Introduction
Security should be at the forefront of your mind at all times when developing any form of software. In the mobile app world, one of the security requirements is code signing. Code signing is used to certify that an app was created by you. Once an app is signed, any change to the app, whether introduced accidentally or by malicious code, can be detected. Code signing does not guarantee that a piece of code is free of security vulnerabilities, or that the app will not load unsafe code at runtime.
Our friends at pixelprivacy.com have written a great article titled “What Is Encryption And How Does It Work?”, which I would recommend you take a look at.
If you’re developing a hybrid mobile app on a Windows machine which you want to distribute via the Apple App Store, one of the issues is how to generate an iOS signing key that is required by build tools such as Adobe PhoneGap Build or Cocoon.
It’s actually pretty straightforward…
1. Create an Apple Developer Account
The one thing that you must have is an Apple Developer account; there is no way around this. It costs $99 a year, but if you need to build and distribute an app for iOS, then you simply must have an account.
2. Install OpenSSL
You need to download and install OpenSSL for Windows on your machine. Make a note of where you install it, as it is worth adding the bin directory to your Path environment variable, which the steps below will assume you have done.
3. Generate a private key
The first thing you need to do is generate a private key. Go to the command line and navigate to whatever directory you want to store the generated files in. Then type in the following to generate the key:
openssl genrsa -des3 -out ios.key 2048
This will generate a 2048-bit RSA key, encrypt it using the triple DES encryption algorithm, and store it in the file ios.key. You will be prompted to set a password for this key (once to create and once to verify), which you should take note of as you will require it later. Triple DES (3DES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher which applies the DES cipher algorithm three times to each data block.
4. Generate a Certificate Signing Request
Once you’ve got your private key, you’ll need to generate a Certificate Signing Request or CSR file. To do that, run the following command, which uses the ios.key file generated earlier:
openssl req -new -subj "/emailAddress=EMAIL-ADDRESS/CN=COMPANY-NAME/C=COUNTRY-CODE" -key ios.key -out ios.csr
Don’t forget to change the email address, company name and country code details to your specific requirements, e.g. -subj "/emailAddress=firstname.lastname@example.org/CN=HoboDigital/C=GB". This will generate the required certificate signing request and store it in the file ios.csr.
5. Generate an iOS Certificate
Now you need to go to the Apple Developer iOS Provisioning Portal in order to generate an iOS Development Certificate, using the ios.csr file you’ve just generated. Click on “Certificates” in the left-hand panel, and then “Request”. You will be prompted to upload a .csr file, and then wait for the certificate to be issued. Certificate issuance is quite quick; refresh the browser if you need to. If you need any help with the portal, the website provides you with all you need to know. Now download the certificate that was issued and save it in the same directory where the other generated files are.
6. Convert to a PEM
You now need to convert it to a PEM file, which you can do with:
openssl x509 -in ios_development.cer -inform DER -out ios_development.pem -outform PEM
Here, ios_development.cer is the name of the development certificate created on the Apple Provisioning Portal and ios_development.pem is the PEM file that we want to generate. PEM is the standard format for OpenSSL and many other SSL tools. This format is designed to be safe for inclusion in ASCII or even rich-text documents, such as emails. This means that you can simply copy and paste the content of a .pem file to another document and back.
7. Generate a P12 file
The penultimate file to generate is the P12 file, which uses both our private key (ios.key) and the iOS development certificate (ios_development.pem):
openssl pkcs12 -export -inkey ios.key -in ios_development.pem -out ios_development.p12
You will be asked to enter the passphrase for the ios.key file (which you noted earlier), and you will need to set an export password for the P12 file and verify it. The ios_development.p12 file will then be generated for you.
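A check worth running before the P12 is built: confirm that ios.key, ios.csr and ios_development.pem all carry the same public key. This is an added example, not part of the original article; the function names, the IOS_KEY_PASS environment variable and the self-signed certificate that stands in for the one Apple issues are assumptions.

```shell
#!/bin/sh
# Added example: verify that key, CSR and certificate belong together.
# The key passphrase is read from the IOS_KEY_PASS environment variable
# (an assumed name) so that it never appears on the command line.

# Exit status: 0 = same public key in all three files,
#              1 = at least one file belongs to a different key,
#              2 = a file could not be read or the passphrase was wrong.
artifacts_match() {  # $1 = private key, $2 = CSR, $3 = certificate (all PEM)
  k=$(openssl pkey -in "$1" -passin env:IOS_KEY_PASS -pubout 2>/dev/null) || return 2
  r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
  c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample data: a throwaway key and CSR made with the article's
# commands, plus a self-signed certificate standing in for Apple's .cer file.
make_sample() {  # $1 = existing empty directory to fill
  ( cd "$1" &&
    openssl genrsa -des3 -passout env:IOS_KEY_PASS -out ios.key 2048 &&
    openssl req -new -subj "/emailAddress=dev@example.org/CN=Example Co/C=GB" \
      -key ios.key -passin env:IOS_KEY_PASS -out ios.csr &&
    openssl x509 -req -in ios.csr -signkey ios.key -passin env:IOS_KEY_PASS \
      -days 1 -outform DER -out ios_development.cer &&
    openssl x509 -in ios_development.cer -inform DER \
      -out ios_development.pem -outform PEM
  ) >/dev/null 2>&1
}

# When called with three file names, check them and exit with the result.
if [ $# -eq 3 ]; then
  artifacts_match "$1" "$2" "$3"
fi
```

Set IOS_KEY_PASS in the environment, then pass the three file names to the script; it prints nothing and reports the result through its exit status.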
8. Generate the provisioning profile
The last file you need to generate is the provisioning profile, which requires you to return to the Apple Provisioning Portal. There are plenty of documentation sources online on how to do this. These certificates need to be tied to your iOS testing devices via their UDID. Again, there are many documentation sources online on how to do this. Once the provisioning profile is generated, download it (e.g. iOS_Development.mobileprovision) and save it in the same place as the other files. The provisioning file will need to be used in conjunction with the P12 file when building and signing your iOS code.
Conclusion
You now have everything that you need to generate an iOS signing key for hybrid build tools such as PhoneGap Build or Cocoon:
- P12 certificate file.
- provisioning profile.
- certificate password.