Question posted in Xcode
Whether you're new to Xcode or an experienced developer, our archive has everything you need to know about this integrated development environment (IDE). From basic functionalities to advanced features, our archive covers a wide range of Xcode-related questions and answers. Browse our archive now and find solutions to your Xcode questions, and take your app development skills to the next level

Xcode – How does the iOS device retrieve the public key during .ipa installation

Andy
September 27, 2024
89 views
0 votes
2 Answers

After reading the provisioning profile documentation , I wonder where the iOS device retrieves the public key that it will use to decrypt the code signature and verify the app binary during the development process.

The public key is generate on my mac when creating a CSR, and then it is embedded in the certificate, but the ipa file does not contain the certificate itself (the provisioning profile only contains certificate references). So where does it retrieve the certificate that contains the public key? Thanks

Tags: ios xcode

Answers

- evabrown2508
- September 27, 2024 at 6:29 am
- 0 votes
0
The iOS device does not retrieve the public key from the internet during the app verification process. Instead, the public key is embedded within the developer’s certificate, which is stored on the device itself after the app is signed and installed.

Here’s a brief breakdown of how this process works during development:

App Signing: When an app is being built for development or distribution, it is signed using a private key corresponding to the developer’s certificate. This certificate contains the public key, which is used for verification later.

Provisioning Profile: The provisioning profile embedded in the app references the developer’s certificate but does not contain the actual certificate itself. The provisioning profile ensures that only authorized devices and developers can run the app.

Device Verification: When you install the app on the iOS device, the device already has access to the necessary certificate through previous provisioning or installation processes (such as through Xcode or a registered provisioning profile).

Code Signature Verification: Upon running the app, the device uses the public key (from the certificate already on the device) to decrypt the code signature and verify that the app has not been tampered with and is signed by a legitimate developer.

Since the certificate and public key are locally stored on the device as part of the provisioning process, there’s no need to retrieve the public key from the internet during the verification process. This ensures the security of the app signature verification even when the device is offline.

So, in summary, the iOS device retrieves the public key from the locally installed certificate, not from the internet.

Login or Signup to reply.

- Paulw11
- September 27, 2024 at 8:43 am
- 0 votes
0
In your question, you say:

the ipa file does not contain the certificate itself (the provisioning profile only contains certificate references)

This is incorrect. From the document you linked to:

Every profile has a DeveloperCertificates property holding the certificates of each developer who can sign code covered by the profile.

So, the profile does, indeed, contain the developer certificates. The certificates include their public keys.

The developer certificates are signed by the Apple WWDR CA, which is trusted by iOS. The iOS device can, therefore:
- Validate that the developer certificate was signed by the WWDR CA
- Trust the public key in the developer certificate to validate the signed code in the IPA
For example, I followed the steps listed in the Apple Tech Note on the embedded.mobileprovision file from a developer build ipa file.

Dumping the certificate with certtool gives:
```
Serial Number      : 68 D8 D7 27 7D 16 26 37 BD C8 26 2A 1B 45 35 0D 
Issuer Name        :
   Common Name     : Apple Worldwide Developer Relations Certification Authority
   OrgUnit         : G3
   Org             : Apple Inc.
   Country         : US
Subject Name       :
   Other name      : XXXXXX
   Common Name     : Apple Distribution: YYYY (XXXX)
   OrgUnit         : XXXX
   Org             : XXXX
   Country         : AU
Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >
   alg params      : 05 00 
Not Before         : 02:00:24 Apr 29, 2024
Not After          : 02:00:23 Apr 29, 2025
Pub Key Algorithm  : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
   alg params      : 05 00 
Pub key Bytes      : Length 270 bytes : 30 82 01 0A 02 82 01 01 ...
```
There is the public key required to validate the code signing.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.