Selfsigned certificate and provisioning profile for Xcode iOS building

Doesn’t work in Xcode 10

Xcode now allows anyone with an Apple ID to build and run app, from anywhere. But, what if, I’m jailbroken and not satisfied with 7-days expiration? Or I’m trying to build an open-source app, but can’t build because the bundle id is already taken and submitted to iTunes?

Since we are jailbroken, everything should just work if we use selfsigned certificate. But somehow, Xcode just keeps asking for a “provisioning profile”, and which is kind of messy to play around. But finally I got it working.

Provisioning profile, is a Cryptographic Message Syntax (CMS) signed property list (plist), which includes team, app, and permission info.

For those who don’t want to bother with cert generating and plist signing, you can just take CodeSigning.zip, import the p12 into keychain, open provisioning profile in Xcode, and skip to the last step, and you are all set.

If you’d like to create the cert from scratch, here’s the detailed steps.

Create selfsigned certificate for code signing

Things is different here because we are going to sign the plist, so for key usage you need not only “Code Signing”, but also “Any” and “Email Protection”, everything else should be famillar if you tried to create a code signing cert in the past. Note that you need to fill in “Organizational Unit”, and this will be your team id, so don’t leave white space in here.

Choose Code Signing type and don’t forget to check the “Let me override defaults”
Fill in the Organizational Unit, everything else can leave blanked
Any and Email Protection must be included or you can’t sign the profile later

Create provision plist

Now you have a working certficate, it’s time to create the provision plist. Here is the template plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>selfsigned: any app</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>SELFSIGNED</string>
	</array>
	<key>CreationDate</key>
	<date>2018-08-27T16:55:24Z</date>
	<key>Platform</key>
	<array>
		<string>iOS</string>
	</array>
    <key>IsXcodeManaged</key>
	<true/>
	<key>DeveloperCertificates</key>
	<array>
		<data>MIIDSTCCAjGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBKMSYwJAYDVQQDDB1pUGhv
bmUgRGV2ZWxvcGVyOiBTZWxmIFNpZ25lcjETMBEGA1UECwwKU0VMRlNJR05FRDEL
MAkGA1UEBhMCQ04wHhcNMTgwODI3MTU1NTI0WhcNMjgwODI2MTU1NTI0WjBKMSYw
JAYDVQQDDB1pUGhvbmUgRGV2ZWxvcGVyOiBTZWxmIFNpZ25lcjETMBEGA1UECwwK
U0VMRlNJR05FRDELMAkGA1UEBhMCQ04wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCx2pbOzmLI1ACKEHuUCPqz7VnM3txiHCmGLzLCAnTY7X8HyeHqFJ0S
JhG1CcYkdeQAGYQyUkC9mTvqU2QzUlvILTwREAg9lJG3jHLQlG45uF+AJD3dh7IO
x0wDSwZZXldmaR58Z/TUdq/z0lC5LCIAi2QHaSjWOtZWwmwEl5vQkUFLmgKqhaGx
znfWRjnYHx4jQ9w6LCi+hkyuyxjEsu5ZfoFLjEDNDF1NStgo7GW6G7X+20kWZ7++
JjeUaf9a56jMfSDe/Qs7UWe91UttHzn+WWgqV4ePCIXE2VVNjKAn/ZY5uQJtgWaa
i3cmQS7FNEaNRghwVuH7FPrBTIm5kb7HAgMBAAGjOjA4MA4GA1UdDwEB/wQEAwIH
gDAmBgNVHSUBAf8EHDAaBggrBgEFBQcDBAYIKwYBBQUHAwMGBFUdJQAwDQYJKoZI
hvcNAQELBQADggEBAD4DFoFp2ihSzVeYmimfA8R2pDWsHBNa3VfDefWo6Q5ITu4X
EPxMaiL7K0/nWPCkGUnIbGPraRVfXSSEQIHuq7azSj/PUWnya32YdXrb+See287d
KyKuX/7d2r+JbMAkPwMu1DECNsZxlzQQsd7eYclkrvtZdsPxYAFXzHn4nTV321QO
iOpXpzgOIaOnWn9+Oh1QI9z34GWBe0/69eXf2nFvSNHmXjsJdiOjMZc82//CZQXy
HLq0n2aVOJVlfx26PasYAreDudYgk3kBQSVfTkf5FRMEhNINqg604DE5aj48IKGl
RfM2IR//Ds0qkcpGIxcl+wS3o9SQLn7jyYdzP/o=</data>
	</array>
	<key>Entitlements</key>
	<dict>
		<key>keychain-access-groups</key>
		<array>
			<string>SELFSIGNED.*</string>		
		</array>
		<key>get-task-allow</key>
		<true/>
		<key>application-identifier</key>
		<string>SELFSIGNED.*</string>
		<key>com.apple.developer.team-identifier</key>
		<string>SELFSIGNED</string>
	</dict>
	<key>ExpirationDate</key>
	<date>2028-08-26T16:55:24Z</date>
	<key>Name</key>
	<string>Self Signed Provisioning Profile</string>
	<key>ProvisionedDevices</key>
	<array>
	</array>
	<key>LocalProvision</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>SELFSIGNED</string>
	</array>
	<key>TeamName</key>
	<string>SELFSIGNED</string>
	<key>TimeToLive</key>
	<integer>3652</integer>
	<key>UUID</key>
	<string>05F16888-117A-4640-A26B-6548942C2E1A</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>

Here’s a few thing you need to change in this plist.

  • Paste your certificate content after DeveloperCertificates entry. Open Terminal.app and run “security find-certificate -c “iPhone Developer” -p” and copy things between the dashes.
  • Change all the team identifier SELFSIGNED if you chose your own “Organizational Unit” name when creating cert.
  • Change the CreationDate, ExpirationDate, and TimeToLive to match your cert’s validation info.
  • (Optional) Run “uuidgen” in Terminal and change the UUID entry.

Signing the provision profile

After you modified the plist, the easiest way should be running

security cms -S -N "iPhone Developer" -i provision.plist -o provision.mobileprovision

Though, for some reason, my machine keep running into error. If you have the same problem, export the cert and private key from keychain and sign it with openssl. (Note that the openssl cli utility comes with mac does not have cms function, you might need to compile one yourself or find another platform)

openssl cms -sign -nodetach -in provision.plist -out provision.mobileprovision -inkey CodeSigning.key -signer CodeSigning.crt -outform DER

 

Configure Xcode to use the certificate and provisioning profile

So we finally got everything set up, but wait! There’s the last step.

First open the .mobileprovision file in Xcode, it will not react or pop anything, but you can check “~/Library/MobileDevice/Provisioning Profiles” directory if your generated uuid is there.

Then go to project’s “Build Setting” – Signing, select your certificate in “Code Signing Identity”, change “Code Signing Style” to “Manual”, leave “Development Team” empty, and select your provisioning profile in both “Provisioning Profile” and “Provisioning Profile (Deprecated)”

 

Now check the Gerenal tab, and it should not complaint about signing anymore.

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax