iOS Code Signing & Provisioning

Mar 15, 2021 6:30 AM

我做了三年多的 Apple App 开发,但是有一件事我一直都没搞清楚,那就是 App 的 Code Signing and Provisioning。什么是 Signing Identitie?为什么我作为开发者需要创建和关心类似 Provisioning Profiles 这种东西?如果你也说不清楚,并且不想看一大串的 Apple 文档,希望通过这篇文章在5分钟内向你介绍这整个过程。



  • Xcode
  • Member Center
  • Keychain
  • Signing Identity
  • Private & Public Key
  • Provisioning Profile
  • App ID

Xcode & Member Center

作为 iOS 开发者,对于 Xcode 应该是比较了解了,我们用 Xcode 开发和管理 App 的资源,并将其发布到 AppStore。好了,对于理解本文的问题,Xcode 知道这些就够了。当然,如果你还想查看其它关于 Xcode 的资料,可以点击这里: Xcode

Member Center 就是我们登录 Apple Developer Program 后进入的那个页面。在这个界面你可以创建 Provisioning ProfilesApp IDsCertificates 等等… Member Center 里的部分功能跟 Xcode 是相通的,比如你也可以在 Xcode 的设置里去创建  Signing Identities,以及下载和 refresh Provisioning Profiles

Signing Identity, Public & Private Key, Keychain Application

我们首先要搞清楚的就是什么是 Signing,也就是签名。对你的 App 进行签名可以让 iOS 知道是谁签名的这个 App,并且保证从你签名后这个 App 没有被修改过。签名中用到的就是 Signing Identity,他是由 Apple 给你创建的一对秘钥,由 Public Key (公钥)和 Private Key (私钥)组成。可以把公钥看成一种只锁机制,所以你需要使用私钥才能解开,从而修改数据。

那么,公钥和私钥有时从哪里来呢?以及如果申请到他们呢?这个过程发生在当你通过 Keychain Access Application 创建一个 Certificate Signing Request (CSR)的时候。

此时,Keychain Application 会创建一个私钥和一个 certSigningRequest 文件发给 Apple。Apple 验证后会办法证书,证书包含公钥,下载到系统中。


上图是在使用 iOS App Signer 时获取公钥前要求输入密码的截图,这个过程是全自动的。如果你是在 Xcode 或者是 Member Center 里操作,则会下载到证书文件,通过双击即可保存到钥匙串App里。它使用加密函数来生成一个独特的签名,也就是 Signing Identity。

The certificate will also be available through the Member Center, but it will only contain the public key, so keep that private key safe.

An intermediate certificate is also required to be in your keychain to ensure that your developer or distribution certificate is issued by another certificate authority. I know that sounds a little bit confusing, but this is how it works. It is installed automatically when setting Xcode up the first time, so basically you don't need to care about it that much because it is configured automatically.

Provisioning Profile & App ID

As we know, Apple likes to keep things secure, so it is not possible to install an App on any iOS Device out there using only the certificate. This is where Provisioning Profiles comes in. A Provisioning Profile must be installed on each device your application code should run on. Each Development Provisioning Profile will contain a set of iPhone Development Certificates, Unique Device Identifiers and an App ID. An App ID is a two-part string used to identify one or more apps from a single development team.

Devices specified in the Development Provisioning Profile can be used for testing only by those individuals whose Development Certificates are included in the profile. A single device can contain multiple provisioning profiles. The difference between Development and Distribution Profiles is that Distribution Profiles don’t specify any Device IDs. If you want to release an App which should be limited to a number of registered devices, you need to use an Ad-Hoc profile for that.


Here is the Chart I came up with. If you discover some things I missed or explained the wrong way, please let me know. As is said, this is the first time I really tried to wrap my head around the innards of Provisioning and Code Signing. I know that there is a lot more to talk about but I think this a good start for everything around this topic. I will try to keep this post up to date and fix everything wrong as fast as I can.

  1. Xcode will be installed and the Intermediate Certificate will be pushed into the Keychain
  2. Certificate Signing Request (CSR) will be created.
  3. Private Key will be generated along the CSR creation and stored in the Keychain
  4. CSR will be uploaded to the Member Center
  5. Apple will proof everything and issue the Certificate
  6. Certificate will be downloaded to your Computer
  7. The Certificate will be pushed into the Keychain and paired with the private key to form the Code Signing Identity
  8. The Provisioning Profile will be created using a Certificate, App ID and Device Identifiers and downloaded by Xcode
  9. Xcode will sign the App and push Provisioning Profiles onto the Device
  10. iOS will proof if everything is correctly configured.That means that the Provisioning Profile should include the Certificate you used to sign the App, your Device UDID and the correct App ID.
  11. Your App should be running now!