Validate certificate and provisioning profile


Problem description

On our iOS projects, we commit to the version control repository both the signing certificate and the provisioning profiles used to generate AdHoc and AppStore builds. This way, whenever a new developer downloads a new fresh copy of the app, he has everything he needs to create an AdHoc build for testers.

We are using Jenkins for Continuous Integration, and I would like to have a script that does some sanity checks on the committed files. In particular, I'd like to check that the committed provisioning profiles were indeed generated with the signing certificate committed in the repository.

Does anyone know how to do this from the command line? I can't figure out the .mobileprovision file format, although it seems to be a signed binary plist file.

Recommended answer

Answering my own question, I hope this helps someone else.

Turns out, the mobileprovision file is a PKCS7 digitally signed message. It is not signed with the developer's certificate, but with Apple's one.

However, the data that's signed is an XML plist that contains the public key of the certificate you use to sign your binaries.

So basically, the steps are as follows:


  1. Extract the data from the PKCS7 file.

  2. Extract the public key from the p12 file.

  3. Compare both, and check if they are the same.

I managed to do this easily with Ruby, since it provides nice wrappers to OpenSSL. I left a script in Github, if anyone wants to use.

The relevant part of the code is as follows:

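require 'openssl'
require 'rexml/document'

profile = File.read(@profile_file)
certificate = File.read(@certificate_file)

# The .mobileprovision is a PKCS7 signed message; the .p12 holds the signing identity
p7 = OpenSSL::PKCS7.new(profile)
cert = OpenSSL::PKCS12.new(certificate, @certificate_password)

# p7.data is only populated once verify has been called
store = OpenSSL::X509::Store.new
p7.verify([], store)

# The signed payload is an XML plist
plist = REXML::Document.new(p7.data)

plist.elements.each('/plist/dict/key') do |ele|
  if ele.text == "DeveloperCertificates"
    keys = ele.next_element
    # First <data> entry: the base64-encoded developer certificate
    key = keys.get_elements('//array/data')[0].text

    # Wrap the base64 body in PEM armor so OpenSSL can parse it
    profile_cert = "-----BEGIN CERTIFICATE-----" + key.gsub(/\t/, "") + "-----END CERTIFICATE-----\n"

    @provisioning_cert = OpenSSL::X509::Certificate.new(profile_cert)
  end
end

# Compare @provisioning_cert.to_s and cert.certificate.to_s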
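
Added example (not part of the original answer or the author's GitHub script): the three steps as a reusable check that accepts any entry in DeveloperCertificates and compares SHA-256 fingerprints of the DER certificates instead of PEM strings. The helpers `make_identity`, `make_profile` and `demo`, the names and the throwaway keys are constructed for the demo; with `NOVERIFY` the profile signer's chain to Apple is not validated.

```ruby
require 'openssl'
require 'rexml/document'

# Certificates listed under DeveloperCertificates in a .mobileprovision blob.
def profile_certificates(profile_der)
  p7 = OpenSSL::PKCS7.new(profile_der)
  # NOVERIFY skips chain validation of the signer; the signature over the
  # payload is still checked, and p7.data is only populated by verify.
  ok = p7.verify([], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY)
  raise ArgumentError, 'PKCS7 signature check failed' unless ok
  doc = REXML::Document.new(p7.data)
  key = doc.get_elements('/plist/dict/key').find { |k| k.text == 'DeveloperCertificates' }
  return [] unless key
  key.next_element.get_elements('data').map { |d| OpenSSL::X509::Certificate.new(d.text.unpack1('m')) }
end

# True when the identity in the .p12 is one of the profile's DeveloperCertificates.
def profile_matches_p12?(profile_der, p12_der, password)
  identity = OpenSSL::PKCS12.new(p12_der, password).certificate
  want = OpenSSL::Digest::SHA256.hexdigest(identity.to_der)
  profile_certificates(profile_der).any? { |c| OpenSSL::Digest::SHA256.hexdigest(c.to_der) == want }
end

# --- Constructed fixtures: throwaway self-signed identities, not Apple material ---
def make_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert, OpenSSL::PKCS12.create('pw', cn, key, cert).to_der]
end

def make_profile(dev_certs, signer_key, signer_cert)
  data = dev_certs.map { |c| "<data>\n\t#{[c.to_der].pack('m')}\t</data>" }.join
  plist = "<plist version=\"1.0\"><dict><key>DeveloperCertificates</key><array>#{data}</array></dict></plist>"
  OpenSSL::PKCS7.sign(signer_cert, signer_key, plist, [], OpenSSL::PKCS7::BINARY).to_der
end

# A profile generated for Dev A, checked against Dev A's and Dev B's .p12.
def demo
  signer_key, signer_cert = make_identity('Constructed Signer')
  _, dev_cert, dev_p12 = make_identity('Constructed Dev A')
  _, _, other_p12 = make_identity('Constructed Dev B')
  profile = make_profile([dev_cert], signer_key, signer_cert)
  [profile_matches_p12?(profile, dev_p12, 'pw'), profile_matches_p12?(profile, other_p12, 'pw')]
end
```

In a CI job, a `false` result from `profile_matches_p12?` for any committed profile is the condition to fail the build on.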
