About iOS Signature Verification

![figure](https://static001.geekbang.org/infoq/50/50755ca798cda4ccc422aa14f80833e0.webp)

**Introduction:** The iOS signature verification mechanism is the foundation of security in Apple's ecosystem. In day-to-day work, whether during development or testing, we often run into problems that have to be solved through the signing mechanism, and understanding how iOS signing works helps us solve those problems at lower cost and with greater efficiency. This article first explains the principles of digital signatures and certificates, then walks through how an Apple developer certificate is generated and installed, and finally describes the flow Apple uses to verify signatures and the key pieces of information involved in that flow. We hope it is helpful.

*Full text 9,494 characters; estimated reading time 24 minutes.*

**Background**

After the `iOS15 beta` was released, the `QA` team needed to test the stability of new features on `iOS 15`, but the enterprise build produced by the company's pipeline could not be installed on devices running iOS 15. The exact error is shown below:

![figure](https://static001.geekbang.org/infoq/f7/f703c5d1632e223d2c0299468f8b4d38.webp)

Looking at the detailed error in the console during installation, we found that the `IPA` package's signature is no longer supported on iOS 15: The code signature version is no longer supported. The detailed console error is shown below:

![figure](https://static001.geekbang.org/infoq/85/8514f9cfb9c2daa75169239811dea3b6.webp)

So the installation failure was related to the code signature version of the `IPA`. We therefore used the `codesign` command to inspect the signature of the `IPA` produced by the pipeline. The details are shown below; the `CodeDirectory` version is v=20400:

![figure](https://static001.geekbang.org/infoq/a2/a264a0e81d763f0f6accacf1d877e840.webp)

CodeDirectory literally means "code directory". It records the hash of each page of the Mach-O file after the file is split into pages, and it also contains digests of the resource files, entitlement information and so on, all combined in a fixed format. Different signature versions correspond to different kinds of information, different layouts or different hash algorithms. Starting with iOS 14 beta 2 last year, Apple adopted a more secure signature format; when an app signed with the old format runs on such a system, a warning dialog is shown. Apple's official note says: In a future release, the new format will become mandatory, and the system won't launch apps with the old signature format. We therefore suspected that iOS 15 now enforces the signature format, which caused the installation failure:

![figure](https://static001.geekbang.org/infoq/2c/2c22f73d1c85b57e1a206ef9333dcbdb.webp)

The official documentation says: If you signed your app on a Mac running macOS 10.14 or later, the app already has the new signature format. In other words, the macOS version affects the signature format; "For any value of v less than 20400, you'll need to re-sign your app."

When the CodeDirectory version is less than 20400, the invalid signature can be fixed by re-signing. But an app with CodeDirectory v=20400 can be installed on iOS 14 and still cannot be installed on iOS 15. To solve this we followed the same re-signing approach: after re-signing the pipeline IPA on macOS 11.5.2 and on macOS 12.0 Beta, the package installed normally on iOS 15 in both cases.

The above is one manifestation of the iOS signature verification mechanism. In daily development and testing there are many more things related to it, for example changing the system time so that an enterprise certificate expires, which then makes the app crash on launch. Here we would like to share some information about iOS certificates and signature verification.

**First, a few questions:**

- **What is a signature verification mechanism?**

Digitally signing an executable or script is a measure to guarantee that the software has not been damaged or modified since it was signed.

- **Why does Apple use a signature verification mechanism?**

Signing your app allows iOS to identify who signed your app and to verify that your app hasn't been modified since you signed it.

That is, it establishes where an app came from and prevents external attacks, giving Apple control over its ecosystem.

- **How does Apple implement signature verification?**

![figure](https://static001.geekbang.org/infoq/40/40ea367265feffb790843b80a240feaa.webp)

This is a diagram of the iOS signature verification flow. While studying it, I found that a clear understanding of asymmetric encryption, digital signatures and digital certificates is essential to understanding the whole signing mechanism, so the article begins by explaining encryption and decryption, digital signatures and digital certificates. It then uses those principles to explain how Apple creates developer certificates and how the iOS signature verification flow works, including the key information involved:

1. The roles of encryption/decryption, digital signatures and certificates in communication
2. How an Apple developer certificate is generated and installed
3. Apple's signature verification flow and its key information

# 1. The roles of encryption/decryption, digital signatures and certificates in communication

Whether an app is downloaded from the App Store and installed on a phone, or installed on a test device through Xcode for on-device debugging in the Debug phase, each case is a communication in which the app package is sent into the phone's sandbox. How do we make such a communication safe and effective? Put differently, what security problems can a communication face?

![figure](https://static001.geekbang.org/infoq/90/9056cb5eafce8c709a0e92a3ba911704.webp)

> A sends plaintext to B, and an intermediate router can read it directly, so the secret leaks --- **eavesdropping**
> Troublemaker C modifies the content of A's request to B, so that A ends up making a wrong request --- **tampering**
> Troublemaker C intercepts the request and impersonates A towards B, so B believes it came from A --- **spoofing**
> A sent a request to B, but A refuses to admit having sent it --- **repudiation**

## 1.1 Preventing eavesdropping - encryption and decryption

Interception by a third party is hard to avoid during communication, but we can make sure that even if the data is intercepted, the eavesdropper cannot recover any useful information. This is achieved through encryption.

**There are two main families of encryption algorithms today, symmetric and asymmetric:**

Symmetric encryption uses the same key for encryption and decryption; its advantage is speed. Common algorithms are DES, 3DES and AES.

Asymmetric encryption splits the key into a public key and a private key. Its most important property is that data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. The most common algorithm is RSA.

However, symmetric keys are cumbersome to manage and transmitting them carries some security risk, while asymmetric algorithms are comparatively slow, which becomes especially noticeable when the data to encrypt is large. In practice, the most common approach is therefore hybrid encryption:

**Sender:** 1. encrypt the message (plaintext) with a DES key; 2. encrypt that DES key with RSA; then combine the outputs of steps 1 and 2 and send them.

![figure](https://static001.geekbang.org/infoq/47/475daaff4508137da5332919cf17abff.webp)

**Receiver:** after receiving the data: 1. decrypt the DES key with RSA; 2. use the key recovered by the RSA decryption to decrypt the ciphertext; the result is the message (plaintext) we wanted.

![figure](https://static001.geekbang.org/infoq/2b/2b7ae3de928b098bf5425df7787f5312.webp)

## 1.2 Preventing repudiation - digital signatures

Because the public key is public, A can encrypt a message digest with it and so can B; anyone who holds the public key could be the sender, which means A can deny having sent a message. We mentioned the property of asymmetric encryption above: data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. The public key is public, but the private key exists only in the hands of whoever generated the key pair. So if **the sender encrypts the message with its own private key and the receiver decrypts it with the sender's public key**, the receiver can pin down exactly who sent the message, which solves the problem of the sender repudiating it. **Encrypting the digest with the sender's private key produces the signature, that is, the digital signature.**

Let's look at how a digital signature works:

![figure](https://static001.geekbang.org/infoq/db/dbb1e340c3708a96b456694f6bec0912.webp)

To summarise, a digital signature does three things: 1. it confirms the integrity of the message; 2. it detects whether the message was tampered with; 3. it prevents the sender from repudiating the message.

But one point must not be overlooked: **a digital signature is only effective if the public key used for encryption really belongs to the intended receiver and the public key used for decryption really belongs to the actual sender.** If the public key is forged, or a troublemaker impersonates the sender, the digital signature alone cannot help. Let's see what happens when the public key is forged:

![figure](https://static001.geekbang.org/infoq/e4/e4f4d120945529094a454e8fc588ada5.webp)

As the figure shows, if the public key is forged in transit, all subsequent communication is built on a forged key pair, and the channel is no longer secure. So before verifying a signature, we first have to verify that the public key is legitimate.

**But how do we guarantee the legitimacy of a public key?**

From the discussion above, the best way to protect the public key against tampering and spoofing would be to digitally sign the public key itself. But then the same problem arises: how do we guarantee the legitimacy of the public key used in that signature verification? Sign it again? That is a chicken-and-egg loop. To break it, people created **certificate authorities and digital certificates**.

## 1.3 Guaranteeing the legitimacy of public keys - digital certificates

The reason signing would recurse forever is that a public key can be forged. So certain trusted organisations or government bodies act as certificate authorities, and the authority signs public keys with its own private key. Informally, **a certificate authority, or CA, is an authoritative person or organisation that can attest that "this public key really belongs to this person" and can produce a digital signature saying so.** And **a certificate is what results when the CA applies its digital signature to a public key and its accompanying information.**

Let's look at how a digital certificate works:

![figure](https://static001.geekbang.org/infoq/0f/0f15e71a29f4aa3fcfe5f5ea47454594.webp)

The receiver first generates a key pair and registers public key B, along with its e-mail address and other information, with the certificate authority CA; the CA signs public key B with its own private key CA and produces a certificate. The sender A requests the certificate from the CA and verifies its signature with the CA's public key CA, thereby verifying that public key B is legitimate.

With that, we have a rough refresher on public keys, private keys, digital signatures and digital certificates and what each does. Next, let's look at how an iOS developer certificate is generated and installed, from the perspective of how digital signatures and certificates are produced.

# 2. Generating and installing an Apple developer certificate

- 1. Generate a certificate request: Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority. (This can be understood as the Mac creating an asymmetric key pair, public key M and private key M, and using private key M to sign a CSR file. The CSR contains the developer's information and public key M; private key M stays on the Mac.)

![figure](https://static001.geekbang.org/infoq/9e/9ec90623d2004b860488a01a209c8f14.webp)

- 2. Log in to the developer portal and upload the CertificateSigningRequest.certSigningRequest generated in step 1 to Developer to create the certificate. (CertificateSigningRequest.certSigningRequest can be understood as the public key generated by the Mac; uploading it to the developer portal registers public key M with the certificate authority CA, and the Mac's public key is signed with the Apple Developer Center's public key A to produce the developer certificate.)

![figure](https://static001.geekbang.org/infoq/89/89cdd5a4c94dfbb59eed622fa0b3cfdd.webp)

- 3. Download the certificate to the Mac and double-click it to install. (During installation, Keychain associates private key M from step 1 with the Cer certificate from step 2:)

![figure](https://static001.geekbang.org/infoq/00/0076ebc2ee78ceab13f1acac954da76b.webp)

# 3. Apple's signature verification flow and its key information

The purpose of Apple's signature verification mechanism is to guarantee that every app installed on an iOS device has been authorised by Apple. To achieve this, Apple uses double signing; the rough flow is shown below:

![figure](https://static001.geekbang.org/infoq/f7/f7108e75eadf1b6d816d6b27ebceb967.webp)

> 1. First, a key pair is generated on the Mac (public key M and private key M). Apple also generates a key pair (public key A and private key A); public key A is preinstalled on iOS devices and private key A is kept on Apple's servers.
> 2. The developer uploads public key M to Apple's server through the developer portal. Apple's server signs public key M with private key A to produce a certificate; the developer downloads the certificate and installs it on the Mac. During installation the certificate is associated with private key M.
> 3. During development, the app is signed with private key M, and the certificate is packaged into the app.
> 4. During installation, iOS first verifies the certificate with the preinstalled public key A and obtains public key M (if this succeeds, the certificate was signed with Apple's private key, which, as explained earlier, means it is Apple-certified). It then verifies the signature with public key M, and only if that succeeds can the app be installed on the device.

So does holding an Apple-certified developer certificate let you install any app on any test device? Obviously Apple's ecosystem does not allow that. How does Apple enforce device restrictions? Also, in team development not everyone generates a developer certificate, so how is team authorisation handled? And what roles do the Bundle ID, Capabilities, Devices and other settings configured in the Apple Developer Center play in the signing mechanism?

## 3.1 About P12 - team development

In the signing process above, the developer uses two pieces of information when signing the app: private key M and the certificate. So only these two need to be given to the other team members. As we saw when installing the certificate, Keychain associates the certificate with the private key M generated on the Mac and stores the pair as one keychain item; Keychain can export that item as a p12 file, which we then hand to team members to install.

![figure](https://static001.geekbang.org/infoq/07/07b65627008823df5394e7cc7aa9ad01.webp)

## 3.2 About Entitlements - permission control

When Xcode compiles and packages, it automatically runs the /usr/bin/codesign command to sign the code. The details of the signing command are shown below:

![figure](https://static001.geekbang.org/infoq/76/76c15a78f6da2eb958c71ab916e34fe1.webp)

The --sign option specifies the certificate; what does --entitlements configure?

Entitlements link:

(https://developer.apple.com/library/archive/technotes/tn2415/_index.html)

An Entitlement can be thought of as the string written into an app's signature that allows a specific capability or opts the app into a specific service. The operating system (OS) checks these strings before allowing an app access to certain features. For example, an app must have the iCloud entitlement before it is allowed to access iCloud APIs at runtime.

Simply put, entitlements are the configuration file of the iOS sandbox environment: Apple uses the entitlements file to control which services and permissions an app may use. The Sandbox is a very important part of iOS security; it not only isolates apps from one another but also controls what each app may do, for example which sensitive system capabilities it may use (Push, Sign in with Apple and so on). By default Xcode generates an entitlements declaration containing the Team ID and App ID. If you enable capabilities in Xcode's Signing & Capabilities tab, it explicitly generates a configuration file with the .entitlements suffix describing those capabilities. The file passed after the --entitlements option is that .entitlements file with the default configuration added. When Xcode signs, it embeds this entitlements file into the binary as part of the signed content, so the code signature guarantees it cannot be tampered with.

You can run security cms -D -i /path/to/iOSTest.mobileprovision to check whether a local Provisioning Profile contains the required entitlements.

## 3.3 About the Provisioning profile

Provisioning profile act as a link between the device and the developer account. During development, you choose which devices can run your app and which app services your app can access. A provisioning profile is downloaded from your developer account and embedded in the app bundle, and the entire bundle is code-signed.

A Provisioning Profile is a plist file cryptographically signed by Apple's certificate center. It contains the bound App ID, the list of device UUIDs, the expiry date, the Team ID, the entitlements and so on, plus the certificate used to sign the app. It is Apple's solution for authorising devices and controlling an app's sensitive permissions. Its configuration page in the certificate center looks like this:

![figure](https://static001.geekbang.org/infoq/e3/e3392582c66a3cb323f9e52233a49fab.webp)

After the App ID, Unique Device Identifiers, capabilities and other information have been configured in the certificate center, Apple's certificate center signs this information together with the certificate using Apple's private key, and then combines the signature with the configuration, the certificate and the signature into a Provisioning Profile file. The developer downloads and installs it; by default Xcode manages it automatically. Below is the Provisioning Profile information installed in Xcode:

![figure](https://static001.geekbang.org/infoq/4a/4a37804a2b09d9f6239aa21ec3c3e21a.webp)

After the Mac compiles an app, the Provisioning Profile is also packaged into the app, under the name embedded.mobileprovision. When the app is installed on an iOS device, the device uses its preinstalled public key to verify the signature on embedded.mobileprovision, and then verifies that the signature in the certificate is correct.

Once it is established that the data in embedded.mobileprovision was authorised by Apple, its contents can be used to check the legitimacy of this installation: verifying the Mach-O signature with public key A, verifying the certificate's signature and validity period, checking that the device ID is in the device list, checking that the App ID in the Provisioning Profile matches the Bundle ID, and so on.

One thing worth noting: the device list only takes effect for Development certificates, because Enterprise and Distribution certificates are meant to be installable anywhere and are not restricted by a device list. The expiry date only applies to Development and Enterprise certificates, not to Distribution certificates. This is why an app can no longer be installed or launched once a Development or Enterprise certificate expires, while apps downloaded from the App Store have no time limit.

Of course, the Provisioning Profile can be modified in the developer center at any time; the update does not affect Provisioning Profiles that already exist.

## 3.4 About signing the executable and resources

When compiling the app, Xcode uses Keychain to find the private key M paired with the configured certificate, signs the binary with it, and embeds the signature into the executable so that at install time it can be confirmed whether the Mach-O file was modified. This can be checked with MachOView:

![figure](https://static001.geekbang.org/infoq/35/356986ca09c26931d75205bc3d6248b4.webp)

But an app contains more than a binary: it also contains bundled resources such as images and audio/video files, so signing the binary alone is not enough to guarantee the integrity and validity of the whole app. On iOS, an application stores its required resources and data in a directory laid out as a shallow application bundle, roughly:

TestProject.app | the application visible to the user

```text
Info.plist | file containing information about the bundle

TestProject | the executable binary

Assets.car | icons shown for the user-visible application

Framework | frameworks or dynamic libraries used by any executable

AFNetworking.framework | an example of a framework commonly found in iOS software
```

Below is the structure of a very simple IPA package:

![figure](https://static001.geekbang.org/infoq/a1/a1cd57d41eb51a1c5431478f8222128b.webp)

As you can see, to guarantee that the executable and the data and resources it depends on at runtime are not tampered with, the generated app package contains a new _CodeSignature directory with a file named CodeResources. It is a plist file holding information about every file in the app other than the executable; the key is usually the file name and the value its digest. It contains two entries, files and files2: files stores each file's SHA-1, and files2 stores both SHA-1 and SHA-256, mainly because SHA-1 is insecure. The main purpose of _CodeSignature/CodeResources is to record the hash of every file at signing time, so that at install time it can be confirmed that the corresponding files have not been tampered with.

## 3.5 Signing and verification flow

![figure](https://static001.geekbang.org/infoq/40/40ea367265feffb790843b80a240feaa.webp)

> 1. First, a key pair is generated on the Mac (public key M and private key M). Apple's own system also generates a key pair (public key A and private key A); public key A is preinstalled on iOS devices and private key A is kept on Apple's servers.
> 2. The developer embeds public key M in a csr file and uploads it to Apple's server through the developer portal. Apple's server signs public key M with private key A to produce the certificate, and at the same time uses private key A to encrypt the certificate, App ID, entitlements, device UDIDs and other information into a Provisioning Profile file. The developer downloads the certificate and the Provisioning Profile and installs them on the Mac. During installation the certificate is associated with private key M, and Xcode manages the Provisioning Profile by default.
> 3. During development, the app is signed with private key M, and the Provisioning Profile is packaged into the app as the embedded.mobileprovision file.
> 4. When the iOS device is connected to Xcode and authenticated, Xcode transfers the app data to the device. The device does not create the real sandbox to run the app at this point; it stores the incoming data in a temporary sandbox. Once everything has been received, iOS first verifies the signature on embedded.mobileprovision with the preinstalled public key A to confirm that the app's source is legitimate. After the source check passes, public key M can be used to verify the signature of the certificate inside it, to check that the device ID is in the corresponding UUID list, and to check that the capability switches in the app agree with the entitlements configured in embedded.mobileprovision; at the same time the information in _CodeSignature/CodeResources is read to verify the resource files. Only after everything has been verified will the system, for the App
創建真正的沙盒環境進行安裝。在啓動APP時,系統也會執行相應的啓動校驗,以防止安裝後進行的修改。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"參考文獻:","attrs":{}}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1.https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2.https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3.https://pewpewthespells.com/blog/migrating_code_signing.html","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"4.http://blog.cnbang.net/tech/3386/","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"5.https://developer.apple.com/library/archive/recipes/ProvisioningPortal_Recipes/DownloadingaProvisioningProfile/DownloadingaProvisioningProfile.html","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"6.https://developer.apple.com/library/archive/technotes/tn2415/_index.html","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"7.https://developer.apple.com/library/archive/qa/qa1814/_index.html#//apple_ref/doc/uid/DTS40014030","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"8
.https://getupdraft.com/blog/ios-code-signing-development-and-distribution-prov","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"9.https://abhimuralidharan.medium.com/what-is-a-provisioning-profile-in-ios-77987a7c54c2","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"推薦閱讀:","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=Mzg5MjU0NTI5OQ==&mid=2247498745&idx=1&sn=88ab93caf2e8a3662b307206954bbcdb&chksm=c03ecb85f749429346766d992c69ffbe58037d33ae55642693efe497a5da722b5ae484b38d11&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"|","attrs":{}}]},{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=Mzg5MjU0NTI5OQ==&mid=2247502740&idx=1&sn=499a704b05ff86891250ac96a538cc7d&chksm=c03efbe8f74972fef5f901768fca78430b65bf0aee686b479b7cf1d0ede31b89077015e60726&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"信息流推薦系統智能交付解決方案探索","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=Mzg5MjU0NTI5OQ==&mid=2247502056&idx=1&sn=d198187b97dd01246256214c548ad953&chksm=c03ef894f7497182b8a7bd24e8ece6d44596b873805e3bb34857ca04d3d5305c9ae0d4e2d943&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"|","attrs":{}}]},{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=Mzg5MjU0NTI5OQ==&mid=2247502687&idx=1&sn=8953092fe93d4f3299982bc48cf6211e&chksm=c03efb23f74972353d8f71802a256f0f79905552ffdad3fe694eb4914142c1fb8070e1f4586c&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"圖譜相關技術在風控反作弊中的應用和探索","att
rs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=Mzg5MjU0NTI5OQ==&mid=2247502056&idx=1&sn=d198187b97dd01246256214c548ad953&chksm=c03ef894f7497182b8a7bd24e8ece6d44596b873805e3bb34857ca04d3d5305c9ae0d4e2d943&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"|好看視頻Android重構——圍繞於播放器的重構實踐","attrs":{}}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"​","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"---------- END ----------","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"百度 Geek 說","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"百度官方技術公衆號上線啦!","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"技術乾貨 · 行業資訊 · 線上沙龍 · 行業大會","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"招聘信息 · 內推信息 · 技術書籍 · 百度周邊","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"歡迎各位同學關注","attrs":{}}]}]}
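The install-time checks the article lists for embedded.mobileprovision (section 3.3 and step 4 of 3.5), as an added Python example that is not code from the original article or from Apple. It works on the decoded plist inside a profile (on a Mac, `security cms -D -i embedded.mobileprovision` prints that plist); the CMS signature check with public key A that precedes these checks is out of scope here. The profile, UDIDs, Team ID and bundle id below are constructed; the key names (ExpirationDate, ProvisionedDevices, ProvisionsAllDevices, Entitlements, application-identifier, get-task-allow) are the real ones, while the rule that classifies a profile as development, enterprise or distribution from those fields is an assumption of this example.

```python
"""Policy checks over a decoded Provisioning Profile (added example).

Rules follow the article: the device list binds only Development profiles,
expiry binds Development and Enterprise but not Distribution, the App ID must
match the Bundle ID, and the App's entitlements must agree with the profile.
"""
from datetime import datetime
import plistlib

# Constructed profile with the real key names, shaped like the plist that
# `security cms -D` extracts from a .mobileprovision (values are made up).
DEMO_PROFILE = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Demo Development</string>
  <key>TeamIdentifier</key><array><string>TEAMID0000</string></array>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>ProvisionedDevices</key><array>
    <string>00008030-000000000000402E</string>
  </array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.*</string>
    <key>get-task-allow</key><true/>
    <key>keychain-access-groups</key><array><string>TEAMID0000.*</string></array>
  </dict>
</dict></plist>""")


def classify(profile: dict) -> str:
    """Heuristic (assumption): enterprise if it provisions all devices,
    development if debugging is allowed, otherwise distribution."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("Entitlements", {}).get("get-task-allow"):
        return "development"
    return "distribution"


def app_id_matches(application_identifier: str, bundle_id: str) -> bool:
    """application-identifier is TEAMID.<bundle id | prefix.* | *>; match bundle_id."""
    team, _, pattern = application_identifier.partition(".")
    if not team or not pattern:
        return False
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])  # keep the trailing dot
    return bundle_id == pattern


def check_install(profile: dict, bundle_id: str, device_udid: str,
                  app_entitlements: dict, now: datetime) -> list:
    """Return the reasons the install should be refused (empty list = allowed)."""
    kind = classify(profile)
    ents = profile.get("Entitlements", {})
    problems = []
    if kind in ("development", "enterprise") and now >= profile["ExpirationDate"]:
        problems.append(f"profile expired on {profile['ExpirationDate']:%Y-%m-%d}")
    if kind == "development" and device_udid not in profile.get("ProvisionedDevices", []):
        problems.append(f"device {device_udid} is not in ProvisionedDevices")
    if not app_id_matches(ents.get("application-identifier", ""), bundle_id):
        problems.append(f"bundle id {bundle_id} does not match {ents.get('application-identifier')}")
    # Every entitlement the App asks for must be granted, with the same value,
    # by the profile (exact comparison; the real check also resolves wildcards).
    for key, value in app_entitlements.items():
        if key == "application-identifier":
            continue  # handled above with wildcard semantics
        if key not in ents:
            problems.append(f"entitlement {key} not granted by profile")
        elif ents[key] != value:
            problems.append(f"entitlement {key} value differs from profile")
    return problems


def demo() -> dict:
    """Run the checks over constructed inputs: one clean install, several refusals."""
    now = datetime(2025, 6, 1)
    udid = "00008030-000000000000402E"
    ents = {"get-task-allow": True, "keychain-access-groups": ["TEAMID0000.*"]}
    enterprise = dict(DEMO_PROFILE, ProvisionsAllDevices=True)  # same profile, enterprise kind
    return {
        "ok": check_install(DEMO_PROFILE, "com.example.demo", udid, ents, now),
        "wrong_device": check_install(DEMO_PROFILE, "com.example.demo", "00008030-FFFFFFFFFFFFFFFF", ents, now),
        "wrong_bundle": check_install(DEMO_PROFILE, "com.other.demo", udid, ents, now),
        "expired": check_install(DEMO_PROFILE, "com.example.demo", udid, ents, datetime(2031, 1, 1)),
        "extra_entitlement": check_install(DEMO_PROFILE, "com.example.demo", udid,
                                           {**ents, "aps-environment": "development"}, now),
        "enterprise_any_device": check_install(enterprise, "com.example.demo", "00008030-FFFFFFFFFFFFFFFF", ents, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'allowed'}")
```

The enterprise case shows the article's point about device lists: the same profile flagged as enterprise accepts a UDID that the development profile refuses, while the expiry check still applies to both.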
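The _CodeSignature/CodeResources seal from section 3.4, modelled as an added Python example (not code from the original article or from Apple's codesign). It builds a plist with a files map of SHA-1 digests and a files2 map of SHA-1 plus SHA-256 per file, skipping the executable and the seal directory, then checks a bundle against that seal and reports edited, missing and added files. The real format also carries rules/rules2 and optional resources, which are left out here; the bundle, its file names and contents are constructed in a temporary directory.

```python
"""Toy CodeResources seal: build it, then detect post-signing changes (added example)."""
import hashlib
import plistlib
import tempfile
from pathlib import Path

SIGNATURE_DIR = "_CodeSignature"  # the seal lives here and is never sealed itself


def _digests(path: Path) -> tuple:
    """Return (sha1, sha256) of a file, streamed in 64 KiB chunks."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.digest(), h256.digest()


def _sealed_paths(bundle: Path, executable: str) -> list:
    """Every regular file in the bundle except the Mach-O and the seal directory."""
    out = []
    for p in sorted(bundle.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(bundle).as_posix()
        if rel == executable or rel.startswith(SIGNATURE_DIR + "/"):
            continue
        out.append(rel)
    return out


def build_code_resources(bundle: Path, executable: str) -> bytes:
    """Produce a CodeResources-style plist: files = sha1 only, files2 = sha1 + sha256."""
    files, files2 = {}, {}
    for rel in _sealed_paths(bundle, executable):
        sha1, sha256 = _digests(bundle / rel)
        files[rel] = sha1
        files2[rel] = {"hash": sha1, "hash2": sha256}
    return plistlib.dumps({"files": files, "files2": files2}, fmt=plistlib.FMT_XML)


def verify_code_resources(bundle: Path, executable: str, seal: bytes) -> dict:
    """Compare the bundle on disk against the seal using the sha256 in files2.

    Returns {"modified": [...], "missing": [...], "added": [...]}; all three
    empty means the resources are exactly what was sealed at signing time.
    """
    expected = plistlib.loads(seal)["files2"]
    present = set(_sealed_paths(bundle, executable))
    modified, missing = [], []
    for rel, entry in expected.items():
        if rel not in present:
            missing.append(rel)
            continue
        _, sha256 = _digests(bundle / rel)
        if sha256 != entry["hash2"]:
            modified.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "added": sorted(present - set(expected))}


def demo() -> dict:
    """Constructed bundle (not a real app): seal it, then change it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "TestProject.app"
        (app / "Frameworks").mkdir(parents=True)
        (app / "TestProject").write_bytes(b"\xcf\xfa\xed\xfe constructed Mach-O")
        (app / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": "com.example.demo"}))
        (app / "Assets.car").write_bytes(b"constructed asset archive")
        (app / "Frameworks" / "Demo.dylib").write_bytes(b"constructed dylib")

        seal = build_code_resources(app, executable="TestProject")
        (app / SIGNATURE_DIR).mkdir()
        (app / SIGNATURE_DIR / "CodeResources").write_bytes(seal)
        clean = verify_code_resources(app, "TestProject", seal)

        # Changes after signing: one resource edited, one removed, one new file dropped in.
        (app / "Assets.car").write_bytes(b"replaced asset archive")
        (app / "Frameworks" / "Demo.dylib").unlink()
        (app / "Extra.dat").write_bytes(b"not covered by the seal")
        tampered = verify_code_resources(app, "TestProject", seal)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Verification uses the sha256 from files2 rather than the sha1 in files, for the reason the article gives; the real seal is additionally covered by the code signature on the Mach-O, so swapping CodeResources itself is caught at the signature step rather than here.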