Codesigning and Provisioning Profiles for Apple Platforms

If you’re writing applications for Apple platforms, you’ll likely find yourself acquainted with codesigning and provisioning profile issues sooner or later. I found this an incredibly frustrating part of learning Apple platforms, and I’ve heard the same from others. I think this is because of insufficient documentation and tools, and I think spending 10 minutes with this blog post will give you the information you need to avoid hours of turmoil.

Prerequisites

Now would be a good time to brush up on asymmetric key pairs and understand that the private key can be used to create a signature, and the public key can be used to verify that signature.

Remember that a certificate (AKA an X.509 certificate) is a public key with some metadata, signed by the certificate’s issuer (known as a certificate authority).

Codesigning

A code signature allows the operating system to verify that an app has not been modified since it was signed by the holder of the signing identity. The signature also contains a set of entitlements, which tell the operating system which capabilities the signer grants to the app.

A signing identity consists of a signing certificate (remember: public key + metadata), and the corresponding private key. Any codesigning identity used by Xcode will be pulled from your login keychain.

Provisioning Profiles

A provisioning profile is a signed document from Apple that tells the operating system to allow your app to run with a certain set of constraints. These constraints include:

  • Which devices the app can run on (for development profiles)
  • Which signing identities can be used in the code signature
  • Which entitlements the code signature can include
  • A date range when the provisioning profile is valid

Visualizing Provisioning Profiles

macOS 10.13.3 included a big improvement: the ability to use Quick Look to inspect a provisioning profile. Simply find the profile in Finder, select it, and hit the space bar.

This is a good start, but there’s more important information! Profile Inspector can help with this.

Open Profile Inspector (no window will appear, but the app is running), and select File > Reveal Xcode Provisioning Profiles. The directory that appears in Finder is where Xcode keeps the provisioning profiles it knows about. Drag any of these to ProfileInspector in the dock, and a new window showing that profile will appear. The allowed signing certificates are at the bottom of the window. Double-click on one to see the certificate’s details. The “In Keychains” column tells you whether ProfileInspector finds a matching signing certificate in your keychains. If the certificate and the corresponding private key are not in your login keychain, Xcode will not be able to use them to codesign.

Xcode Build Settings

More information on each of these settings is available in the Utilities panel on the right side of your Xcode window, in the Quick Help inspector.

  • Code Signing Identity (CODE_SIGN_IDENTITY): The “common name” of your code signing certificate
  • Code Signing Entitlements (CODE_SIGN_ENTITLEMENTS): A path to the entitlements file used when signing the app
  • Code Signing Style (CODE_SIGN_STYLE): Specifies whether Xcode should automatically manage this for you. I prefer Manual, so I can better understand which provisioning profiles and signing identities are used for what.
  • Provisioning Profile (PROVISIONING_PROFILE_SPECIFIER): UUID or provisioning profile name
  • Other Code Signing Flags (OTHER_CODE_SIGN_FLAGS): This is where you can add something like -o library to opt into library validation for macOS.

Helpful Command Line Snippets

Also see this post on frequent codesigning-related tasks.

Standard