什么是代码签名身份? [英] What are code signing identities?

问题描述

什么是 XCode 中的代码签名身份"?

What are "code signing identities" in XCode?

它们是证书吗?

它们是私钥吗?

它们是应用 ID 吗?

Are they the app ids?

它们是配置文件吗?

如果我转到目标构建设置，它会要求提供代码签名身份，因此我需要弄清楚这一点.

If I go to the target build settings, it asks for the code signing identity, so I need to figure this out.

我以为我们使用我们的私钥签署了代码.然而，我的私钥名称都没有出现.它显示了证书列表(我认为，尽管我什至不确定.)

I thought we signed code using our private key. None of my private key names show up, however. It shows a list of certificates (I think, though I am not even sure.)

推荐答案

您肯定遇到了一个非常快速深入的主题，并且在尝试制作 iOS 应用程序的设备构建时，这是一个常见的令人头疼的问题.首先，让我围绕代码签名流程中涉及的每个术语(对您和以后遇到此问题的任何人)进行一些结构化，然后我们可以转向您的主要问题:

You've definitely hit on a topic that gets very deep very quickly and is a common source of headaches when trying to make device builds of iOS applications. First, let me put a little structure around each of the terms involved in the Code Sign process (both for you and anyone stumbling across this question later) and then we can turn to your main question:

CodeSign 术语

iOS 设备构建的代码签名阶段是我们对应用程序中的特定数据排列进行加密签名和保护的过程，包括应用程序可执行二进制文件本身、任何嵌入的媒体资产(如按钮纹理、自定义图稿、字体等)，以及一组关于我们应用程序的元数据，代表我们应用程序数据的唯一指纹".Apple 和 iOS 使用此指纹来帮助确保我们的应用程序在交付给用户的设备或在用户的 iOS 设备上运行时不会被篡改.为了使这成为可能，开发人员需要向 Apple 注册、设置应用程序标识符、请求开发和分发证书、注册一组测试设备，最后为他们的开发工作请求配置文件.每个元素的作用如下:

The Code Sign phase of an iOS Device build is the process by which we cryptographically sign and secure a specific arrangement of data in an application including the application executable binary itself, any embedded media assets (like button textures, custom artwork, fonts, etc.), and a set of metadata about our application and represents a unique 'thumbprint' of our application's data. This thumbprint is what is used by Apple and iOS to help ensure that our applications are not tampered with when being delivered to user's devices or when being run on user's iOS devices. To make this possible Developers are required to register with Apple, setup an App Identifier, request Development and Distribution Certificates, Register a set of Test Devices, and finally request a Provisioning Profile for their development efforts. The role each of these elements is as follows:

• 应用标识符(或 AppID) - 一种反向 DNS 样式的字符串，用于唯一标识 AppStore 上的一个 iOS 应用.
• 开发和分发证书 - 这些是由 Apple 加密签名的数字文件，用于证明文件颁发给的个人的身份.对于熟悉公钥基础设施的人来说，证书本身包含一个公钥，可用于在流程后期验证签名的完整性.
• 测试设备 - 唯一获得批准的 iOS 软件标准分发渠道是通过 AppStore.通过注册测试设备，开发者可以绕过AppStore，直接将软件安装到设备上进行开发和测试.给定会员年允许的测试设备总数为 100 台测试设备.
• 配置文件 - 包含三个主要组件的文档:1) 正好一个 App ID，2) 一个或多个 iOS 开发人员证书，以及 3) 零个或多个注册测试设备，其中指定的 iOS应用程序可以直接安装.本文档的内容由 Apple 进行加密签名，以确保其内容不会被篡改.

• App Identifier (or AppID) - A reverse DNS-style string that uniquely identifies exactly one iOS application on the AppStore.
• Development and Distribution Certificates - These are digital documents cryptographically signed by Apple certifying the identity of the individual to which the documents were issued. For those familiar with Public Key Infrastructure, the Certificate itself contains a public key that can be used to verify the integrity of signatures later in the process.
• Test Devices - The only approved standard distribution channels for iOS software is via the AppStore. By registering a test device, developers may circumvent the AppStore and install software directly to devices for development and testing purposes. The total number of test devices allowed in a given membership year is 100 test devices.
• Provisioning Profile - A document containing three main components: 1) Exactly one App ID, 2) One or more iOS Developer Certificates, and 3) Zero or more registered test devices on which the named iOS app may be directly installed. The contents of this document are cryptographically signed by Apple to ensure its contents can not be tampered with.

正是此文件和指纹检查确定是否可以将开发人员生成的应用程序安装到设备，因为它包含谁"(证书)、内容"(应用程序 ID)和哪里"(哪些设备).

It is the presence of this file and the thumbprint checks that determines if a developer-generated app can be installed to device as it contains the notion of the 'Who' (Certificates), the 'What' (AppID), and the 'Where' (which devices).

太好了，我明白了......现在这个代码符号身份怎么样?

在单个构建目标的构建设置的上下文中，术语代码签名标识是指安装在开发人员机器钥匙串中的那些证书的通用名称.在 Xcode 构建设置中，它显示为一个选项列表，开发人员必须从中选择用于 CodeSign 的身份——此菜单的每个部分都编码了很多信息:

In the context of an individual build target's build settings, the term Code Sign Identity refers to the Common Name of those certificates that are installed in the Keychain of the Developer's machine. In the Xcode build setting it appears as a list of options from which developers must select an Identity to use for CodeSign -- there's a lot of information encoded in each section of this menu:

首先查看黑色文本 - 来自上图iPhone 开发人员:Bryan Musial (XXXXXXXXXX)" - 这实际上是 Xcode 用来查找用于代码签名的公钥和私钥的主要项目.选择此项时，您是在指示 Xcode 进入您的钥匙串并尝试查找其通用名称"字段与该字符串匹配的证书，然后获取该证书(其中包含公钥)和关联的私钥以用于代码签名操作.

Looking first at the black text - From the image above 'iPhone Developer: Bryan Musial (XXXXXXXXXX)' - This is really the primary item Xcode uses to find the public and private keys used to Code Sign. When selecting this item, you are instructing Xcode to reach into your Keychain and try to find a certificate whose 'Common Name' field matches that string and then grab that certificate (which contains the public key) and the associated private key for use in the Code Sign operation.

如果您打开 Keychain Access 并双击任何iPhone 开发:..."或iPhone 分发:..."证书显示编码到 Apple 向其颁发的证书中的所有信息开发商.如果我要选择第一张图片中的条目，Xcode 将进入我的钥匙串并拉回此证书(注意:唯一标识详细信息已被 X'd 或更改):

Just to be thorough if you open up Keychain Access and double click any of the 'iPhone Development: ...' or 'iPhone Distribution: ...' certificates shows all of the information encoded into the certificates Apple issues to its developers. If I were to select the entry in the first image, Xcode would reach into my Keychain and pull back this certificate (NOTE: Unique identifying details have been X'd or changed):

如您所见，Xcode 选择中的黑色文本与我的证书中的 Common Name 字段完全匹配，因此 Xcode 会撤回此证书及其链接的私钥，以用于对我的应用进行代码签名.

As you can see, the black text from the Xcode selection exactly matches the Common Name field in my certificate, so Xcode would pull back this certificate and its linked private key for use in Codes Signing my app.

再次回顾 Xcode 设置，我们还注意到该菜单选项中还有更多文本——浅灰色文本标识将内置到应用程序中的 Provisioning Profile.在我的示例设置中，Xcode 将获取 Provisioning ProfileMyiOSApp Testing".它的 AppID 设置为com.myiosapp.*".Xcode 非常喜欢隐藏 Provisioning Profiles，幸运的是，Organizer 为您提供了一个查看已安装的 Provisioning Profiles 并了解它们包含的基本数据的好地方.对于第一张图片中的 Xcode 代码签名标识，我的管理器中的相关配置文件将如下所示:

Looking back at the Xcode setting again, we also notice that there is more text in that menu selection as well -- the lighter gray text identifies the Provisioning Profile that will be built into the application. In the case of my example setting, Xcode will go and get the Provisioning Profile "MyiOSApp Testing" which has its AppID set to 'com.myiosapp.*'. Xcode is very greedy with stashing Provisioning Profiles, and fortunately Organizer gives you a great place to look over the Provisioning Profiles that are installed and get a sense about the basic data they contain. Again for the Xcode Code Sign Identity in the first image, the related Provisioning Profile in my Organizer would look like this:

名称"列和应用标识符"列的尾端与我的 Xcode 设置中的浅灰色文本相匹配，因此这是在代码签名期间将被选中使用的配置文件.注意行尾的状态"列也很重要.在这种情况下，它是绿色的并指示有效配置文件".这意味着我的钥匙串至少具有该供应配置文件中编码的证书之一的公钥和私钥.如果此状态不是绿色，则说明您当前设置的公钥/私钥和/或配置文件存在问题——除非您尝试使用的配置文件将其状态设置为绿色，否则代码签名无法工作.其他可能的状态选项包括:

The 'Name' column and the tail end of the App Identifier column match the light gray text from my Xcode setting so this is the Provisioning Profile that would get selected for use during Code Sign. It is also important to note the 'Status' column at the end of the row. In this case, it is green and indicates 'Valid Profile'. This means that my Keychain has both the Public and Private keys for at least one of the certificates encoded in that Provisioning Profile. If this status is anything other than green then there is a problem with your current setup of Public/Private Keys and/or the Provisioning Profile -- Code Signing can not work unless the Provisioning Profile you are trying to use has its status set to Green. Other possible status options include:

• 未找到有效的签名身份:您没有此配置文件中编码的至少一个证书的公钥和私钥.从 Organizer 中删除配置文件，然后返回到 Certificates, Identifiers &developer.apple.com/ios 上的配置文件工具，并确保您的开发证书包含在配置文件中.验证您在 Keychain Access 中的证书没有过期或被撤销，并且有一个链接到公钥证书的私钥.
• 配置文件已过期:配置文件的过期日期已过.从 Organizer 中删除此配置文件，然后重新访问证书、标识符和developer.apple.com/ios 上的 Profiles 工具并重新发布此 Provisioning Profile(如果确实仍然需要)

• Valid signing identity not found: You do not have both the Public and Private key for at least one of the Certificates encoded in this Provisioning Profile. Delete the profile from Organizer, then return to the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and ensure you have your Development Certificate included in the Provisioning profile. Verify your certificate in Keychain Access is not expired or revoked and has a private key linked to the public key certificate.
• Profile has expired: The expiry date for the provisioning profile has lapsed. Delete this Provisioning Profile from Organizer, then revisit the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and reissue this Provisioning Profile (if it is actually still needed)

其他可能绊倒您的物品

除了确保您安装了公钥和私钥以及配置文件设置得恰到好处的所有细微差别之外，还有一些其他事情可能会让开发人员感到困惑.首先，Xcode 收集 Provisioning Profiles 并保留它们，直到您告诉它删除它们.从理论上讲，这不是什么大问题，除非您更改配置文件、下载并安装更新版本的情况.很多时候 Xcode 会获取正确的配置文件，但有时它不会正确获取，您将花费数小时查看证书、标识符和其他信息.配置文件工具以及您的钥匙串，以尝试了解正在发生的事情.

In addition to all of the nuances about making sure you have both Public and Private keys installed, and that the Provisioning Profiles are set just right, there are a few other things that can trip developers up. First, Xcode collects Provisioning Profiles and hangs on to them until you tell it to delete them. In theory, this isn't a super huge deal except in scenarios where you make changes to a Provisioning Profile, download and install a newer version. Many times Xcode will grab the right profile, but sometimes it doesn't get it right and you'll spend hours looking over the Certificates, Identifiers & Profiles tool as well as your keychain to try and get an idea about what is going on.

建议 1:在安装较新版本的配置文件时，删除旧版本，以免 Xcode 处于可能需要做出决定的位置.

Suggestion 1: When installing a newer version of a Provisioning Profile, delete older ones so that Xcode isn't put in a position where it may have to make a decision.

如果您重新颁发开发或分发证书，可能会发生类似的情况——大多数情况下，Xcode 会在构建期间触发关于不明确证书的警告.

A similar thing can happen if you reissue a Development or Distribution Certificate -- Most times Xcode will trigger a warning during the build about an ambiguous certificate.

建议 2: 注意构建期间的歧义警告.这意味着您有一个符合构建标准的旧证书，并且可能会被无意中使用，从而可能导致构建问题.

Suggestion 2: Pay attention to ambiguity warnings during the build. It implies that you have an old certificate floating around that meets the build criteria and could be inadvertently used potentially causing a build problem.

建议 3:无论何时您在钥匙串中处理您的证书，请查找带有红色X"的iPhone 开发人员:..."或iPhone 分发:..."证书在他们.这是证书已过期或已被吊销的指示符.无论哪种方式，此公钥(以及可能链接的私钥)都不再用于构建目的，可以删除.

Suggestion 3: Anytime you are in Keychain dealing with your certificates, look for 'iPhone Developer: ...' or 'iPhone Distribution: ...' certificates that have a red 'X' on them. This is an indicator that the certificate has expired or has been revoked. Either way, this Public Key (and potentially linked Private key) is of no further use to you for build purposes and can be deleted.

最后，代码签名标识设置还有一个列为自动配置文件选择器"的选项.在许多情况下，您会希望使用此选项，因为它会尽力从构建目标的设置中自动查找您的 AppID，查找与该 AppId 匹配的配置文件并包含您拥有公钥和私钥的证书.在某些自定义构建情况下，可能无法使用此选项，您必须使用固定的特定选项之一，例如我在第一张图像中的演示设置.如果您使用固定选项，请注意 - 每次更新配置文件时，您还需要更新代码签名身份构建设置以匹配较新版本.

Finally, the Code Sign Identity setting also has an option that lists as 'Automatic Profile Selector'. In many cases you will want to use this option as it will do its best to automatically look up your AppID from your build target's settings, look for a Provisioning Profile that matches that AppId and contains certificates that you have both a public and private key for. In some custom build circumstances it may not be possible to use this option and you'll have to use one of the fixed, specific options, like my demonstration setting in the first image. Be advised if you go with a fixed option -- any time you update the Provisioning Profile, you will need to also update the Code Signing Identity build setting to match the newer version.

关键要点

• 确保您的 Keychain 和 Xcode Provisioning Profile 列表保持干净且已删除重复数据.
• 安装证书和配置文件后，确保组织者将该配置文件的状态报告为绿色(有效配置文件").任何其他状态都表明您的钥匙串和配置文件之间存在问题，您甚至需要在考虑运行构建之前解决该问题.
• 尝试使用自动配置文件选择器".如果您的团队成员和任何自动化构建系统也不必考虑 Code Sign Identity 设置，他们会对您更满意.
• 如果您无法使用自动配置文件选择器，请确保在进行配置配置文件的更新迭代时始终保持该设置最新.

祝您构建配置好运，如果您有任何其他后续问题，请告诉我！

Good luck with your build configuration, and please let me know if you have any other follow up questions!

这篇关于什么是代码签名身份?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！