iOS/Mac 设备(系统)使用 App Provisioning Profile(Code Signing Identity)中的开发证书来判断App的合法性:
- 若用证书公钥能成功解密出 App(executable bundle)的内容摘要(_CodeSignature),证明此 App 确乃认证开发者发布,即来源可信;
- 再对 App(executable bundle)本身使用哈希算法计算摘要,若与上一步得到的摘要一致,则证明此 App 未被篡改过,即内容完整。
CSR: Certificate Signing Request
Only Certificates: .p7b or .cer or .pem file
If Keychain Access shows a certificate in your personal keychain, but it doesn’t show it in the “My Certificates” list, it means you imported just a certificate but not the private key that goes with it, so OS X can’t tell that it’s truly “yours”.
Certificate is the proof that the public key belongs to the Owner in the certificate or not.
prove that a certificate is yours, you must have the private key that forms a matched set with the public key contained in the certificate.
https://superuser.com/questions/936840/add-to-my-certificates-in-keychain-access-mac-os-10-10
cn ver reference1
cn ver reference2
iOS Provisioning Profile and Code Signing
1.App ID(bundle identifier)
App ID is Product ID
App ID应该和bundle identifier一致(Explicit)或者匹配(Wildcard)
reverse-domian-name, Company ID as Prefix(com.apple.garageband)
Explicit App ID: com.apple.garageband
Wildcard App ID: com.apple.*
2.Device
UDIDiTunes->Summary or Xcode->WIndow->Devices
- Apps signed by you or your team run only on designated development devices.
- Apps run only on the test devices you specify.
3.Certificate
iOS certificate
- Development: identifies you, as a team member, in a development provisioning profile that allows apps signed by you to launch on devices.
- Production(Distribution): identifies
your team or organization in a distribution provisioning profile and allows you to submit your app to the store. Only a team agent or an admin can create a distribution certificate.
Individual Account:iOS Development/Production 2 Max for each.Root Certificate
Apple Certification Authority(Apple Root CA)
-> Apple Worldwide Developer Relations Cerification Authority(Subordinate CA)-> AppleWWDRCA.cer(Intermediate Certificates) ->Certificate for Development4.CSR: Cerificate Signing Request
5.Provisioning Profiles
App ID, Devices, Development Certificates
如果要打包或者在真机上运行一个APP,一般要经历以下三步:
- 首先,需要证书对应的私钥来进行签名,用于标识这个APP是合法、安全、完整的
- 其次,需要指明它的App ID,并且验证Bundle ID是否与其一致;
- 然后,如果是真机调试,需要确认这台设备是否授权运行该APP。
Provisioning Profile把这些信息全部打包在一起,方便我们在调试和发布程序打包时使用。这样,只要在不同的情况下选择不同的Provisioning Profile文件就可以了。
Provisioning Profile也分为Development和Distribution两类,有效期同Certificate一样。Distribution版本的ProvisioningProfile主要用于提交App Store审核,其中不指定开发测试的Devices(0,unlimited)。App ID为Wildcard App ID。App Store审核通过上架后,允许所有iOS设备(Deployment Target)上安装运行该App。
6.Team Provisioning Profile
7.Cetificate & Signature
7.share development account amoung multi machines
- Xcode export development account(.developmentprofile) or PKCS12 File(.p12)
- Keychain Access export PKCS12File(*.p12)
Short version:
You can’t use it as your certificate unless you have the private key that forms a matched set with the public key that’s in the certificate. Go find where you left your private key and import that into the keychain, and Keychain Access will automatically see that it matches with the public key in that certificate and start showing that certificate in the “My Certificates” list.
Long version:
Certificates are public documents that you can freely distribute. They are just a way to securely link your identity (i.e. identifying information like your full name, username, email address, etc.) to your public key.
Since certificates are publicly distributable, simply having a copy of a certificate is not proof you are the person named in the certificate, or that the public key in the certificate is truly your public key.
To be able to prove that a certificate is yours, you must have the private key that forms a matched set with the public key contained in the certificate.
If you just have a .p7b or .cer or .pem file, it most likely just contains a certificate, but not the private key that goes with it.
Private keys must be kept completely secure and private and never given to anyone else. When stored on disk, they should be stored in an encrypted file that you need a passphrase to decrypt. The typical way to securely store a certificate along with the matching private key in an encrypted, password-protected file, is a .p12 (PKCS#12) file. See if you already have a .p12 file somewhere.
If Keychain Access shows a certificate in your personal keychain, but it doesn’t show it in the “My Certificates” list, it means you imported just a certificate but not the private key that goes with it, so OS X can’t tell that it’s truly “yours”.
You need to go find where your private key was stored when you first generated your public/private key pair. Generating a key pair is the first step toward getting a certificate. First a key pair is generated, then the public key, along with your identity information, is put into a Certificate Signing Request (a.k.a. CSR, req), and sent off to a Certificate Authority (CA) to be signed. The CA is supposed to verify your identity information and your public key, and then if it all checks out, they sign the CSR, creating a certificate. The signed certificate is sent back to you, and you have to match it back up with the private key you’d generated in the first step, in order to truly use it.
Note that the role of CA is nothing terribly special. It doesn’t have to be some corporation like Verisign. Every personal computer OS contains all the software necessary to act as a CA. Keychain Access’s Certificate Assistant feature will even walk you through setting up your CA setup for your own private use.
If you don’t remember generating a key pair, you were probably using some software that did it automatically for you. For example, there’s a special HTML tag that CA websites can use on their CSR web forms that tells your web browser to automatically generate a key pair and submit just the public key along with the web form. When you use Safari on such a form, the private key is stored in the user keychain for the OS X user account you’re logged into. When you use IE in Windows on such a form, the private key is stored in the Windows equivalent of that (Microsoft calls this the user’s “Certificate Store”; “store” as in “storage container” not “retail shop” :-).
I can’t tell you where your private key is because I don’t know what software you used to create it, and even if I knew that, I wouldn’t know for sure where you told that software to save your private key. You’ll probably have to sleuth that out yourself.
If you can’t find your private key, you may need to consider it compromised and revoke your certificate (you may need to contact your CA to do that) and start over by generating a new key pair, creating a new CSR, having a CA sign it and issue a certificate, match it up with the new private key, etc. This is kind of like realizing that you’re missing a copy of your house key, and choosing to have a locksmith rekey all your door locks just to be safe.
tl;dr: Go find your private key and import it into the keychain.