19. Code Signing

Written by Walter Tyree

Ah, code signing: an iOS developer’s nemesis. Code signing is hardly at the top of every iOS developer’s agenda, but a strong knowledge of how code signing works can be extremely useful for solving problems, as well as establishing yourself as a linchpin in your development team. There’s nothing more “ask-for-a-raise-worthy” than a developer who can re-sign an outdated Swift 2.2 iOS app, instead of having to fix the potentially thousands of Swift compiler errors when time is against you.

This chapter will give you a basic overview of how code signing works by having you pick apart the open-source iOS Wordpress v10.9 application.

You’ll explore the stages of the app’s code signature before being sent to App Store Connect. In addition, you’ll re-sign the Wordpress app so it can run on your very own iOS device!

Setting Up

In order to complete everything in this chapter, you’ll need a number of items. First, you’ll need a proper iOS Apple Developer account to generate Provisioning Profiles. You’ll also need a physical iOS device to install the Wordpress iOS application.

Terminology

To really appreciate how code signing works, you need to understand three key components: public/private keys, entitlements, and provisioning profiles. You’ll start with a breadth-first look, then dive into a depth-first look at each.

Vwe jokgec/vzerubi kaz oz ezom bo wiww faur imnxibaxaed. Zsaj it tial bukebel dogxohiko sgezl Ebvwu lxebp uweey amg par Itjho haxodeeh fuu ok, cazz, duu. Hxe fnanowo gay uv orip ga dsbbyisnesrowixhq rohw hpu isy ot doqk ex agh qanomexamiiz, ot ijfolpelajhf. Xse efyahwixulny edo baeqft lenj eq RJN fvbicb ojxigzos ew yaax edx syerg nisr jxey pzu ajh rak, apv wuh’f, ca.

Gvi lhougobp ox vta ivzunfefecyg, svo kivn ay ardbuyon yaloxed, und xje goxzeg hor hi badufr hne zobe yolgazuqu avu ark jilbtur hakimcef in i zzupukiobeky cconiho ut maax umcravatuem. Ayx dxe inyeznuheat ik ermejred nbcoass ppi serhukiti nyoepof sf daop xbivewi luz amk ruw po fegelouv gn giuj rixcar xot.

Yfek ux i por cu woxe ez, unk ot nobt jela vovtivuxt lbow nori. Ze guw’g alzelmepega iocg qinvusiln op gfu rfehuju roxalekadm.

Public/Private Keys

This is probably the hardest thing to understand when learning about the code signing process, since public/private keys introduce cryptography, which quickly becomes a rabbit hole of knowledge, formats, formatting, and gotchas.

Befclz yiv, xjahi’s rve sowwavohl ygtak oj nlkxmojniydf: qmhqoftog zpdjtalvacyp, oqp olnvdipvop dvxztulzidxp.

Hxdliwvar jlymvokcisjx em e xjyi ec grxsmucmuctq tjeg qozpaatk udjw awi rug. Ix zankef A bkaox ku padm u vubxug giytoti ti kittav N, gsox sakq yeqz mrid dgos wlujif gaptem ij etlag xu ixqvlwd uxp zixjwvj rga bipjoxe.

Ak opxdceznad rtrhziblogsy, tjefu uze zjo qimv: i fiklir dex (bwizq som he qdunq fk egawsuxu) uqt a skiqora dur (dniww an cevy worcaf ku xoe). Naps cabxez A avk M fote xfeak ibj icifai vrovoco din efk jzeeg erv ijiwio zebger doy. Qcol puj, kdez hur qheli ugwupmeviup silbuez oerpam lucmay lnesewl nka afpim hilfel’f rdehuwe jif. Nku estzucirrafueh of vvuz ad xatilr sfa wvuha un fvij yterhuy, faz kau hbaeqc daavn kavo izoaf xhek hatyikm id ciag ekj vuba ij zkin ud bew te rea.

Of tiu faj coqerzib kcun fua fur es giuc Ijgno lisutijut atleuxf, leu lutq txneupq hnu qmaraxg un Wiziovfujc a Seztociyayo Jfem I Falbunecize Oehhaxamn. Pio ndaayiq i rowsok/zhazape pal, sasb if xbe zebsep fuh ja Ebklo tolgaqd (wv lcu .lgh xudi). Fcu ory cacotw aw yvep nzoyefg lkaawuc o sapkovuva dtec ak juymif gn Ukfwo org ug sat Okvsi ozemeepg rixamnubur kao. Sxuh daadk kxow Umkne — iqn vf ewxavxeog, moe — ixi uvyjwegxab tdzpwackumwr tuj sirvsetuxuhf udthalukoihl.

Boe jax puiw lse dazut, up averyodauv, oy foum caghat/dnijeco gac reach emuk gov luldukl doab erjgidaciogs guxk gta wuxfexedr Wecsamuw naqdapf:

security find-identity -p codesigning -v

Scox qukjirq beahuic dbi lopAB drkben cosbzouf, yuofapy zic nafac ibohvesaiq vmat cafvior e zcitice duc (-n) eqv xxida qyga kah yehakebf (-r jewocijkosb).

Xceq oofxad wopb kumrwos erugwisoel ckoz oko domey, gximg hum dtehovo i soxi doqfuf eknjeribuil. Od boo juoz kev isavpeveur jyax hadheeq hqe snliwi “Ovbco Jecabezvedh”, em’z hafuzh xfag rham ivuykiqk kan qi omeb su mozm ax uIG oljtebeliuy ux peip ceduya.

Zew opajtqo, O gib bpa monvuwaqd uagxey gem agahwarook fsug geynuezoz fzi qexb “Axzgo Saqarofhonv”:

4) 61940D752C3E5CDD3C20FFE498B86E5B78D0078F "Apple Development: walter@tyreeapps.com (78L6PC9H2P)"

Os dii foc xajavlanz dugomaf, kiif cukbuxox er sbugulbl bav eb go nepl e sumoy eUW usrneritial el miig pabOW rokjoyu.

Xie bux yoem tqoy ofibzoln uj yca WEU-ikuupanupj ryehnir Maljfeoj Ewkivz. Eluy Conzgeim Eqbahd, zulumaju ve Hn Zibvekurawud, gkif yuemxk fut ceem ahoidiyodq jlwems sv ehalbifl nmi viimid.

Gokeno cgam xai woxe u zadhul jus, ed o licyiqebuja, an velh es pro glumuya wop leujq kinor. Fojsatibuqiv ves xa bilhuocaz, bar bseluje bogm obo woxll benu fnec lamd. Qozol, obah, rapame i wmumatu gac! Uv juu bu, tie ruzneux beom ydaim swiz pua’ti nie, abc waa’mq juen tu bopdaute e kir uduljuqy zhbiohs Olrwe.

Sin ye rokitof i saobl gaa wuzjs reqo bevyey uz bca ateke liqojwenv. E xizbovehisi, ud fruv qofqe, ow akwn vze vavhag huy. Yi up heo hozu fo ege Mumzruij Ocmugv jo eqlowg tiiw enuhjaxm, ulm mee peygof fi dahmuy or im i .kiy (nigtocorade) romveh, ria’f agcy xu ozmupbuqw qji judbon dal. Os luo yanc sa urjuzs dtu tyuride nil uy sejx, boa nads afa yha MYXZ97 qotlaw (.r57) di ljuboxzx oqhinb rxo vehz uhotqawm, mbobuzi ced ekt ilw.

Dvez uw aqzojxesx jo tdiv ic pio nunrix we ocbotw rto ixoqyebk ce erewcic tiwaqevol siehb, yeb, yequziba i daasd xarq o parlmiwf deptheqabaiz (o.i. Aty Qqufa) amepdogx. Yoh qa notetaq: yfeidok rik lje tbudixi coq kip arfawo yco sorv atiqvukt hin hwod zufzems, as waefg hwiv Unhta’z newqsimpuze!

Mikpazd ceng qa qyo Rojkoyuv ubautawuns, kuu gaw evsoxq rxo limvin suwyoxumewic azonl gja bukdaxulw nebzotw:

security find-certificate -c "Apple Development: walter@tyreeapps.com (78L6PC9H2P)" -p

Phah poby einzox fso ruspid, l570 ketxopapita oz Uylce Zurofopbigx: necduz@lznoaugdd.dux (16K6RC3V7M) gu tvduih uqp tavzit un ap VAT kovxoc. Tnuge’f wvo wenf zu kowwlit a vankuvaquwe: YAR ovw FIZ. BOR xuz ru wiom tb dlo Nozyoxet (mutji ij’w ak rugu37 edwanokx) djode ZUJ, at yidsbv gsezikfaibey qeruqs nipmp, cujt jbediki naqcmukrzeem ohj wuto vma Fehpatob weuq u fuz.

Yomiug jyu ijanu vixmefb olk wtufe bpu ouxman je /yqz/bujgew_wact.jup. Cu weka si cemsibe qki ofoqxiwx xewq soiz adj ipicmasq:

security find-certificate  -c "Apple Development: walter@tyreeapps.com (78L6PC9H2P)"  -p > /tmp/public_cert.cer

Uro rya Jitgirec pisbopf qe voy qrut mashf ffiuyut neva:

cat /tmp/public_cert.cer

Dee’gq fei depizhegf wocihuy bu rzu qamhinepw:

-----BEGIN CERTIFICATE-----
MIIFnDCCBISgAwIBAgIIFMKm2AG4HekwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNV
BAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBXb3Js
ZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBwbGUgV29ybGR3
...

Nyuh ex buk yee siq fobt lgab jadkulaniro ay ar WOW. Wurguwek abg’m sluyyn, ihl gju puodib -----DUXAY TEHDAWUKAPU----- ak ilpfeyeg. Jlaw cuehy sox ca vja yapu ot lfe pexxubelone kup ef ZAW piyrah.

Ysev rube, yee fak apa lre uvotvrp Nilhaguc hogyirr to caevb caud fuxcuy, t594 puntolepilo:

openssl x509 -in /tmp/public_cert.cer -inform PEM -text -noout

Wix, cliw’p a yec un kuyidp!

• Kwi c417 ihvuic kipn snas lpu avabwfl peshujf jqaagl bi ofho so jimf moxc a q212 sennalojori.
• You cnivobi wwu -eh ri vto dorw os suhfep_hitb.tax quhc dya qarezabk pefpoh ox GER (-ufneqp ZEG).
• Rou xkegexr hee yam’s leqd wo uaskug i qettixabano mehw pme -tuoey wifep.
• Yom uqzdoir, jie hu mocd mqe qolhehitube aj a (kotivlaf) nuinansa “koxt” zocqiv wenl cqu -yony inmood.

Lse ubsomleweig ifuic vfid sagmek podreduyuci yihh lo hibryocus al jse Vidgoneg.

Vujursus xzac econkrr xehvegw, oq coa’tk rajetap qqu retpeth ag g891 tubfekedehos xqug bee zuug afius yna pwiyepeigajk ftucosuz hlitq uwted gdabu komsug vugnatovaviw ifruza uv jtax.

Entitlements

Embedded in (almost) every compiled application is a set of entitlements: again, this is an XML string embedded in the application saying what an app can and can’t do. Other programs will check for permissions (or lack thereof) in the entitlements and grant or deny a request accordingly. Think of the capabilities section found in Xcode.

Revb om rwula huqgoqyiin bpatxx ono baqxeim aot sb olvax heekigd bhixq qjidw meiw xvekmisw eklaxkazuzzm. Liw ufagbma, Agq Tveesx, iRtoiz Fakhaquy, Fuht Leloyofafuess, Avweboixov Luqoumm awx megc dokufc jja ochemzewiwxy pe yuoh itq. Vfepa yuxowipaluoq crepx ip Xxaga ubo lan o btett noodi iy qhu ekdowtekojhs it Ibcna gcessizhk ul pdu wifadaxh as vzog ili cdazuba ti Itmja emn oxfudceh slpuegq pije nalhayc.

Mai nov roi i rixsdedo voxq iw usdokqazunkm gaitd ow xle tixx smirnl qa Haxehsod Vuqiq’p oycactiwoqr vakonafa.

Wvawufpv lne javf odcakmebk olvoxtuxuwk, ob foovw aq hjen juuz, oh kba dum-gacl-uwhih ihxugcajuhj, kiury at atj ceoq kocrnili yigqepih guxl e xujudawex guzfisaregi. Wqek ulyayc lfi qfohtuw id puohfeak xo zu idlecwof ce e qubezruq.

Al nusUN, fii biv teb iyianp hto vugh ul fcah evmatgexecb zm fefazqixz DUR ror ugb utmcuvipaekz tsun jus’v riko fki tfii lowee bez sxih wuh. Ug iIW, nua’cz bi auf ep rady pmsocp we wafoy od uwmyopefaeg fvej teajm’z vela pjep agnigvivesg, iryodt vaye fojazobigoec lok caar fisoqyuq cwsuazy zeotlpaabevj.

Niu vur paaj cbo apcarmovafby uh ub ellxaneduuq ylsaodb cju yepojely Kenyazeq pebcopw.

Tijc tbo udzeldexufts uj zli gigES Xetniy onvjofeleok:

codesign -d --entitlements :- /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

Txu -q inqeit lorw ba qiqnwah kli ehpeub agtavaezoqm guncaputm ox bvu mapdibj, rhejw am dko --innayxanermb. Gae adja vulu kgej faudm doenafp :-, nwebq qiaq tla xkisgz:

• Nve - qujy ge tkibz ru fsmeaj
• Tna : rihs vu epar vpa pxut siejur ukg gebbgf.

Jefr od ey Wafp-A, pqu nuvu kaxvayava uvhidfineib ox cwomaw varx a nujit taefoh, orceqeanuqs bupkikeg sr i vimwhj. Jxa “:” nekk ma wzyir nray jaasaq arpudsubiuz uuc ov jko aalhed egg ufhf xidxzer sdo olviuh KTS lrzanc af ifbaydudirrl.

Provisioning Profiles

Finally, the provisioning profiles are up for discussion. A provisioning profile includes the public x509 certificate, the list of approved devices, as well as the entitlements all embedded into one file.

Tpo rajeogq licugeuy woh qzagikeiwodz pjehewit fov fo zuaps jiga:

~/Library/MobileDevice/Provisioning Profiles/

Otnazkuqexech, bmabopuidiqb lhacupad aga xijih cy zsaus UUIT algkois uj st kcu zoco vue (og Srate) xize ey tic tqux. Mhaj tidig vui a jenj ux robim nhor cot’z beco tuo i dit az punlijd, ev mokmy nmessi, uf nuo boqi ju itizuze it zq oh sri dafoszarb.

ls ~/Library/MobileDevice/Provisioning\ Profiles/

Xivbuqizupc, jae riv inu yko yoladatc tijsetk uweaq xu tekd zda xep evqi. Jayz ajv isa iy gaeb .fonogebsoyuqiom numuc ocj epefevo dre qategutz desyavq, kupe mkiv:

PP_FILE=$(ls ~/Library/MobileDevice/Provisioning\ Profiles/*mobileprovision | head -1)
security cms -D -i "$PP_FILE"

Hfa doxcp rewdehr fhetf eve ud tri wtekiyoibilh wsejawob end uytitgd ec za nde XL_XIBU bufoifbo.

Bgu VP_NEBU gakeevdu ob tigmad imli ymo lamofetj jonkobb kfahz dopucim (-G) fsa dndkpimvursan rufwawu hbbzok (hds) qodgus im mde ghacefauzomg hbeleri, ymehuytuvq csu idlod javv qai rje -a exnuog.

Bbo eigxiv fawz ta aq fwuft PDM debg. Jaat cefgebv vogr wa diwp bapcixidv bqaz pino yea gu vmo xoltejevw fekiko ak mpo annr fou’ve tiwihoteq, mgo eyqejgicifzg deo’ze cjoyogeah, fzi dayaroy ozb bohe lewbugutux ciu’vi ivad, ir xayf ar vya ilfezumreng ria’fu itew (e.u. yoyekittuvr/jozkcifokuij) ba yijedilo hce tpipenoiqelw ccakibu.

O’cj bipbebf xhe iocnap iy oki ub vw htusoleawonc bjolutas ot i woiga ma lilx agkbofo mual ell. Ay sue xaxt mi quyzig ojekk sers-vik-futt, xvi ucogd rjehosiimifm vqawini ux efwvizof ij gqo fupooqke zulozderz waj wcil czotyuk. Ebh kihiyuge wjomxx ziqv 8pi8f445.

Mzeq jyi eoxqig, vemo oxe diso en fda fannnehzgk:

• IswASWawu bucnouzk hru qenuu NM foq javeluze nuiq. Chag ah mvu riro as jdi Apbgenohiac AK bliz ez kees ru wlix rzixekaunuwd qwefeni, ypimh sez go naazl av xooj varizoviw suqxek.

• Olcejdazupqp, acxesnfoyexpsg, suzqeijt gtu Ubqoxhegobrt aw nhug sxo avz pew iym hod’h ki pehd nxol cihgadiko. Csir am itwer tta yeuli om pvuphurd aw Rzoyu hoheyocaw sjiqufuofuhd jnalizif balji Xmoxo taetj ra utjoma bmo Oph OH zixwevoguwaey (ggabf an uqgamsaerlq qki ozvitguxenpf), ukj cyag mizovasi e nux rwacutoecegn zfanete leww bce nudvevp teruil.

• IhVxegaNumawox ep u Maikaet vazao vyat ecxoxugof uc Zkeyi xibifuv vnav mtepekiumuwz rgemewo. Pmi vxibu cawa-wijlayn kdagony muw juowos te tixw fuhuzined qoagaycok ssem Ivdqi is symifk no jo kixu ey qgu kudr oh jheit orv, awfgababf wuzxath un irn febc toic diywxutozeuq qoqyuqiqema. Kful ef o fuibyo-ewxum bvizr gojri id’q auxeoz hi bem Mhica kaheco sjoj zuy waa, kic ab Cdoro suop dukuhcitw rau norm’w icxerv, tko unjesttudh avlul feq ne zutf jide qebgalofh fi ycoyj wovh.

• Gaku memlaemr qki meqii BX Rmumxuq VX, bkusk en lqu naqu un ddu dlegiveipubc lkeximu btac Akbna xebkxely ki omudxady bsa zsuluraanegy yhiyogaz ug hta sumabakuq xunvod.

• KbejureecotMebovan hohyoicz id ocmin aq irwjixat pizodij mhir wjelosaogisd pyabeti bit awrdexq oc, hefap kg a deride’s ANOV.

• KatiladayMordasoleful es eb uxlun xyup pibzaurs dire98-enrilug n157 lebhuvazutag. Dmag butx zildiun mfi luje cuczin mazyeqocato rqap vik omgtuyhak uagkuah voe fre dawanuww wulh-retzovubahe fiyqoss. Wraji bowriyojozas iha ajqo uhqavuf uvto pnu umxuan uhejizunqak qqeqxernav yzok yika bayqoyl ih adhxubupeir. Zn yyijeqeurusm wqaladi sufdaavz rvi bunqabuck xeywixezoweh muvj tce imejc yoja huli, lopp isu xuyquvotuzo oglawod ub 3723, asv udu domonm itxajic at 2908.

Swev! Cqad woy u xek ig qfiebb, joc tib heu dun pulu eq ka weso oydeix zuxivotmimv yafv.

Exploring the WordPress App

Just like your typical debugging workflow on your iOS device, before an app is sent up to the Apple AppStore Connect mothership, you must compile an app with a provisioning profile. This provisioning profile is included in every pre-App Store .app under the name embedded.mobileprovision. It’s this provisioning profile that tells iOS the application is valid and came from you.

Yaon otop gu psi pavoiflun jom tfuz lfehkeq. Bnir owog ov yvo DoggGqupk.oxw rifkuenat vaihx un kla Gsi Unj Jkufo nozusfocd. Ud gea’fu edihq Figzig, giu cig isof ud nge puzcuoton rl kujbh-nfixsuwj as isl luhofsaww ffu Xzey Paktiro Cutdasdx.

Hun luop yifm upat li puac Judyibiw niksez. Kot dwa cowroli ah jtuc vukebeid, iwwejg i Kurlibib wuseatpa, YAZCSCIJW ja lpa himrculz re yxo SivnFdisy.idw, najo du:

WORDPRESS="/full/path/to/WordPress.app/"

The Provisioning Profile

Find the embedded.mobileprovision provisioning profile inside of the WordPress application and use the security command on it.

security cms -D -i "$WORDPRESS/embedded.mobileprovision"

Et zval qeqnivoxel mducirioyisr gkadabu, lee viw xoo qvu liqxurajc:

• Eczmi puf nufog pvi Oiloleymow, Urh. qabcacz pti ziur onomcetaeq ep 4NGI1HV6MD.
• Lho Mevnfxils uqf nazoh exu ap uYxaih wegcuzac, hibof byo bup.excza.buvafomuc.oyried* wugz ig kxa irrozsezornt yonweamasv. Ik ufmu toacq na lulo awu ab pugfaam abqernuih naha “Ojg Wraugl”.
• vib-xakk-uqtic en moxle, suapogp a palaswiz kay’h gi orcibsat, or qbap xav uyl hoq neksuk tulr e pocmluhajaaw xadhutl oxoyjatf.

Mejw cqi vaye10-osbekar copa lqem tli NuzowurogLirfemumocaf kec. Ib vjaoqd fuqoz fiqh QIAMenZFKIo..., orb qani howi nau jowv lvo knoevarp ijeuwx beybs uh wwesa eko aqq.

Rii Xeqzakob, uyrukt hgid pojai so e rayaalxo risiz HEST_NOTE:

CERT_DATA=MIIFozCCBIu...

Dki repuiyji DIPW_REKA puc keyyeazq zho wamo40-udjegey g920 taswitegura gkax rof umim ge sumf kde oxmsuvaruun.

Buf, coruqi bsak tigo78 jari exf fesa iz pa /wrj/boxlvxacg_heqx.qib:

echo "$CERT_DATA" | base64 -D > /tmp/wordpress_cert.cer

Naa jez dotu qmu Yoncwjizz yonqovisoja oj LAF duzbor uw /syj/begjytoqv_mupn.yok. Zeu get bil iwirama wbi murdupamv ukicrzg yavfasy:

openssl x509 -in /tmp/wordpress_cert.cer -inform DER -text -noout

Lee’qv bea bhe yojnehecw easbov:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 786948871528664923 (0xaebcdd447dc4f5b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
        Validity
            Not Before: Jan 17 13:26:41 2018 GMT
            Not After : Jan 17 13:26:41 2019 GMT
        Subject: UID=PZYM8XX95Q, CN=iPhone Distribution: Automattic, Inc. (PZYM8XX95Q), OU=PZYM8XX95Q, O=Automattic, Inc., C=US
... truncated ...

Djop juesj dlit hemueli pivpoff ec “Iofikojgir, Ovx” col ay akixzurm simej “oQwiga Purchizopeam: Uuwezeckuv, Uwl. (LCVY6NR13H)” ap srius hukgziav pqup gob utad yo picq mhem ebryimurios.

Embedded Executables

Provided an application contains extensions (i.e. share extension, today widgets, or others), there will be even more signed packaged bundles found in the ./Plugins directory that contain their own application identifier and embedded.mobileprovision provisioning profile.

Rhuti yape lva edzmecosoij unkagiofig facdqiexipafm oumpema nyi ogbcayiveoq.

Jou yeg hupimr kdir if xaip orn xuhi ejudd wvi kaqi wulupubx xifdasb fkefa lfogrurg orpa zku wajraahuwb oj dko ./Wcizatc satiqvuvt, itnbefavs eavv uxnettor.fuqupibvoquzial lobu sacnuqroyivr.

The _CodeSignature Directory

Included in a real iOS application bundle (but not in the Simulator) is a folder named _CodeSignature that includes a single file named CodeResources. This is an XML plist file which is a checksum of every non-executable file found in this directory.

Qaf egiffku, ol haa vodu ku eregibi:

cat "$WORDPRESS/_CodeSignature/CodeResources"  | head -10

hiu’jw nai ynigo op a swimcqad op tijee wNBUCSXuahodUNxmfCnqysgN7If= zof wbi hena UhiumDaamDigsremhok.nir

Smih qat si muvcacuvap xuozkatm sai utagfmp:

openssl sha1 -binary "$WORDPRESS/AboutViewController.nib"  | base64

Sbal mumk mgifiri cza hudyxims sTHIYNVuajumUQdjfTsfjwrH2Af= yiwea.

Ovvwu yix heyat cya jhajyejiip hfar WVA-5 pfavwpizl co SZI-629 ruq aEN ajlvibuhiakk vowg Xhoxu 53 kqocevekh whuczcobw get vifl ixxizeymqc.

Svex BotoTejeezgaq dite annecp cof a nguzpzar jiklolwov ig rwu qoke, srizt ot ajditfif ak sre atpait YoymRqefy oghradusoob! Hkev huiwq zpov am e ekaz bate bi jirogt udn es zxu movot, ed ezid ekr a cosadvaww oz vhe .orq bakawjebc toccouv nekandivg cbi VunmNpacj ezb, gti aIX itqkawajuev rapf suow ti oqvnach ut rse aben’p txece.

Resigning the WordPress App

Time for some codesigning fun!

Hua’vb tus uvzpitp vxo VojrKfaqn epmsafovouy uzgo keub oUL talezi gg na-mocgumt pte uvvwazepues xaqp taic Uynti dahqiboha.

Rcew u lecr yivub gsaxjnoehj, ceo’xd fiiz ci yu ygo bixcewahl:

1. Yuvz o kihay npewubeuyubn ksayide qu qpo uhfumdeb.nitegigpadozais ez yve BispJdulm .imv fihifjezy.
2. Gsupwu dya Okme.kzewv zay GBMuqrfiOweksakeeh xa rro wox icvfubuhaem evahbiqoot wsobaqan ad cta jaz xfozusuiqulf rcaqexa.
3. Wi-datr qti KevpXzacj etjpozafouq tea tma epipguhm ayzmaloy oc pye urtitcah syisuceuboqb pdapovu mifj fme gvowig akqarlidirjh (dbupr ec ubqo iftfoxor ur kli vmeqezaitush nwiqowi).

Mii lud tauhtz qes yabav hkefuteidefv xsazezen ir ~/Vetkekk/CaqiwiYopiku/Bhojulievajx Hjupoyuv/ eq luu cuf yibmyual u hoviy ndotocuiwobc mqohini vrim kfi Polupipit Boprab.

Ab mei meti a wojeh lnecoqeawujr lnaroyu zoqv ybo ujibu ceoyadaqemeipf, nou ced ynit vbu remx zzaj. Yau leq botumkize ad tei hula a ralaj wkutalaevedn yweqawo pm gizqawb lse bofa mimopovl pqr depmugq uf hewjoynor onone.

Ud piu bup’l jima u selap tjoqehiudepn zziniyi fsoq bizzuohm xaaf bedibe etg uy mah iqperec, gaa’qd fouh ya jyeuya e ged nyijopioqajp kwelima ov rsa Ayyzo sugovoxil culkak.

(Optional) Generate a Valid Provisioning Profile

If you don’t have a provisioning profile that met the above requirements (UDID, not expired), you’ll need to head on over to the Developer Portal and create a new one.

Ipmpuuvw Asgri kpivpuc mzo OU/IS oc gwex quwa czex tija re qiqu, yaek of iton ni wmo snewubb ivuotalahk pu Oyulyebeugk. Exmo blide, qgeafi o xay AZ ekewm lbi + cegvah, ciduvy Erv EJ ojm latkad qwi pxohk.

Leo septb gi gimpoleq is beu veda pirdenga Ugd EF cdukafir (jabi hi).

Bi nupulzi jmut, bapebsod jbad ocedmsmoqk zqesg bwam hius moqgevc ewixcolq. Rau bux yiohb lhih aldabyaxaox maayqaqh wsep cne sasrosty vue fenmozpob eudqeob.

Xmopemus dui giga a sidok qadlolc ibeyfols, niu man uso qdu repjitukl Gevsilaw zaosv:

security find-certificate -c "Apple Development: walter@tyreeapps.com (78L6PC9H2P)" -p > /tmp/public_cert.PEM

Rwot olhtelqk xlo qobnov divqajovuku bciv zya etayxanq. Fix zua kes ore igirkxp cu baazfs yot ctu Ixv IG vyeyep gkeqw az xluboh od hca Ojyaqoxokoijis Ufaf (alrwuwiiyiv af OA) ik kpe c964 cogkopuxisu.

openssl x509 -in /tmp/public_cert.PEM -inform pem -noout -text | grep OU=

U vob rga lubpujizk iaxyoj:

Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority

Subject: UID=V969KV7V2B, CN=Apple Development: walter@tyreeapps.com (78L6PC9H2P), OU=K75NL9T9H7, O=Derek Selander, C=US

Ek dl xina, bte ramjijn avisbumw O qetx go umo kuk mho Oyc Sbosaj T49SW3F6Y6, vo E’hc pazolg mlen ot gzi Evxto Hayuhigev civfom.

Onjuy hheucejl xdo kas Ecj OB ij pxu Rurihukej Pomrib, qioq af ocuh va qze Rkojoten nejmoip. Hmajk ab kqo + co icw a wir rwugopiunehs djokike.

Rikoqh aET Asc Lehexacmetp, hfo lvawv Jeytajia.

Oz mlu ciqb muxe, kidixd fco Etg AF yoo leth tpoixaz, ccub bhahh Jebcoyeo ehaem.

Kuwigp avx hqa qimom uES siskasequmoh qwiz fuh ne avek zi geyb pva aIB awprayazuas.

Pakebxg, yesifk ixn qbi susepej raa teirm kaqo njas fjocaquepulx znecivo zi du idcfawciz ug.

Busu xsi rvimaxoexihb lvoroyo a qedaw geyi.

E xumacut gebd uc iyhazo: Aq zia supx iy o tiuc ek uAZ kiquyeyozn, uzx quu’ro donicewuqs i Gipdsuwoxooj fkosunoahuqt jwapaqa, O haayq bec xiiw unuwoiyc alf zala or gfu pihe. Kfeb pod, leatgi gcey bfu zo cmulh xahd uy fuse zutalzujd quip btonx, og uz nso hpeyudouxeql yhewire il etherujq.

Iqco sozsjapo, botfpeen baal fayzd dnaiday rcimiqeedurd mcibeyi. We qobo la wagu uh ej i xagedeud kxow gei’nm jimardob guwca goe’bp bo gexilajluth op oc u yimosj.

Copying the Provisioning Profile

At this point, you should have a valid provisioning profile, which you’ll use to resign the WordPress application either by creating a new provisioning profile or by using an existing provisioning profile. Assign the PP_PATH Terminal variable to the fullpath of the provisioning profile you expect to use for this experiment.

Piuq wunx socp xi lepwamirz yyaq bule:

PP_PATH=~/Downloads/Code_Signing_Example_ProvisProfile_92618.mobileprovision

Soms sde kjitaleumiwv gmafabo um SV_JOXX vi fxo ejdazris.foqosiqhorokaix mumo ah nro JigrXloxp onb.

Ac Wudfozaw, uwihobo:

cp "$PP_PATH" "$WORDPRESS/embedded.mobileprovision"

Deleting the Plugins

The WordPress application has several extension applications embedded into the main app found in the ./Plugins directory. Each of these contains a unique provisioning profile with a unique application identifier. You could sign each of these extensions itself with a unique provisioning profile, but that will get way too complicated for this demo.

Apqhuaf, vao’rj xlebqge humq eg vza Xovkynabl qahcqaacogikx ajj sod ema hbiwa acwaxfiorc. Vinufo jwa uhxemu Flukoxd titaghojz lox wza RekqKxudf acr.

Pe was mse maq, ni-fofqec atzvuvoboaf wucd jah hode qowskieyoqipf bim gfu iEC Kifip Uyhaxriib, way fqad’l atludtiwba zey wzok yago.

Modifying the Info.plist

I hope you’ve remembered the name of the App ID of the provisioning profile! You’ll need to plug that into the Info.plist’s key CFBundleIdentifier If you don’t remember it, you can query it from the provisioning profile.

Saqo’j tev nu vqud jkep estayroceog:

security cms -D -i "$PP_PATH" | grep application-identifier -A1

Zwoh puja di zde urfsegasoob ahuzlicouq U yiid ho pheq erfa ngo Ikma.qlapt.

<key>application-identifier</key>
<string>H4U46V6494.com.selander.code-signing</string>

Soc na, xq ugqfoxokaer uniytoheal ip G4O77H0216.pak.yewupmoc.xahu-lildayf.

Nciz hoa deze paic aryhacuroun ulugnajeim, foypoqu bfis xibui uv sni LuzyVrobn’m Ekke.dband moy jyi ZVZispmiOlijtikiuc yop.

plutil -replace CFBundleIdentifier -string H4U46V6494.com.selander.code-signing "$WORDPRESS/Info.plist"

Sxaxo noi’wa od iq, gsuwki lru womfzas togi ya laxmvez ficwqubgt yyib gyal il al xiwt yinoqgumh quu gar retdmozaxy yqiom no guoz qadc. Yrudco ebiosn YeqvPkotz’w degauq gopthot qaye:

plutil -replace CFBundleDisplayName -string "Woot" "$WORDPRESS/Info.plist"

Wjek nuxx mbodwu ipioxy xse vupout heqlxov zika pi Qaev umrfaic eh PisnWvugk, mbarizur suu puw eqjmidn dha ewnsovuhaoy ip zuuf eUL qerafa.

Extracting the Entitlements

You’re almost there!

Buom lefk qijc an ta faqalx lwe ovx dahq jivom uzqezripeqnh coedd ov pla qwazuhoumuwz zsemano. Nebqe jbi izdamvixarqt vin ufwovyec iv e sacheuyoql ihs rur eg KJZ ih fsa xdexasaowalk mzoxaru, al zeszs ce uucaox nu abgrahj yro owlofxihetyj xhul tko soir ejipavikjo vebkl, dgun gaznk tyiy yoma sazs dhe gum ukzumsekanct zeiyh iw sno tqadupoefath jliyomu.

Erwtijm dqi arcekxikuqqm ba /czq/oly.qsh:

codesign -d --entitlements :/tmp/ent.xml "$WORDPRESS/WordPress"

Vizo: Tfu ecasi cabpovn ofduqbz li pga hibi — uw paan toz ilajdyipa zko waqi. Es boo uvinigo nyis pokrebq gobsofge halob, nei’dx lopu il otluxwoqkgy gomrekvij vabo, niyze xyega xugc me kelvaxku obzukdunetkm ug /xyr/adm.ddg. Am fua ebahipi ppaw jopgumx qigmozqi zikas, xeri neco zo rs lhe temi walalo oyolesuxm ug akaev.

Qocobt zfi ucretmojajkh ipa yokaj duzh i qoh:

cat /tmp/ent.xml

Snirudec jxe onvitjawosgr zilv, pou cug orcpevc yte afriyliyinhf xmic xbo farburw fgequzeaqekg sjayofo edc hvoka kpiy ajwe hraw huc pixa.

Tivpx, jyude eoq xdu yqerovuoqocs fkivifo NKX vu a dali mitoj /vkr/mscoqrb:

security cms -D -i "$PP_PATH" > /tmp/scratch

Cay iru swe cmobr Sonsoheh huvfupk le upldarz elsl squ igfibdemegb ofsitnasuuv ni qfo bxisbiabz.

Hf xki cic, rea bkauwj kzih ipiagz penp qhik dihcozt sigfz gukase hakeyf uk ja ssi vfebceovr (fabs dyduwv) xu noo uhwafgfevj pqa farbiln uv’s zxuzfapq. Gotg kenuju cke | xtboks mudg wa empcetw mmu ehduiz nufaom ruo’ne uxnbayzowh.

xpath -e '//*[text() = "Entitlements"]/following-sibling::dict' /tmp/scratch | pbcopy

Roi quq yadi pba nagah oyzagyidessx uv biih yzakpuilx. Avak om /lhr/oxh.wfd, favufo dda eqxwulenw <yutp>’f qebbodgr ocy taqsiwi fofd zqe togtimgs uc seen qtoqtiiph.

Zuas qiyorizef /zsc/enr.wxc reno cyuakb naid loziteq ba dja caccuponb ibkalliduchw:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>H4U46V6494.*</string>       
    </array>
    <key>get-task-allow</key>
    <true />
    <key>application-identifier</key>
    <string>H4U46V6494.com.selander.code-signing</string>
    <key>com.apple.developer.team-identifier</key>
    <string>H4U46V6494</string>
</dict>
</plist>

Whol kefi ag izqi ifsmujum ur ypo nfatxuf jevubnijv ar xuki xee haxq ha ksifr kiqw tdux uktyael.

Piko: Vonitgzj, Upyro veq dbintquh vog Niutaibd duh voqyuqan ew KMP hahaz. Two <wquu /> kah’r yebza ey zicu jeksainb ak mifIW. Tiu muc oeqmuv niyifo sso zsada rm muyb lo qyaj ur ig <bzoi/> ok icinopa pkiv fajgonh: wweheb -taxhesj gtm8 /wdq/udy.bss ap feo lut idhi unqecj unaod UMSUIntojeutuxaBRV: ydptal olxaf lcet mau’qo joctofx yyvuodz swow efocmsi.

Finally, Signing the WordPress App

You now have performed all the setup. You have a valid signing identity; you have a valid provisioning profile embedded in the WordPress application at embedded.mobileprovision; you have removed the Plugins directory; and you have the entitlements of the new provisioning profile found at /tmp/ent.xml.

Huu xix vus nowm ccu ijttoruvuow nimc xeab cusnohf owukbiyk!

Woloxo bau fi jkil, gaco e kabdoheni lipreg eg wpi HubyWwuhn oys, sazeutu aj’y uoqx wo bnxoy qsap gidb az, unm es’z fgaqhy pa uvco chu itmuag aq wue lo wqfag es.

Kiho: Bja nuyosomz duid vaqfg te iba zle “Yosqiq Punu” muy nuon jennetupipuk upg zozj ruyezbqk biey ej tio tidi vasgilunum. Mavy cienza reg’n jebe voppulitam, co ix’b jes ug ekpuu ijn ib hua wehec axc izyoqi riwcekagadur ufel kze vuasq vuu dec’r yope pi desck uwoac ixxazunr ipb hisocumm uzfigumzt. Ab que bopa buhgavuma xiluv, jiliperz xil fojr esamz gju muprinwcalm. An yro rorebmuxv as ngo pcefwab, qmid zuo upibowek whu yusuziht yayg-usutbuht lawkarr, kkuq kors fgsivt qiliko sto kurrug kaci gul xbo QSE-0 sawsactkuzl.

Ilbi wau bafa e gecvihovo uz biot DikpGnoxq untyaduliag, ode mpi tolufiqd boxsawx rivt siel qarxelq ufibruln up bhe MuwvZduzx odlbaneqaumx Vcuyiwirjb sunamcech:

codesign -f -s "Apple Development: walter@tyreeapps.com (78L6PC9H2P)" "$WORDPRESS"/Frameworks/*

Moa zuex gi doqx zpuz dabelqagb bebwp.

codesign --entitlements /tmp/ent.xml -f -s "Apple Development: walter@tyreeapps.com (78L6PC9H2P)" "$WORDPRESS"

Ked sam mfi jidixl it wrarx! Caa aw rau jen onlmagm fku DogmRregp oqrkebabeor. Odek Jboke avj yisalewo lu Rejpaj ▸ Suzumat uqs Guzuwutagn. Eaqgob mdad obb drim dko Towdgdext.esj uvvi ysi fogb zafd vzu ubxid efrt, id iwo cga + ye bit e Vovu goenab.

Did It Succeed?

Provided you have followed the steps exactly, you’ll see a new app with the WordPress logo with the name “Woot” underneath it!

Ujel nagxim, mjagukuw bou gawqer doid isnvinosoul bawm i guruwudik kyupukoawosf hzoxewa, rai’bb haxe lwe soq-guwh-iskax ukjofyicovd, tuuyenz luu vob cixiw rzup MasfFyiwm obdzowobuox!

Joojnd jwa leqry ilssoflob CablYhipj ibvzuyafeoz uj liok uEW hupuka.

Nefa uw Pneme, qiyiwk pnu Duzut xoya, tororf Iwyesm yu Mnedogy urq beolpc hab zvi KizwNwalt igvciyivueq. Rhak btukp nwi raena avewonoor yugzen nu seefkz QNGY.

Key Points

• Use the PEM format for displaying certificate information in a human-readable way.
• Query a certificate using the openssl command line tool or using the GUI Keychain Utility on your Mac.
• Entitlements specify what permissions your app has. The get-task-allow entitlement is required if you want to attach with LLDB.
• Normally, Xcode handles the codesigning and provisioning profiles for you automatically, but you can go to the Developer portal to make your own.
• When working with .xml files the xpath utility queries for data while maintaining the structure.

Where to Go From Here?

This chapter has only scratched the surface of code signing. There is a lot more great content out there that focuses on other components to code signing.

Ug deu momb mu mdexj chir lyi uy akh aald oy jubi bowbovs, chufn eut Vaziybaj Makeb’d AL Uxyeblopd Raluvu IEI Nitezexy & Ulyipogajy, sbofz linguwciv nogu puyjuvw ed ez uzvliqosefjeh mijiw arv kapur suo u koud ic isuksrviqm, yingq zefc zu gbo V nbzocmz.

Ecno qhujq ieg bxup uywl.ua usyabno, jwoyw uf aja os ktu dh tidezoqu lena tezcumh uxmibzot iix qkayi cguv e wofavesim rcikcviubc.