Sign results in the validation of your software by a source trusted by Apple. To do this you need to be a member of the Apple Developer Program. Then you can request a signing certificate and you can install and run your apps on iOS devices.
Get your Certificate
In order to get a certificate you have many options.
The easiest way is using Xcode. You should connect your device and run your application. You must be signed in Xcode with your Apple ID. In the Signing tab your status will show an error. Click in Register Device and Xcode will automatically generate your certificates.
Apple Developer Website
You can also generate it using Apple Developer portal.
and click in the “plus” button.
Here you can select what type of certificate you need. In this example we are going to select iOS App Development to sign our app.
Now you need to create a Certificate Signing Request (CSR).
Open keychain Access in your mac. Select Certificate Assistant > Request a Certificate from a Certificate Authority.
You need to complete the information required. User Email Address, Common Name (the name for your private key), CA Email Address (should be left empty) and Request is (select Saved to disk option).
Now to generate your certificate you need to upload the CSR file you saved on your Mac.
This is a different way to create the CSR file. You need to generate a new private key. Run the following command in your terminal:
~ openssl genrsa -out PrivateKey.key 2048
We use 2048 bit long modulus for generating the RSA key pair because this is the standard for creating signing certificates on OS X.
To create and sign the CSR with the private key has been created use this command:
~ openssl req -new \
-key PrivateKey.key \
-out MyCertificateSigningRequest.csr \
In this request you should include your email in the ‘emailAddress’, your name in ‘commonName’ and your country code in ‘countryName’.
With the .csr file created with the previous command you can go to the Apple Developer Website and upload it. As we explained before select iOS App Development in the creation of a new Certificate and click continue because you already have a CSR file. Upload it and click Continue.
Now you can download your certificate.
And what should I do now with my certificate?
Once you have your certificate downloaded you need to add it to the Keychain Access in your Mac. Unless you create your certificate with Xcode, in that case you already have it on the Keychain Access.
To add it you only need to double click on it or drop it on the Keychain Access app.
The certificate allows you to sign software that you want to install on an iOS device. This way the final users can install the application on an iOS device without having to have the iOS device explicitly know about each individual developer. The reason is the iOS device will trust the Certificate Authority that the developer’s certificate was generated by. The devices can trust a certificate that was signed by Apple. Once an app is signed, the system can detect any change in the app, avoiding modifications by accident (corrupted files) or by malicious code. The scheme below resumes the process:
The developer’s private key is used to create the CSR . CSR contains the public key and developer’s information. Apple’s Certificate Authority recieves the CSR and creates an identity certificate for the developer to sign. The developer uses the identity certificate and signs applications using it and their private key. The signed application with the identity certificate is trusted by the signer. The application installed on the iOS devices has their certificates validated against the Certificate Authority that signs developer’s certificates.
Now you already know three different ways to get your certificate and what is its role in the signing. In the next article we are going to talk about signing a binary.