphone

code-signing

jenkins

On our iOS projects, we commit to the version control repository both the signing certificate and the provisioning profiles used to generate AdHoc and AppStore builds. This way, whenever a new developer downloads a new fresh copy of the app, he has everything he needs to create an AdHoc build for testers.

We are using Jenkins for Continous Integration, and I would like to have a script that does some sanity checks on the commited files. In particular, I'd like to check that the commited provisioning profiles were indeed generated with the signing certificate commited in the repository.

Does anyone know how to do this from the command line? I can't figure out the .mobileprovision file format, although it seems to be a signed binary plist file.

like image 664
pgb Avatar asked Jul 15 '11 20:07

pgb

1 Answers

Answering my own question, I hope this helps someone else.

Turns out, the mobileprovision file is a PKCS7 digitally signed message. It is not signed with the developer's certificate, but with Apple's one.

However, the data that's signed is an XML plist that contains the public key of the certificate you use to sign your binaries.

So basically, the steps are as follows:

  1. Extract the data from the PKCS7 file.
  2. Extract the public-key from the p12 file.
  3. Compare the two, and check if they are the same.

I managed to do this easily with Ruby, since it provides nice wrappers to OpenSSL. I left a script in Github, if anyone wants to use.

The relevant parts of the code are as follows:

profile = File.read(@profile_file)
certificate = File.read(@certificate_file)

p7 = OpenSSL::PKCS7.new(profile)
cert = OpenSSL::PKCS12.new(certificate, @certificate_password)

store = OpenSSL::X509::Store.new
p7.verify([], store)

plist = REXML::Document.new(p7.data)

plist.elements.each('/plist/dict/key') do |ele|
  if ele.text == "DeveloperCertificates"
    keys = ele.next_element
    key = keys.get_elements('//array/data')[0].text

    profile_cert = "-----BEGIN CERTIFICATE-----" + key.gsub(/\t/, "") + "-----END CERTIFICATE-----\n"

    @provisioning_cert = OpenSSL::X509::Certificate.new(profile_cert)
  end
end

# Compare @provisioning_cert.to_s and cert.certificate.to_s
like image 117
pgb Avatar answered Oct 14 '22 12:10

pgb
Sign in to Comment

Related questions

How to find instance by hex in XCode console?
Why In-App purchase sandbox always ask "Verification Required"?
Xcode 5 shows the same device twice
Storyboard Auto Layout: "trailing space to container" vs "bottom space to bottom layout"
How to delete a row in UITableView manually?
What OSX/XCode version control system should I use for iPhone development?
UIWebView and local css file
Programmaticlaly moving rows with animation in UITableView
iPhone registerForRemoteNotificationTypes does not generate an error but does not fire delegate that gives device token
iOS download and save HTML file
Windows notepad not supporting newline character '\n'
setting UIButton font
Changing language on the fly in swift
Compute a checksum on the iPhone from NSData
Grouped style setting not taking effect from IB, UITableView
How to handle "Don't Allow" for location manager?
How do you provide labels for the axis of a Core Plot chart?
Weird behavior of UIView frame after rotation in iPhone
UIPopoverController does not dismiss when clicking on the NavigationBar
MKAnnotation, simple example

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!