Generating an IOS app signing key on a Windows machine

If you’re developing a hybrid mobile app on a Windows machine which you want to distribute via the Apple App Store, one of the issues is how to generate an iOS signing key that is required by build tools such as Adobe PhoneGap Build or Cocoon.

Introduction

Security should be at the forefront of your mind at all times when developing any form of software. In the mobile app world one of the security requirements is code signing. Code signing is used to certify that an app was created by you. Once an app is signed, any changes to the app — whether the change is introduced accidentally or by malicious code can be detected. Code signing does not guarantee that a piece of code is free of security vulnerabilities, or that the app will not load unsafe code at runtime.

Our friends at pixelprivacy.com have written a great article, titled “What Is Encryption And How Does It Work?“, I would recommend you take a look.

If you’re developing a hybrid mobile app on a Windows machine which you want to distribute via the Apple App Store, one of the issues is how to generate an iOS signing key that is required by build tools such as Adobe PhoneGap Build or Cocoon.

It’s actually pretty straightforward…

Prerequisites

1. Create an Apple Developer Account

The one thing that you must have is an Apple Developer account, there is no way around this. It costs $99 a year, but if you need to build and distribute an app for iOS, then you simply must have an account.

2. Install OpenSSL

You need to download and install OpenSSL for Windows on your machine. Make a note of where you install it as it is worth adding the bin directory to your Path environment variable, which the steps below will assume you have done.

The steps

3. Generate a private key

The first thing you need to do is generate a private key. Go to the command line and navigate to whatever directory you want to store the generated files in. Then type in the following to generate the key:
openssl genrsa -des3 -out ios.key 2048
This will generate a key using the triple DES encryption algorithm, and store it in the file ios.key. You will be prompted to generate a password for this key (once to create and once to verify), which you should take note of as you will require it later. Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block.

4. Generate a Certificate Signing Request

Once you’ve got your private key you’ll need to generate a Certificate Signing Request or CSR file. To do that, run the following command which uses the ios.key file generated earlier:
openssl req -new -subj "/emailAddress=EMAIL-ADDRESS, CN=COMPANY-NAME, C=COUNTRY-CODE" -key ios.key -out ios.csr
Don’t forget to change the email address, company name and country code details to your specific requirements, e.g. -subj "/emailAddress=info@hobo.co.uk, CN=HoboDigital, C=GB". This will generate the required certificate signing request and store it in the file ios.csr.

5. Generate an iOS Certificate

Now you need to go to the Apple Developer iOS Provisioning Portal in order to generate an iOS Development Certificate, using the ios.csr file you’ve just generated. Click on “Certificates” in the left hand panel, and then “Request”. You will be prompted to upload a .csr file, and then wait for the certificate to be issued. Certificate issuance is quite quick, refresh the browser if you need to. If you need any help with the portal, the website provides you with all you need to know. Now download the certificate that was issued and save it in the same directory where the other generated files are.

6. Convert to a PEM

You now need to convert it to a PEM file which you can do with:
openssl x509 -in ios_development.cer -inform DER -out ios_development.pem -outform PEM
Where ios_development.cer is the name of the development certificate created on the Apple Provisioning Portal and ios_development.pem is the PEM file that we want to generate. PEM is the standard format for OpenSSL and many other SSL tools. This format is designed to be safe for inclusion in ascii or even rich-text documents, such as emails. This means that you can simple copy and paste the content of a .pem file to another document and back.

7. Generate a P12 file

The penultimate file to generate is the P12 file, which uses both our private key (ios.key) and the iOS development certificate (ios_development.pem):
openssl pkcs12 -export -inkey ios.key -in ios_development.pem -out ios_development.p12
You will be asked to enter the passphrase for the ios.key file (which you noted from earlier) and you will need to generate an export password for the P12 file and verify it. The ios_development.p12 file will then be automatically generated for you.

8. Generate the provisioning profile

The last file you need to generate is the provisioning profile, which requires you to return to the Apple Provisioning Portal. There are plenty of documentation sources online on how to do this. These certificates need to be tied to your iOS testing devices via their UDID. Again, there are many documentation sources online on how to do this. Once the provisioning profile is generated, download it (e.g. iOS_Development.mobileprovision) and save it in the same place as the other files. The provisioning file will need to be used in conjunction with the P12 file when building and signing your IOS code.

Conclusion

You now have everything that you need to generate an iOS signing key for hybrid build tools such as PhoneGap Build or Cocoon:
  • P12 certificate file.
  • provisioning profile.
  • certificate password.
These steps can also be used to generate a distribution key for the iTunes Store.