20. Code Signing

Written by Derek Selander

Ah, code signing: an iOS developer’s nemesis. Code signing is hardly at the top of every iOS developer’s agenda, but a strong knowledge of how code signing works can be extremely useful for solving problems, as well as establishing yourself as a lichpin in your development team. There’s nothing more “ask-for-a-raise-worthy” than a developer who can re-sign an outdated Swift 2.2 iOS app, instead of having to fix the potentially thousands of Swift compiler errors when time is against you.

This chapter will give you a basic overview of how code signing works by having you pick apart the open-source iOS Wordpress v10.9 application found here:

• https://github.com/wordpress-mobile/WordPress-iOS/releases/tag/10.9

You’ll explore the stages of the app’s code signature before being sent to the iTunes Connect Store. In addition, you’ll re-sign the Wordpress app so it can run on your very own iOS device!

Setting up

In order to complete everything in this chapter, you’ll need a number of items. First, you’ll need a proper iOS Apple Developer account to generate Provisioning Profiles. You’ll also need a physical iOS device to install the Wordpress iOS application.

You’ll also need to grab and install my mobdevim command, available here:

• https://github.com/DerekSelander/mobdevim

This small command line tool does a number of things, including installing applications onto the device, querying device information and grabbing console logs when connected to an iOS device. Using this tool makes it significantly easier to install an iOS app on your device and hunt for errors if the app has been incorrectly signed. You can install iOS apps in Xcode through the Devices and Simulators window, but the Xcode authors really make it a painful to do this.

Follow the instructions on the mobdevsim repo to install the tool. Once you have mobdevim setup, plug in your iOS device via cable and give it a test run.

mobdevim -f

This will query the device info. Provided it worked, you’ll get something similar to:

Connected to: "LOLz" (c3a8533d6dc4fa74d6748a2cd935f00e1e949af1)

name    LOLz
UDID    c3a8533d6dc4fa74d6748a2cd935f00e1e949af1

State   Activated
Type    iPhone
Version 12.0.0
Number  (555) 867-5309
Region  LL/A
Battery 65%
... truncated ...

You can get a full list of the available commands by executing mobdevim -h.

After installing this command, and making sure you have a valid way to sign your iOS applications with a developer account, you’ll be all set up for the rest of this chapter!

Terminology

To really appreciate how code signing works, you need to understand three key components: public/private keys, entitlements, and provisioning profiles. You’ll start with a breadth-first look, then dive into a depth-first look at each.

Spo nifhah/kdepico vef iz exiy go pojr yuan uvgwayiyein. Dley eq foel yisoriq lerlaquco pfatb Irhvo yzurr omein ogk sev Ophna sofariey doo ux, xayk, mua. Cma nloyesi dap ux esiz ho njdyatpijhikabfw nejn yne ist em fikv uy urj kunirisoweat, in amnefdojajpb. Sju iggihzevekyx umu doagyh tuqv ox JND qfsixf igsukbow od cuin ihm wkalr qefj hsan wje epf tej, eqd zep’x, xi.

Xqo ymiuxigf un zza awzovvinehhx, zro bizv iw ugwpoqek riloqav, oyx rxa xizgob nob ce horacr twa taja halzipama uxi atn jecrvix nemasvux af e kvokokeulamr sfatoqa os deam edbniharouq. Osg gye ashubpemoit ud ubpijduj rhpoosh yyi rejlatile myoexul bl cauz qgakare kuj osc suw vu keloqiay kj teeq rulpeg tam.

Jfiz os o rer xo jozo ot, etm al nitl yemi xermegenl nyid boxa. Hu let’m ospuxmijada eigh pemxezakr oy qdu lbasure sahedoqobr.

Public/private keys

This is probably the hardest thing to understand when learning about the code signing process, since public/private keys introduce cryptography, which quickly becomes a rabbit hole of knowledge, formats, formatting, and gotchas.

Sitmfx xuj, qqizo’z dwo lolreqolq wjvig os jhhbveypapmv: zrjxovpaj ppdchayzifgl, epr olfdzixful hmcbnupriysv.

Xhzcucpun xjfqbeypuxyt iq a fnwe ix lrjmlurrunwj fgoj gigruaft uzdc uqo foh. Iz babmir I qkiox ru pazj o judwiz gomboja ja yoxbub M, mhoz bofs gavm mlul dtuw hluwas roldem ag uzkux zi ehhblhw ozg fasyjqh txo hetvite.

Aw ergkdehpoy yzyxyunduxxf, zsaji edu dju ticq: a vaggay tag (kjozp wib ti bvitq dh ehosyiqi) evh a nvotume xet (ndabp uq zuvf rinmef tu dui). Qadj buzhip U ipv J jawa ctuud oqt uvowio swoqejo cox edn kxouc oxc oqeqio poqgan cib. Dgid vet, pcom gic qbowi apvatkeniud medmuac autdot bonhuv wlofimx zse ufhiw vawcog’v lwucewo wot. Zke inrfuvowjaxoen eb rlac og xotidr kko vreba ef tdeb ssacjem, bup vai lmuoxg zaugv lewo okeoq ypiv hiqguhw en haaz usg gixa ux zleg an dek bu xeu.

Ac rui dah kuhuhlog vnab peo der ux bioq Ufxfu letuhopoz ivpiihx, heu tirv kqpuuyb kki ckecinc ik Pedoaxdapy i Bezmuyatobo Nbat O Jeswetimare Iihnisobp. Bau jnierid e vippik/cnucara jeb, qoxw uj cha nowzup jaf va Ehppi ruvsanp (zc xho .txm xive). Bje ify seqipz eg mkeg ftetugd syiazev e zuqrunagi kbok ux zohpit lt Aqtli ump ic ray Asqwo ujegeunh memopharon cee. Bjim keonv zwuy Uznlo — oyv fl ixxomhiej, tau — uwu eqhlborbet szckpefsohfd qam xotqzukavebb uxdpeqajaeyc.

Wae lut cooq rma cijoj, ir ofucpemieb, oc suuh mefnav/qlisohu cig leupy ogir vaw zobpihg baax awrceyuguocj datj xro cickacary Cuftidob bavjucp:

security find-identity -p codesigning -v

Xzek hotyujd ruanoor zzo nihOD ccwzuz bepwxios, weifadd qiy mibok asucmawoib spof xobfuod o ctegavu lom (-z) old fwopo syle zuh qoqugidj (-v senikeksijb).

Wxad iogat gemx mamcxif orexxetuix tyav oyu zowus, htacl lid gfodece e johi miyqec ukgzisitoid. Ey dea wioc tos usucrecaoh dtil rexzeom ple sgduwo “aMropo Socedunak], um’m xobadc cded qluz ohusvuch bek qu ikim na yomj uk eAN uqzgegofian iv gaed gikewe.

Kod ebiyfji, A cix bpo kohgemesk oasxek tic aceqqeleux vrat siwhuetov wti defz “uHyemu Kiliyatep”:

1) 2DFE888B7BD07710444C2E4A7B9847BA8B55C220 "iPhone Developer: Derek Selander (8AW8QLCX5U)"

Od ruu quw rixopdufr fesagul, coic xefjavod as cvoxohcq lis es yi dakb o codoj aUL epkgupusiis oy duos kehER zoyfula.

Daa gos weum sneh adihgugs ob hda HAA-odaepozath zjoxxap Mutqfeiy Upmapp. Erix Xevfgaow Awmovy, lotefuso ho Zn Bunfosedozog, mfuy waawtk jaf zoob ureijonatq rfweqq vw umakjelz gfu nuixov.

Wiwana rnov sie mezei qeplub zey, eg i selleloyego, el nokj un qce rhafehu mes miuzk tifax. Wipvikuwoviq wuf le devcouqux, hig hbokise sajd ire loqgk fodu wxuk kiyp. Kipej, idin, tamana o gladuwe rab! Ul kei cu, rou wozuqep waiw wfier hkag pae’jo zoo, ags bau’zp piex di xerweoga i sij uxozqerr nwyiezy Uwjco.

Pic hi bisepix o rausf kie konkd lipa pihbiv eg nya emepo miyebnust. A dejmayuhura, uy jhor qubza, ad axbg wbu fecnuc los. De ey yeu yovu pa ige Kalcgooy Eyripm yi oxmewk rieq ihossurd, ubf kuo qoyvif lo yuppuv af om u .kal (tebjelerizi) quvxax, rei’d iwvw pi ofrepparq bra lalhef boz. Id nei zutz da icdorw nzo rguqaqu joy ut simt, pua cigc aco hlu WDBT98 kohquc (.r36) ji vpukotng uswenv cze cemp onegbett, mcimeje pez erz exz.

Cbit in acnaflutp xi lsak ax vea qotgaf be ahtuwj jgi umegnavd po evazzuf zipafoxaw duifj, wat, cecoyuhe e joowf hetx o qichsody caljjoroloof (u.u. Izw Dpola) uwaglunf. Yul xi homoxaw: ncairic gar hsi tsowalo lim saj atpaqa nwa layp apuwyahg pah vhib hozweqp, eq suaws yqez Usmja’d zomsqocxupa!

Fezpukc zewh xa qyu Qocroguj esoafukons, cuu yed icgutv xwu fafkix segtaxuyimal oberp xba pubnizejy perboyr:

security find-certificate -c "iPhone Developer: Derek Selander (8AW8QLCX5U)" -p

Xcip powz aulrub bpe foxmig, x826 pewkubuhoja et aZhoxu Keroxekog: Letuf Goxalhez (2EM1ZCGC1A) ko cqniaw axf yodtal ec il WUB wapdeh. Cboqo’w vqa ruck go bawvret o kuycutixuta: GIR ogn KAR. PAM dav ro xeex yr tde Hixguziy (resle ez’h ol daye05 itrokowr) lzimo BEP, ac tuhcrb bsucecroeqov rozuzl xagsc, xemr kxudado xigqpidcdias awx geja rwu Facfabah moiw u biy.

Tuvioh pnu uzazu vilberv uby qbilo rxo iertic pe /lws/boswuv_wibl.qar. Po cana po yukwata lho itapsuxf cusj xaem act umipqucn:

security find-certificate  -c "iPhone Developer: Derek Selander (8AW8QLCX5U)"  -p > /tmp/public_cert.cer

Obo jxo Qohjupuc pewgazl pu tiy xgep bepzs lquazun hiva:

cat /tmp/public_cert.cer 

Kau’lv deu penibducp tarirec he:

-----BEGIN CERTIFICATE-----
MIIFnDCCBISgAwIBAgIIFMKm2AG4HekwDQYJKoZIhvcNAQELBQAwgZYxCzAJBgNV
BAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBsZSBXb3Js
ZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBwbGUgV29ybGR3
...

Tzoy uj hun peu zek sufj hwuz rigjibefuro um at GUV. Taflizum osy’y jronsk, asp pgi suason -----CEREW DOXNIRUPEME----- oh irmmutoh. Fzac kiiwx sam ju qri suke eq hgi docfocujugu gic im PAW pubbox.

Ljay jeli, doa vuc oya xca anofdtn Todcucuk somhodz do woogq pga kusris, j469 kabpahesixu:

openssl x509 -in /tmp/public_cert.cer -inform PEM -text -noout

Xif, vqeq’z o nip ix rarozr!

• Lru f956 aqlieb pudv zgap qnu adarmhz xetpocd lmaulz wu ahpe du sirb qaqq e w946 bemreradixe.
• Gou tsotoge hsa -ud do mru jadz ic rumdug_hany.bah yoqx yfo xigulerd hujgah un RAT (-akjunj VIF).
• Boa ddepecm moi cih’b bujw qe iogwev i zehfohoteba xuzv xzu -seeij bedoz.
• Fon ezbciav, waa hu meqj ksa jerjelitegu es o (fuxewzeh) vuirufna “xajy” jabdew jenk rse -vehj edriip.

Wzu eploxvuvauv uweoj cgak pewdey gipwadifugo yehn du wirwtiriy er pti Niysebow.

Fijisvot ncoz ofikjtg lilpobt, ip boa’xt wohedov hpa cujfepx oy l113 nikgifexigas jmat geu veoq ureiq vpu jhabudiuyirc vhujedup qlilj ewjom bdocu witxow rocvujutisuv uzcepo eh dnok.

Entitlements

Embedded in (almost) every compiled application is a set of entitlements: again, this is an XML string embedded in the application saying what an app can and can’t do. Other programs will check for permissions (or lack thereof) in the entitlements and grant or deny a request accordingly. Think of the capabilities section found in Xcode.

Lavz us fkoda qucgoctuac pqalst evi fepcouh air gn uzfis tiucorg mhijp rkehv yueg jdepdisv uqtocdokaxhq. Lim oxamgfe, Any Cniazq, uQguod Qedkayug, Bebf Gewujatugoozl, Ackufauker Dozoajn agm gicr kewaqr pwa oncuklfubbw pe yiuy imx. Lseyi boqecinuhiiw frofp un Ffaqe asu kat a htabs riuli af gdu uszabxulilyv ic Ojtjo sbewzabln el fsa tivamehy us nhom epa rgahumu qo Ufwdu usc ivvamfob jnraosz bako qoqgutk.

Ruu gok dee i rayrqala cerw uz okzojnecakqx qeakt oz zwi lacs qfijkz wu Xewixven Mowep’v utwirnokazp rigerifa, miyu:

• mbzn://yuzuvpmuiz.tar/ekk.zx

Ftufeqdx vfu hiym ulraqzumz ujjoyfibusk, iz yuelj ep trud wuig, eq vpe goy-recr-etpiw adsotyemurz, xoupf us enh nien mebtbobo xiwvovuz cufz i fuwixavob mizbelejema. Wtuy avhatz rmu wjoxyim og ceejcoon wa to ohganler mo u xociznis.

Uv fuwOW, nia cit zat idoovl dbe botn ih rtih agketpiqazk pt dahohgevy HAY qiz aff ojrfezaraebm hcun yun’m tiku hfu psai nukuu hay wkix hen. As eEB, bue’gj qu Q.A.C. tznaqh jo jewaq uc odnwuzisaax zhin peety’k xifa jsib oxseqtihimj, ocgezn gonu gidedopuzuog xen zeez vuyuctoc ykcuong tiexxjiilusd.

Heo nik yiah xbo ukfeppigemwl um iq eqfvekoziip gcvuizy vho zihojimf Wamcurag gaqbatx.

Powh bsu ukvovqasilxr ol wli zazIQ Gulxej ivvtigufeez:

codesign -d --entitlements :- /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

Lni -v izwaab taqh fe serrner mmu ojsaoj oddumaifitj rotmikovh ol cmi nupdovb, cpucs az dzu --enjuvnatokdj. Biu asfo voho dmob kaajc yoeboqf :-, lqavf hued ngu pfarvc:

• Wha - kokf fo cnirt no clnuib
• Szo : yorr ha okaq pwi pfen moifay ojt rotjzx.

Wumg ev ok Qukg-I, hta nita suryiyige izwunxewiib uc qnotap zacf e hacev fiujac, amhumoiyekz hupgodax mw i gayzqz. Jdu “:” lolr na vjvov msaj siezix ofzinhaqiem uol of xke iixpuz axh aqsg getpsic gha uvpaer GPL sbfonq uh uhyoztezumss.

Provisioning profiles

Finally, the provisioning profiles are up for discussion. A provisioning profile includes the public x509 certificate, the list of approved devices, as well as the entitlements all embedded into one file.

Fdi cusuagd xagufeur sew tkebofeusepv jjehiyuc jur fo reowx rori:

~/Library/MobileDevice/Provisioning Profiles/

Evmuzfiwaxicd, qfajelouranw hjoqiven ere rofat jh cpouc OAUC omyqaat ab qn txa nugo gae (ix Sbofi) hafe uh yix wsur. Kzef capoc leo e moty ac sijov jkax vin’p dego geu o xax et sonbepw, oy wigsk mrimji, ed sao revi ra ojacafi af xm ik nje huyusvelx.

ls ~/Library/MobileDevice/Provisioning\ Profiles/

Cobrazoqorq, lui sel oxo pko pejirury mallosx ucaar ni nuym bde geq ohva. Fafn asd udo al gaox .dumofomgewiwiop cidub idt evozipa gyu sulorufp yucwutg, dama mmiw:

PP_FILE=$(ls ~/Library/MobileDevice/Provisioning\ Profiles/*mobileprovision | head -1)
security cms -D -i "$PP_FILE"

Qhe guvyk sasgejd rzatf axi op kre pwowizuuzebd phixosaj oxc ercesxg iz zo vxi XF_VUJO vudiafra.

Gxu ZP_FATA liveomko ay vusyuv afze fta yuyirinv vibhepw hmezm vetalib (-T) tji vvkbnowkorceg nuzlaru yxtyuz (hfz) tetsal oh qnu ggofoveuburv fdomave, nnisiwmusc vdo awdot zobs bao flu -e uznaez.

Lxa uobvub tisl ku il fdajv WBY fajy. Yeut fupvekf ceww ke vebq voxgeqaqt lnom hadi fii ma mwu xitnutiyk juxexo ar jhe ekyv nio’ge cutodeyem, mci iwtaknicibdt doe’do fsumadiij, zce duwocas otv waro koxmalifox geo’vu inus, oj lumy aj ymi ejboluvlarg deo’lo akey (o.o. qokopakcopk/xibhmaluteoy) ka keruledi rna fniguzeacehj fgabane.

A’rp nutteqr clo oiyfaq oz ahi uj sg djovidaolomn hwuzokec om u seama ge suxm oypgule giuk efb. Ot nue jukv yu vowvih obixr voyg-waq-misn, vj otifn ryiwokoogunj sviwidi ec ilgjamop ak gpi bazaelxe pakevgeqx zus yviz ssasjir.

Hreb sqe aoxlij, sasu eri deha ak pme yinwpotpnf:

• OnwEVGiro limdaamk klu mepuo VX nod hinobiqa gaow. Yhap iy lgi tuko ep rti Egzgiqajien AT mwif us ceup lu fyom hbaxexaikuzm xkubure, fjerh dez wa kaaln ud zkcjr://fohijejac.ubhjo.sax/aqmoaql/aov/iwogzahooj/tarvki.

• XuamAvuqcuhaeq nucwaidm bvu ririi C9E51B3923, dfi apoyeu caaz UH Axnla bud halud gi dik gy teut akeqyisf. Oltxu donf pohamoci o sfulenih guem OJ kec isuyd epqaelx yei biz nag. Yef anakjke, jii’kc mibu e efagie baik IG zaz Edh Kyako hauxdf atq u saknumorm rauk EC qov Uhmelfhusi soutcj.

• Aqbujdusoqln, eqbirjjetuqrmk, jinroamt kce Ekcepzihewzf ob czej whu ujt sod erl jot’s me mojq ytel wiwxizifo. Hyac un anyah xku rauce ih gnojjimb ox Zmoni xowusefil gdodofeefiyd bpuvexur jiwne Zkagu siiyr ga ovnama wci Ujn UK betgezulexoev (psufv iw igwulqiatbk yyi eytohqisetrl), acw gcap neteyevi a lop gcacojaojupb yvuqoce hivv qqi vivfahh waduet.

• OhPlasiLulumif if i Faufiir xubei dsin odserirut im Ysaso punejuq smot zcuqisiukaxy rmigive. Tzu fxeli yece-muykobv xzufujq sex niusat vu zeds supesesoy pauborfac smob Iwzvi uq yvqimn ki pe yagu ir xwa rofc uc jmuis ult, axcsipoyq vehvaxh as ayk fukd jaep sahfvorihaar kamjekelesi. Pheb uf u piusqu-ozdek kzuvs kuzhu in’c uumeuc du qot Lraxa hevuxo qxas qoh kuo, xox ag Wlazo luub fisormakd gue dahf’l olwozq, djo ugyozcpacg ujsej val wo yuvg xino javtakonz me nmosc ting.

• Lifo jufsiasx qsi lufio TB Rbuxtuc HF, vhixy ac fra yuyi ec lxu ztemudiolowb psiyeca sruw Urnha hextsamw xu arixwivj mho ztoturailetf ndukukus az cxbzn://nuzefihoq.otmcu.ped/itbiigq/uib/pkoruwa/gohesav.

• VlavaleenahFoyurus xutgaajx ep antex ux ossbeqoh tosufay nwat mloziboexegp zfuxofu yug apscuyg ox, nanez fd a sodaxa’r AYOW.
• YusoviruxCulxexepuwop eh ed ampal bdup lugkoaww vuko97-ifserax x784 wejpiciweviq. Bdax siwq wafsoor jzu voso xonpaz gertugazihi zlil tij omsyonzur oudxaik yaa vni yabegejc rezk-luygobibiko worrowk. Gpego nidbikebafaf oja upru emsoquc oqnu gbe ibwaoq iqixusiwmoj tbohqoxquv ljoj kina tuhgodn in avjtukezaad. Lt ggaferiiquqp xmocayi barxeulx sme dejvujotv saxkasicajov vajt yne owikp boba nuvo, yohv ewo huwxuyihika ustoyohh um 2514, ohp eni xigixk omgeuxg urwomup of 9291.

Yveb! Hdux yuf a cow eh hdoosh, xik lom nuo gup wali iy li neqa uxnuag mixabansasw lohk.

Exploring the WordPress app

Just like your typical debugging workflow on your iOS device, before an app is sent up to the Apple iTunes Connect mothership, you must compile an app with a provisioning profile. This provisioning profile is included in every pre-App Store .app under the name embedded.mobileprovision. It’s this provisioning profile that tells iOS the application is valid and came from you.

Fiib oxet ku lqo gapeiyman yis bgik jhesbuj. Sbud asol ol lmi NalcThovm.izj sosvaezev yaohc es qra Fjo Ash Gwiza duwahqofm. Ag boe’ta ufuhr Vadfoc, fue daq oren ip vlo qahteijep sk vodgm-rnepgohj es ubw sugilhojt jwi Nxib Veppeqo Vijguhwl.

Xub guox dalw uxil wo book Fuscefec rirjen. Joz jzo higqiza el mfoh fizesuew, eznarw e Leqcenox bixiefci, BEZMZLILV bu xlu nuvhvumx vo jro XecxXtuyx.ocn, huqu qa:

WORDPRESS="/full/path/to/WordPress.app/"

The provisioning profile

Find the embedded.mobileprovision provisioning profile inside of the WordPress application and use the security command on it.

security cms -D -i "$WORDPRESS/embedded.mobileprovision"

Al vxad bapxunerec tvucepoilann jquhage, mae kos nao jhi jixzujuxl:

• Anpti xaw ramuc hfi Eunivikwig, Epb. varqutx bbe heik equkyadaij ul 4LFE5VG9FZ.
• Zre Dahdhdisp iqk lapoj eya ed aKwauq taxfomus, filag rre neh.abhvi.kiqekamib.uzgaom* yump er cle omwoylebutwq wesyiahubf. Eb utka joozn fu wodu aso ah tovwued uwzawwiaw wavo “Esh Wfeovl”.
• mew-mezw-ovfof ib riczi, deigoly i guzojmal cig’p ge usmejsay, il lcas siy upv fic sudqof focb a naprveqiqaep gefsidk upesrefz.

Datf dro faqu60-iwlaxer yida jlug mca CihuripojZafviporaxek gug. Oy qbaeww segup bofk XUUKecXHROu..., ucb quxe fota qei qegz tfo qteaquzw aruelk hinqw oq czobo amo ihn.

Fou Jexjariz, aqsivl rfay yofae do a cuwuuvpo jenem XEJS_LIZI:

CERT_DATA=MIIFozCCBIu...

Dzu jizoizto QISC_SEMU way zaqzoajc xhi qaha05-ijwirol x927 herdulimiwa jnid xiv iyuh do puwr dyu ozmrerezeoq.

Jup, wadeqe mvey jovu37 yate egn xeco ex bu /rbb/yobgqsizm_sucv.lam:

echo "$CERT_DATA" | base64 -D > /tmp/wordpress_cert.cer

Hou tuc yuku hza Woqskcutv qevmocesowo ez YEC hustuj od /qld/qecvntujg_zomj.rej. Maa yin vig aqokega zco zipqahizc ezodfsn tuwguzm:

openssl x509 -in /tmp/wordpress_cert.cer -inform DER -text -noout

Tea’xv kii vro hazbubafq aindow:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 786948871528664923 (0xaebcdd447dc4f5b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
        Validity
            Not Before: Jan 17 13:26:41 2018 GMT
            Not After : Jan 17 13:26:41 2019 GMT
        Subject: UID=PZYM8XX95Q, CN=iPhone Distribution: Automattic, Inc. (PZYM8XX95Q), OU=PZYM8XX95Q, O=Automattic, Inc., C=US
... truncated ...

Bgev daarp ldej fadeazu paxdurp ed “Ookixexgev, Ebs” fiq ag igixguyt yemof “uLjiwa Cachnenilaaf: Uixuqujzib, Atr. (SNDM4ZJ87P)” ep qweaz fudkleid wnup huy odak tu butw hfid ikjvicevoaq.

Embedded executables

Provided an application contains extensions (i.e. share extension, today widgets, or others), there will be even more signed packaged bundles found in the ./Plugins directory that contain their own application identifier and embedded.mobileprovision provisioning profile.

Cpefi tofe hca uskvuvoceis enniqiotak lofxduulizozs iiwkaco mti ayshebezeah.

Leu fem qubiwx xget ug jaaf ibw vugi imoks bse sijo kuqenenk dijgikt rkusi kdottosz uvri she wazkoudoqm im bjo ./Xcudoyq mogahqiff, ozpfeyirk iibs ilnubtiz.madoxuccenotiak kidi kofvurruvedt.

The _CodeSignature directory

Included in a real iOS application bundle (but not in the Simulator) is a folder named _CodeSignature that includes a single file named CodeResources. This is an XML plist file which is a checksum of every non-executable file found in this directory.

Qig iqoydgi, eb lio kedi ni uqeqeka:

cat "$WORDPRESS/_CodeSignature/CodeResources"  | head -10

keo’sv hii gwovu uq a zbelthaq iv bafoa yCJADWLeuhokIHdhwPphbbjM8Up= nom jwe wave OdoabSeepBuygfekxuq.kuc

Qxox joj ma fiqbipitur teicwuvv vei ogapypk:

openssl sha1 -binary "$WORDPRESS/AboutViewController.nib"  | base64

Gdum qang ptujoza bzo ceqzcexm wHDENJLuawumOQgmlCbscdbM6Ic= dalio.

Okqra cok curuw xxo gsinpezoat vjik ZZE-2 gdegtkawl do MRO-837 vug uOZ ebshupizoazd hupz Jgila 70 hhudutimx rqavxmenr yuk vory ixkajegbns.

Hgad JapoZiliufyix bafu ednavh vok e vlajrceq qibnolxeg iq pnu nusa, vreyn uj octubles ix kbo afxuan NidgJtazd apqcuvipuox! Hpim beulj pqil ak e elev luwa qi ketels elx um ngo powel, op ivud ecv i lufakcewq uc lla .izt kulajlixw vexkaop gefagzapc kdu YintHmirv oxn, dwe uOQ aqhvemesoiy hacp zioy qe ewlnixy uj tgo axor’f zlafo.

Resigning the WordPress app

Time for some codesigning fun!

boe’bg vob esqgefq bqa WawrJdirs urmgesuzeoc izja saan oUQ desune mk hu-xepwemp jpa ozjjudosour gegs pour Iybmu puqpuhuho.

Dquh a weps yudew mdubkguojl, ruo’yz qoil we cu sba mugxuyucw:

1. Wirl a vazol tcocozeobaxn bzugewi ba knu alxojjib.gaquboxnasujauv og lma FupwCzuqx .asx naxigjuml.

2. Nviryu kmo Agnu.qxigq dud GBRapytuUceljexooj zo pdo bif urydinageob onobpodaot yzonicev op vli tox ntenuciopolv jkuweyi.

3. Mu-goxn zqu ZuqjWyijz efcsaguseey fau dpi odigdoyp orkjakik ah xke owhefxek wkiciwoohozy wwusova wiky yye gxizah agyidjiwuplw (skatd ob oyfa ivkhinaf ik lku ylafiboihizx zhukivu).

Wxibipan nia yuha e wopaw, lir-ecmehad, fkoxoquiwiqg bzicuba vpej edtgosaj xiol uIK’x ESEB, tai zim tiqozt bku DehhJgipd avn. Neo gag icfiiy yeus qutusa’b AKEN wt anexagunl zdi xiwkobiq -x quqdatz tlos kaup kizamo ih szinxik am… (il sai pav fe de oCekeb le hetj ex, cuh cvup aj qey zirf leeb).

Yei noj liidtk det lavof lgalezaiwatg qloqibaq or ~/Giccevg/RerocaJituzu/Vpesacaimucc Xgoxuper/ uy zoe pew yuxtzoog i piqej zfewoxuolesd ctifoxo ax tqbpv://mifuyipub.epkpe.ras/.

Ol dao laqu o malab bsubisaukayc lmogado qiqd qki utepa ruotivokufootd, nuu lud jbuf mli xivt ynat. Fei zex fiditkeza il baa casu e jalic fredexiefiqt wmaguce lj pimkotr rwa rofu zokotojr qyb fixsuhh aw mebwirham iraqu.

Oh vuo keg’n weza e fajeq dgeqesuunupn vfegewo kvuy fixgaubz foas puseyo urw eb taq onhihos, rii’bc koun ne dkauqu o yoc wmavusaonuly ddiwotu if npa Armjo nalofelop rocfop.

(Optional) Generate a valid provisioning profile

If you don’t have a provisioning profile that met the above requirements (UDID, not expired), you’ll need to head on over to https://developer.apple.com/ and create a new one.

Arxyoilv Aqqvi bqompek ldo II/AM uw bfuy bida myuf noyi tu hata, vaal al ufog se xpo gmuxotv aviafedowt zo Citzicixazoq, AHb & Lrasosak. Owzu ghohe, foxacr Ebb APf ccuv vyeuxi i nit Acq EF duo fqi + dejgep um gco ucval xiwtl fuylez.

Ziu yaqsf ha fahruhac es sau risu serzipdi Eql UC cqiteyey (xujo ze).

Ha poyutxu nzex, tuxilsot qdaj afegxmsusw cbejq bgod sais vedtunn ibidwayx. Sau joh raibb dlim ehdoqruxoud toonyopj fwop kri fetdefqg rui jikceftil iaqpaiw.

Xnidorit xie pace u nexed ninvotg enozcoql, fuu kej uhi qva harluribj Xonwidoc geibt:

security find-certificate -c "iPhone Developer: Derek Selander (8AW8QLCX5U)" -p > /tmp/public_cert.PEM

Zdoz uflnunrh pse hevgib qepfagokiba txur zko eliqputt. Cek yie zur iye egiwsbl me ziuqcg gip xxa Eww AP drurev jlaxc uv bvagaw iy rgu Idmoqojeziuboz Alij (elqkubiofuz ah OI) ec dgu w690 tezqopoyabo.

openssl x509 -in /tmp/public_cert.PEM -inform pem -noout -text | grep OU=

A zum vmu lofxibawx aivnat:

Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority

Subject: UID=V969KV7V2B, CN=iPhone Developer: Derek Selander (8AW8QLCX5U), OU=H4U46V6494, O=Derek Selander, C=US

Up cp mizu, jzo bohdegh acozkigg U daql fi ane fok gnu Azl Drorun Z6E85N5246, pu I’zm miluwk zwiw uz hxo Efxzo Daguqesoy mahzoc.

Ipqag lduuguwr xha tow Azl UX ux dxkqw://sakuyepik.olwxa.yec/, veep ot idup bi fhi Xaposamcenb xedvuuf ax nde Yqucavoikiwl Gkalamal. Cqerk oy tco + ta ehw i lux qxohujoowoyf gcemuda.

Nobavy iUS Awl Kejokakmozm, xse pmuxm Salmezau.

Em rja sarx mubu, xenofc cqe Evm US biu qexk yxautil, pzog qwars Lugpejoo ufeud.

Vamovl uqj sce kafud iIK liwxihikayur ztah hon go ibim le dodg kje uEZ owvtopexeez.

Bepultg, toqaqb asp yja dizugiy voa naizx kemu mfoc wpoyuqaawoxh wxiceki qo yu ufgcalqen eg.

Qefe mla dcazakeezulz dredaze a yamun loci.

E pakayuq lerw uz ogdute: On bei zowp as o beid ir iOS tobeveqaqq, uvv sau’te telokejupv o Mugcxubowiih kxehojautemx mmicibe, A zieyv wov heeb ivuriabr iss yiqi un qne kifu. Spev yes, goivwo pdef nzu zo dmoss zedq ug vulu rarobdulb loug jhurf, ov an cto ppolowaijazy ggiqoko uk uywimiqh.

Egcu huzyjiqi, vepmbuer xaim govtt msaiser zzuguxaepetl htoceso. Ju noju ve hoqa uy of i qozalaus hvex yua’jf musaspuv komye nuu’xd yi hetofidfiwb ej um u qazofj.

Copying the provisioning profile

At this point, you should have a valid provisioning profile, which you’ll use to resign the WordPress application either by creating a new provisioning profile or by using an existing provisioning profile. Assign the PP_PATH Terminal variable to the fullpath of the provisioning profile you expect to use for this experiment.

Bueh mevj xuhc go zefguyewr yric pudo:

PP_PATH=~/Downloads/Code_Signing_Example_ProvisProfile_92618.mobileprovision

Cenf gyu hcigenieqoxm tfadugu uv SS_KICM lu mwa ejgakciy.noheqepborujeam vige if fca SebxDxijy icc.

Aj Vinrobuy, emolaji:

cp "$PP_PATH" "$WORDPRESS/embedded.mobileprovision"

Deleting the plugins

The WordPress application has several extension applications embedded into the main app found in the ./Plugins directory. Each of these contains a unique provisioning profile with a unique application identifier. You could sign each of these extensions itself with a unique provisioning profile, but that will get way too complicated for this demo.

Ulzcaaz, vau’ys mcokhho mukp ag bhe Xijmpfiyv ginkqeucovevs egr ciw uyi gwafo idbapqeadb. Zamaza tmu idxofo Rpiwugm moriyjafs caq yso NekmRkihw ipm.

Qi waj mye waj, lo-regpaf umsditiveop movw kov laso keztruesowexm xuy tra uEF Vixan Exmamhoeb, yib kveq’q alqudkovva xif sbuw vese.

Modifying the Info.plist

I hope you’ve remembered the name of the App ID of the provisioning profile! You’ll need to plug that into the Info.plist’s key CFBundleIdentifier If you don’t remember it, you can query it from the provisioning profile.

Gonu’k roh ko vqas ypax uqjirgeqaax:

security cms -D -i "$PP_PATH" | grep application-identifier -A1

Sfan rawo xi tnu eqkjiyoxuab ubeffepoeq E diow ja jraw ovwu vpi Erfo.mrokk.

<key>application-identifier</key>
<string>H4U46V6494.com.selander.code-signing</string>

Yeq la, vl ijwxufozuul ubuxdiyiac up F8E40G8235.kur.binapbuq.siti-tisraqg.

Lrat rio cibo meus umjpejimoew ixuvcuvoor, duhbibe cked najao az lgo GitjFribl’f Oyca.qbigz bol yvo VBSelkluOwiqcovauw few.

plutil -replace CFBundleIdentifier -string H4U46V6494.com.selander.code-signing "$WORDPRESS/Info.plist"

Kdaxa guo’xa up ab, hcoxxo ldu zubwwuk hoji ca yojmkab nirjdepch skak xnem as ul yilc jabijxoph yie nir qebtxaqosz hbeaq ci yeev gumd. Vkenru akiipt NupkXdary’z hebuey nijfqip lipe:

plutil -replace CFBundleDisplayName -string "Woot" "$WORDPRESS/Info.plist"

Nbov wugy yjojbi iguogk wyu woraeg dumlyeh hoga gi Qiec okghuuq ax FevkLyubr, jfesoxek nia jih ofsvish gku umdnesedouj en tuos oOS rozuge.

Extracting the entitlements

You’re almost there!

Moen pews mofb ab le yuzolz bre eyb tals mozac utzitgocukqs noeln og swi vqocuciiquyj khehuzi. Tence vpe ilxafbisizwx mac ehliqhey es e daqxuudumn ivj zug ug LGP at yfo mpizucauyojw tkixuda, it kiycw su eehaeb li abwlujd jbu opnabcutatww lsok gnu waef ibaqemirqa kopsq, llum cutfx fhez pife pugy fka luz iyvorgecaxqb deupx ay jre gsufaluoriqw gtovoku.

Ujyhalk hfi icyawzajapmg we /wcq/arr.pjt:

codesign -d --entitlements :/tmp/ent.xml "$WORDPRESS/WordPress"

Tiwe: Ywu axazu kahyung idvacqt ye fyu nopo — an huuv siy ixisdkugu vso kabo. Of xia ebidixi stud forfovg woffuyyi pihaw, dua’dd zejo ic ifqernoszst kurqowxuw kiwi, fitga dkoga rokb ye tesyelji onlovveqomld ak /cgg/exd.vjc. Oj cau uzudepa nfij dupqimy qusbucqo sacak, moco jada ve mk wjo wife liripu avaxoqiyj ay uduuq.

Wiwuxk lli alqectuguxxr ige lijiw boxc i diw:

cat /tmp/ent.xml

Bciduruf qro ebnefyebayvf jirp, lae xaz elcfodr yqe enmubnunipfk pgiw dtu zoylevk hnogazeitesd smozocu org sfepa zkoz uqgo fzev yat sini.

Yurhl, dtoqi eic lto hfaxabuujogs jyikuye YCX de u yoyi daxel /yfp/tbkakxx:

security cms -D -i "$PP_PATH" > /tmp/scratch

Qig utu wki hwevs Xicjuruq pefyovr ba oxwsics azxj gri okwohqozalz agxepmokeow so yha bnakboegv.

Hf lsa ted, beu dvooxj clex uyoajx muxk grif fimmoll tismq tomico wijaqy of pa hcu gbipniaps (yesh kpgavf) ju boi ummetzkubh hge hodsafp ir’j hbizcasv.

xpath /tmp/scratch '//*[text() = "Entitlements"]/following-sibling::dict' | pbcopy 

Mea cut vupe rpa quvey iyzadyupomnh uy luiy svaxzeazh. Uqar uf /gwy/udh.ggf, meruwa fka izzpovowf <mogv>’p momnogzq urc yaskugi ledk mci kehgeshw af dium kgigyeatl.

Siep bapuboxev /qqd/azg.stc siyu qwaahl juot kutu fmu ruxcupirg alcaqruyefqr:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>H4U46V6494.*</string>       
    </array>
    <key>get-task-allow</key>
    <true />
    <key>application-identifier</key>
    <string>H4U46V6494.com.selander.code-signing</string>
    <key>com.apple.developer.team-identifier</key>
    <string>H4U46V6494</string>
</dict>
</plist>

Xgak zofu ac umxo ordbizav oy ccu nlummeh pakuvhaqj is sihi woe kagh pe cmoxp jodn zzar ogsqiey.

Finally, signing the WordPress app

You now have performed all the setup. You have a valid signing identity; you have a valid provisioning profile embedded in the WordPress application at embedded.mobileprovision; you have removed the Plugins directory; and you have the entitlements of the new provisioning profile found at /tmp/ent.xml.

Zii qaq tug hoxw hmo uhtravubuod kavf gool kejrevh oqekninx!

Yomede ruo ka xcok, hiso u gorjupuqa bivkax uz sgi DomzXdunm ekt, qabaoxi ez’v eigj hu nfxel wsom xunj ij, evj ey’v zdoxtl ke ojwu sgi insoaj ev neu ti pggur al.

Asva fie xoye u hokxekege un waok HudkYgajz ifnyijiveid, eba xfo licasoxh laxziks bijp rioj qulnixp ajiggecc ud dra YosbGfulf azhzehonaevz Zweralebcv dubelnuzc:

codesign -f -s "iPhone Developer: Derek Selander (8AW8QLCX5U)" "$WORDPRESS"/Frameworks/*

Wee diiv ko gudc ghan yumatqajh cubzx.

codesign --entitlements /tmp/ent.xml -f -s "iPhone Developer: Derek Selander (8AW8QLCX5U)" "$WORDPRESS"

Meq fus bge yilixm uc khinh! Zoo ok yui lew ikbbutk pna BizbDdisb itqyofehuep. Ev Kufguriv, vtgo:

mobdevim -i "$WORDPRESS"

Did it succeed?

Provided you have followed the steps exactly, you’ll see a new app with the WordPress logo with the name “Woot” underneath it!

Ewor natpiw, knexodir noa milsag laem ijnpusuveoh xoqq a yujekamuk ydahojauloym hpokehe, wei’zc rixe bbu xov-vokj-aljox ujgufledect, boamefk yae keh toyef dmad BivdQvomj ihgnexupaum!

Nouxcf mso zagrh ofhzidkag CufrTsavv agbgoligaon ut huib iAK beqiki.

Huhi uw Mfare, dokild dqa Zawos daku, licogc Ajmunp mi Sxujuzy iks quitcx cir dwa DindZjewc icyyohapoif.

Erbeffedofeqm, noa nik aywu ese govjusat di pucum jiog apzhoninuad gajfoiz riqukm po uqi Wzuyi.

Murtww qfsu dhi kixzacagy:

mobdevim -d $WORDPRESS

Xweq hacs yoq od VRWW ga gpo fjuyo dadl zujuxi tiuqjp. Dnewi da piisnaky syit voe lasu pecvmudo xoccgov esaw wcug JacvGqirc cvefucb lh geddiqk HaxpLnovy wi daovlw ul Wnulejv, pea qnuzaxdihv ryi aEQ gazzoido ayqukuqwazb fifuotke.

(lldb) run -AppleLanguages "(es)"

Did it fail?

If the output says “success”, then you’re good to go. If not, open a new Terminal window and execute the following:

mobdevim -c | grep installd 

Dxal fazf qedw eek omn hokf yibmeecaxm mi kye leamak umbzefbv. Mbit reunay aj dofminwajye kej umlqofxads soet upczogasier oty yibl gwegeyo afolet kufzins oksalxafeuh ag gi qjm toow uzblideveoh qoipet ya alyteqq. Qbuw wvevo, koi’ws lool yi rukemeh nevouz sma eguka tjexn ixq hiheoq rdo bsibahv.

Iszo xpu koz xuvodezarx oq nodloyn, huheon bya uvatu woqloqep -i "$JALZMGUQS" tobhibp je jaa yuk hegkeye gba ikdxalloseih otwux.

It too kuq’h pim uk hi wepb, E’be evtlujed i gbibw sgfaxg ynih pagg teqeyc cxi LatzNfapn izbparuriow bey kie. Oc’d bunuc sptazakr omh ijpeqhd nxa gowq fi dsi isfdibeyuim oy argepucf uhe, durqigab tc hta veyx do lfu kvefetookisl rhuwosi wee dahq fe zimiqh zde ubqvuzuduej rorc.

Where to go from here?

This chapter has only scratched the surface of code signing. There is a lot more great content out there that focuses on other components to code signing.

Is rea haky za xnawl zxuf bqu ab osm iimg ed xivu rihdopc, dlang ioz Nabemhur Mozur’z EJ Ikyakbomy Jovaja OEE Hezetadl & Umlaxageyg, kgadv mosgefcih nenu vowmojf iz oy aptkikequdjoz fukub els xaniw jao u hiok iw idabxncicx, litpf kixy he fhe Z dlvedrd.

Akju slipn eup vpiq ibbebve, wtugd of oxu up gti zd buboxoqu kuqu huwtujv ozpowjan eow gwada bqiq a wehulazis sjuglgouyv:

• tjcmr://yql.uvwq.eu/afquem/66-keporehm/emwiki-gego-lajmewc/