Provisioning Profile Stockholm Syndrome

This presentation contains confidential information intended only for the recipient(s) named above. Any other distribution, re-transmission, copying or disclosure of this message is strictly prohibited. If you have received this transmission in error, please notify me immediately by

telephone or return email, and delete this presentation from your system.  

Jay Graves - CTO POSSIBLE Mobile@skabber

Provisioning Profiles Are Everywhere

• App

• Today Widget

• Watch App

• Watch Extension

• Shared Library

• Share Extension

I want you to LOVE Provisioning Profiles

What is a Provisioning Profile?

What is a Provisioning Profile?

SMIME / PKCS#7

Thank you!Jay Graves - CTO POSSIBLE Mobile@skabber

What is a Provisioning Profile?

SMIME / PKCS#7

Provisioning Profile in vi

Read a ProfileCOMMAND LINE

security cms -D -i my.mobileprovision

Important ValuesAPPLICATION IDENTIFIER

<key>application-identifier</key>

<string>ABCDEFGHIJK.com.your.bundleid</string>

Important ValuesENTITLEMENTS

<key>Entitlements</key> <dict> ... <key>com.apple.developer.ubiquity-container-identifiers</key> ... <key>com.apple.developer.ubiquity-kvstore-identifier</key> ... <key>get-task-allow</key> ... </dict>

Important ValuesPROVISIONED DEVICES

<key>ProvisionedDevices</key> <array> <string>7af8ee3af8e4e13193bd834bab50e1d...</string> <string>a9f0d0477a6d3e8dad0ff984f7ba77e...</string> </array>

Important ValuesUUID

<key>UUID</key>

<string>E0EF8ACE-E83A-475C-9DA7-C67A147659FD</string>

Important ValuesDEVELOPER CERTIFICATES

<key>DeveloperCertificates</key> <array> <data> MIIFnDCCBISgAwIBAgIIEIdrqpJlb9MwDQYJKoZIhvcNAQEFBQAwgZYxCzAJ BgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBs ZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBw bGUgV29ybGR3aWRlIERldmVsb3BlciBSZWxhdGlvbnMgQ2VydGlmaWNhdGlv ...

Important ValuesDEVELOPER CERTIFICATES

-----BEGIN CERTIFICATE----- MIIFnDCCBISgAwIBAgIIEIdrqpJlb9MwDQYJKoZIhvcNAQEFBQAwgZYxCzAJ BgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBs ZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBw bGUgV29ybGR3aWRlIERldmVsb3BlciBSZWxhdGlvbnMgQ2VydGlmaWNhdGlv ... -----END CERTIFICATE-----

openssl x509 -text -in cert.pem

Important ValuesDEVELOPER CERTIFICATES

Certificate: Data: Version: 3 (0x2) Serial Number: 10:87:6b:aa:92:65:6f:d3 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority Validity Not Before: Nov 3 21:38:10 2012 GMT Not After : Nov 3 21:38:10 2013 GMT Subject: UID=9K9F9LCV74, CN=iPhone Distribution: Massively Overrated, OU=9K9F9LCV74, O=Massively Overrated, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c8:57:f9:cf:af:c2:4d:7a:8a:16:62:47:4b:c2:

Install a Provisioning ProfileDON’T DOUBLE CLICK THEM!

Not human readable.

Install a Provisioning ProfileDRAG THEM INTO THE FINDER

~/Library/MobileDevice/Provisioning Profiles

Install a Provisioning ProfileDRAG THEM INTO THE FINDER

Install a Provisioning ProfileDRAG THEM INTO THE FINDER

Much better.

Tools for using Provisioning ProfilesTERMINAL.APP

Tools for using Provisioning ProfilesTERMINAL.APP + SHELL ALIAS

alias prov=‘security cms -D -i‘

Tools for using Provisioning ProfilesQUICK LOOK PLUGIN

Tools for using Provisioning ProfilesAUTOMATOR SERVICE

Tools for using Provisioning ProfilesAUTOMATOR SERVICE

http://d.pr/13uj9

Tools for using Provisioning ProfilesAUTOMATOR SERVICE

Xcode

XcodeHOW DOES IT SEE PROFILES?

CODE_SIGN_IDENTITY = "iPhone Developer";PROVISIONING_PROFILE = "";

XcodeHOW DOES IT SEE PROFILES?

CODE_SIGN_IDENTITY = "iPhone Developer: Jay Graves (E6L876QFM6)";

PROVISIONING_PROFILE = "0FEB5831-22D3-4B1D-A973-59ED243E8103";

Build Error

Project Diff

What does all this mean?

•Automatic Profiles•Good if you don’t have multiple projects.•It can select the wrong profile.•Rules on automatic selection are not defined.

•Specific Profiles•Much more control over which profile is selected.•Can be a pain to update the project file every time a profile is updated.

Nick ArnottIS A FUNNY GUY

Can this be better?Yes!

Convention over Configuration

Convention over Configuration

• An Xcode Project can have multiple targets

• Every target can have multiple configurations

• Every target/configuration combination “should” have a provisioning profile

Name your profiles accordingly.

PROJECT-TARGET-CONFIGURATION.mobileprovision

Convention over ConfigurationUSE A SCRIPT

Run this script to set all the profiles properly.

set_project_profiles.sh -b -p Your.xcodeproj

http://bit.ly/ProjectProfiles

Thank You!Jay Graves - CTO POSSIBLE Mobile@skabber

Convention over ConfigurationHOW DOES IT WORK?

Magic scripts are great but how does it work?

• Create a folder at the root of every project called “CodeSign”.

• Put every profile in that directory.

• Script copies those profiles into ~/Library/MobileDevice/Provisioning Profiles

• Script inspects Xcode project for a list of Targets,

• Script gets a list of Configurations for each Target.

Convention over ConfigurationHOW DOES IT WORK?

• Script checks for any installed profile that follows the naming convention.

• Script queries the UUID for that profile.

• Script modifies the Xcode project with the appropriate UUID per Target/Configuration.

Modifying an Xcode Project!OMGWTFBBQ!

It’sJust

APLIST

PlistBuddy Demo

Modifying and Xcode ProjectIS NO BIG DEAL

Except…

PlistBuddy only outputs XML.

Tips:

• Project Specific Keychains

• Runtime asserts for missing entitlements

• Don’t click “Fix Issue”

• Read the Xcode errors

• Don’t go nuclear!

Thank you!Jay Graves - CTO POSSIBLE Mobile@skabber