为什么我无法将 APNs Development iOS 类型证书添加到配置文件 [英] Why I can't add APNs Development iOS typed certificate to provisioning profile

问题描述

我正在尝试为我的应用实施 APNS.我创建了 APP id 并且能够为我的应用生成 SSL 证书(类型显示为 APNs 开发 IOS).但是，当我尝试生成配置文件时，在我选择应用程序的 AppID 的屏幕之后，我没有看到为此应用程序生成的 SSL 证书.在证书列表中，我只看到之前创建的IOS 开发"类型的证书.

I am trying to implement APNS for my App. I created APP id and was able to generate an SSL certificate for my App (the type is shown to be APNs development IOS). However, when I try to generate a provisioning profile, following the screen where I choose the AppID of my app, I do not see the SSL certificate I generate for this app. In the certificates list, I only see certificates of type 'IOS development' that were created previously.

推荐答案

您创建的 APNs 证书被文档中称为APNs Provider"的人使用——在最简单的情况下，这是您自己的服务器负责跟踪 APNs 设备令牌并生成 APNs 推送有效负载，指示 APNs 向特定设备令牌传递什么消息、声音或徽章.正如您的应用程序中可执行代码和其他资产的安排通过加密签名(通过您的 iPhone 开发或 iPhone 分发证书和相关的配置文件)进行保护一样，您的服务器和 Apple APNs 网关之间的通信也必须受到保护，以防止流氓 3rd 方伪装成您的服务器并向您的用户发送垃圾邮件推送消息.此 APNs SSL 证书用于保护和验证您的服务器与 APNs 的连接，授权它向用户设备上的应用程序提供推送负载——确保这些证书的安全！如果有人获得了 SSL 证书私钥的访问权限，那么他们可能会向您的应用发送垃圾邮件！

The APNs certificate that you created is used by what the documentation refers to as the "APNs Provider" -- In the simplest case, this is your own server that is responsible for keeping track of APNs device tokens and generating APNs Push Payloads that instruct the APNs what message, sound, or badge to deliver to a specific device token. Just as the arrangement of executable code and other assets in your app is secured by a cryptographic signature (via your iPhone Development or iPhone Distribution certificate and associated provisioning profile), communications between your server and the Apple APNs gateway must also be secured to prevent a rogue 3rd party from masquerading as your server and sending spammy push messages to your users. This APNs SSL certificate is used to secure and authenticate your server's connection to the APNs, authorizing it to deliver push payloads to your app on user's devices -- Keep those certificates secure! If anyone gains access to the private key of the SSL certificate then they could send spammy pushes to your app!

您的 APNs 提供商将需要访问此 SSL 证书的私钥.没有它，Apple 的 APNs 网关将拒绝任何和所有连接尝试.你的提供者不需要你的配置文件——这个 APNs 证书与用于对 iOS 应用程序进行代码签名的机制完全分开，也就是说，服务器只需要服务器证书，而应用程序需要代码签名证书 +配置文件.这两项不相交，也不互相交换数据.

Your APNs Provider will need access to the private key for this SSL certificate. Without it, Apple's APNs gateways will reject any and all attempts to connect. Your provider, does not need to have your provisioning profiles -- this APNs certificate is entirely separate than the mechanisms used to code sign an iOS app, that is, the server only needs the server certificate, while the app needs the code signing certificate + provisioning profile. These two items do not intersect and do not exchange data with each other.

确实需要重新发布您的配置文件(开发、Ad-Hoc 分发和 App Store 分发)，但这是专门将 aps-environment 权利添加到每个这些配置文件允许使用这些配置文件签名的应用程序连接到 APNs 环境.绝对清楚，重新发布这些配置文件不会也不应该在配置文件中的任何位置添加您的 APNs SSL 证书......您的应用程序代码不需要以任何方式利用此证书，并且会导致您的应用程序大小略有增加.

It is true that your provisioning profiles (Development, Ad-Hoc Distribution, and App Store Distribution) will need to be reissued, but that is specifically to add the aps-environment entitlement to each of these profiles allowing apps signed with these profiles to connect with the APNs environments. To be absolutely clear, reissuing these profiles does not and should not add your APNs SSL certificate anywhere in the profile...your application code doesn't need to leverage this certificate in any way and would lead to a slight increase in your application's size.

您可以通过打开终端、复制并粘贴以下内容来检查您当前的配置文件是否包含 aps-environment 授权，注意更新特定 .mobileprovision:

You can check if your current provisioning profiles include the aps-environment entitlement by opening Terminal, copy and pasting the following, taking care to update the path to your specific .mobileprovision:

/usr/libexec/PlistBuddy -c 'Print :Entitlements'/dev/stdin <<<$(security cms -D -i/path/to/your/application.mobileprovision)

这个命令做了两件事:

1. 使用 OS X 中的 security 工具从 -i 参数后标识的 .mobileprovision 文件中提取 plist 内容并通过所有将此内容转化为...
2. PlistBuddy 将 Entitlements 键的全部内容打印到屏幕上.

1. Uses the security tool in OS X to extract the plist content from the .mobileprovision file identified after the -i argument and passes all of this content into...
2. PlistBuddy printing the entire contents of the Entitlements key to screen.

尚未启用推送通知的基本开发配置文件的输出将类似于以下内容:

The output for a basic Development profile that has not been enabled for Push Notifications will resemble the following:

Dict {
  get-task-allow = true
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

虽然尚未启用推送通知的基本 Ad-Hoc 或 App Store 分发的输出将类似于:

While the output for a basic Ad-Hoc or App Store Distribution that has not been enabled for Push Notifications will resemble:

Dict {
  get-task-allow = false
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

既然您已经为应用的 AppId 颁发了 APNs 证书，您确实需要逐步完成并重新颁发您的开发、临时和分发配置文件，以将 aps-environment 权利添加到您的每个个人资料.

Now that you have the APNs certificates issued for your app's AppId, you do need to step through and reissue your Development, Ad-Hoc, and Distribution provisioning profiles to add the aps-environment entitlement to each of your profiles.

1. 导航到证书、标识符和配置文件工具并找到与此应用程序关联的配置文件之一.
2. 单击编辑"按钮并完成向导的每一步——您无需对之前定义的设置进行任何更改，只需重新发布当前配置文件即可！
3. 点击向导末尾的下载"按钮.
4. 将更新的配置文件拖放到 Dock 上的 Xcode 图标上进行安装.

1. Navigate to Certificates, Identifiers, and Profiles tool and find one of the profiles associated with this application.
2. Click the Edit button and walk through each step of the wizard -- you don't have to make any changes to the previously defined settings, you simply need the current profile reissued!
3. Click the Download button at the end of the wizard.
4. Drag and drop the updated profile on the Xcode icon on your Dock to install.

如果您在这些新文件上再次运行同一组终端命令(请记住，如有必要，请更新新 .mobileprovision 的路径！)您现在将看到 aps-environment 键出现在您的应用程序的权利中:

If you run that same set of Terminal commands again on these new files (remember to update the path to the new .mobileprovision if necessary!) you'll now see that aps-environment key appear in your App's entitlements:

Dict {
  get-task-allow = true
  aps-environment = development
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

这个新键有两个值:

• aps-environment = development -- 这只会出现在 Development Provisioning Profiles 上，并允许使用 iPhone Developer 证书签名的应用程序，并且只能与 Sandbox APNs Environment 连接
• aps-environment = production -- 这只会出现在分发配置文件(Ad-Hoc 或 App Store)上，允许使用 iPhone Distribution 证书签名的应用程序连接使用生产 APNs 环境

• aps-environment = development -- This will appear only on Development Provisioning Profiles and allows apps signed using iPhone Developer certificates and may only connect with the Sandbox APNs Environment
• aps-environment = production -- This will appear only on Distribution Provisioning Profiles (Ad-Hoc or App Store), allowing apps signed using iPhone Distribution certificates to connect with the Production APNs Environment

根据您用于签署构建的证书决定了您的应用程序将连接到哪个 APNs 网关并获取推送令牌，以及您的应用程序将从哪个网关接收推送消息.开发人员在推送通知方面最常见的错误之一是应用的签名方式与其服务器连接到 Apple 的 APNs 网关的方式不匹配:

Depending on which certificate you use to sign a build determines which APNs gateway your app will connect to and fetch a Push token as well as which gateway your app will receive push messages from. One of the most common errors developers make with respect to push notifications is mismatching how the app is signed with how their server is connecting to Apple's APNs gateways:

• 只有当提供商还使用开发 APNs SSL 证书连接到沙箱 APNs 网关并在其生成的有效负载中使用沙箱设备令牌时，使用开发证书签名的应用才能成功协商 APN 并接收推送消息.
• 只有当提供商还使用生产 APNs SSL 证书连接到生产 APNs 网关并在其生成的有效负载中使用生产设备令牌时，使用分发证书签名的应用才能成功协商 APN 并接收推送消息.

试一试，让我们知道进展如何！

Give it a shot and let us know how things go!

这篇关于为什么我无法将 APNs Development iOS 类型证书添加到配置文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！