Understanding Provisioning Profiles and Certificates | Xcode | iOS App Development

00:01

hey guys welcome to my channel icode

00:03

i am pallav and today we are going to

00:05

have a look at a very interesting topic

00:07

that is provisioning profiles and

00:08

certificates

00:10

i understand that as a beginner it's a

00:12

real pain it's very confusing to

00:14

understand that water provisioning

00:15

profiles what are certificates

00:17

why they are used what they do and how

00:19

they do

00:20

how our profiles link to certificates

00:22

those random errors of code signing

00:24

and everything else so today we will

00:26

deep dive into them

00:27

we will see that what is the use of

00:29

profiles

00:30

why they are used what is the use of

00:32

certificates how it is linked to

00:34

profiles

00:35

how they work in sync and everything

00:37

else so let's dive in

00:41

i believe that before understanding the

00:42

what part or how

00:44

part we must look at the why part as in

00:47

before understanding that what profiles

00:49

and certificates do

00:50

or how they do whatever they do we must

00:52

understand that why are they needed

00:54

so let's look at that first and then

00:57

we'll understand

00:58

that how they work so the first thing

01:00

that is why

01:02

and the answer is code signing code

01:05

signing is digitally signing of your

01:06

code

01:07

so whatever source code that you have

01:08

written for your application

01:10

the code signing gives us a confirmation

01:12

that after this point your code cannot

01:14

be modified

01:15

or in other words it just make it more

01:17

secure

01:18

so assume that you want to send some

01:20

sensitive information to your friend

01:22

you put that information in an envelope

01:24

and you cohere it to your friend

01:26

but you are afraid about its security

01:28

that it does not get compromised

01:30

the information do not get changed

01:31

before it is received and a simple way

01:33

to fix this

01:34

is to put a stamp to sign the envelope

01:37

to put your signature on it

01:38

so that whenever the envelope will be

01:40

received by the other party by your

01:42

friend

01:42

it will give a sense of confirmation a

01:44

sense of security that if the seal is

01:46

not broken

01:47

if your signature your stamp is not

01:49

broken it means that the information has

01:51

not been compromised

01:52

and the same thing is being done by code

01:54

signing

01:56

so your source code is digitally signed

01:57

to make it more secure

01:59

and this is done using provisioning

02:01

profiles and certificates

02:02

so now let's see that what is

02:03

provisioning profile

02:07

as per the apple's definition a

02:08

provisioning profile is a digital entity

02:10

that uniquely ties developers

02:12

and their devices to an authorized

02:14

iphone development team

02:16

and i understand that this is not very

02:17

clear so let's see it in detail

02:23

the first thing is that unlike android

02:25

iphone applications cannot run directly

02:27

on any device

02:28

those devices on which we target to test

02:31

our applications to run our applications

02:32

while development phase

02:34

those devices need to be signed by the

02:36

apple first or we say that those devices

02:38

need to be provisioned

02:40

now to do so provisioning profiles acts

02:43

as a link between the developer account

02:45

and the devices so with your developer

02:47

account whatever devices that you have

02:49

provisioned the provisioning profile

02:50

will act as a link between those two

02:54

provisioning profile decides that our

02:56

app can run on what all devices

02:58

and what all services it can access so

03:01

this relates to the entitlements part

03:03

that our app is entitled to use what all

03:05

features what are services like app

03:07

groups push notifications

03:09

everything else so before the ip

03:13

is made the profiles are downloaded from

03:15

the developer account

03:16

they are embedded in the bundle and then

03:18

the bundle is code signed

03:19

using certificates so assume that your

03:22

company your organization is sending you

03:24

to attend some conference

03:25

and the conference organizers want some

03:27

extra piece of information

03:29

to verify that you are the authorized

03:31

person who is here to attend the

03:33

conference

03:33

and what part of conference will you be

03:36

attending and

03:37

some other relevant information so along

03:40

with the other documents

03:41

your company will put an extra piece of

03:43

information having your employee id your

03:45

conference id or whatever information is

03:47

required by the organizers

03:49

that will help them identify that you

03:51

are the authorized person

03:52

and they will close the envelope they

03:53

will stamp it they will sign it

03:55

so that it gives a sense of security

03:57

that the information has not been

03:58

changed

03:59

and this extra piece of information that

04:01

they have put in the envelope

04:02

can be treated as provisioning profiles

04:09

now that we have an understanding of

04:11

what is a provisioning profile and what

04:12

it does

04:13

let's see that what does a provisioning

04:15

profile contains

04:18

so provisioning profile contain three

04:20

things development certificates

04:22

unique device identifiers and the app id

04:26

the development certificates authorizes

04:28

the test devices

04:29

that we want to run our app on the

04:32

unique device identifiers will let the

04:34

ios know

04:35

if this is the designated device on

04:36

which the app should run and the app id

04:38

helps in identify

04:39

that whether this particular application

04:41

is authorized to run on this device or

04:43

not

04:44

so app id is a two-part string which

04:46

contains the team id

04:47

followed by the bundle identifier so if

04:50

the app id that is in our provisioning

04:51

profile

04:52

if it contains the bundle identifier of

04:54

the application that we are trying to

04:55

run

04:56

if the two bundle ids match then it will

04:58

allow to install the application

05:00

otherwise the installation will fail

05:03

so provisioning profile contains these

05:05

three things the app id the certificates

05:07

and the device identifiers

05:11

now let's see that how does an app run

05:13

from the xcode

05:14

what actually happens when we hit

05:16

command r in rx code

05:18

how does the installation process take

05:22

place

05:24

once the build is done there are no

05:26

compilation errors there are a number of

05:28

checks that are made

05:29

the developer certificate that is

05:31

mentioned in our provisioning profile

05:33

is matched against the certificate that

05:34

we are having in our max keychain

05:36

if a match is found that certificate is

05:39

used to code sign our bundle

05:42

once the code signing happens the device

05:44

is checked for its authenticity

05:46

so the device on which we are trying to

05:47

run our application its uuid

05:49

is checked against the uui ids that are

05:52

mentioned in the provisioning profiles

05:54

if this goes well then the bundle

05:56

identifier of our application

05:57

is checked against the bundle identifier

05:59

mentioned in the app id

06:01

that is in the provisioning profile once

06:03

this is done then the entitlements

06:05

required by our

06:06

app are verified against the associated

06:08

ones with the app id

06:10

if all of these checks are done if

06:12

everything goes smooth

06:13

then the installation takes place

06:15

otherwise the app install

06:16

fails and at times you would have seen

06:18

that your app icon is greyed out

06:21

that is because one of these checks fail

06:23

or we can say that the installation

06:24

failed

06:26

so if you see your app id your

06:28

certificates the capabilities

06:30

the entitlements associated with your

06:32

app id and everything else can be

06:34

checked

06:34

in the signing and capabilities tab of

06:36

your export

06:41

now let's see that what are the types of

06:42

provisioning profiles

06:45

there's development ad hoc enterprise

06:47

and the distribution programming profile

06:49

now let's see the development first

06:51

development is the most

06:52

easy to understand provisioning profile

06:54

and we deal it with almost daily

06:56

as a part of our development process so

06:58

the development provisioning profile

06:59

contains the list of our test devices on

07:01

which we want to test our application

07:03

in our development phase and it cannot

07:05

be used for distributing

07:06

our application on test flight or on the

07:08

app store

07:10

the distribution profile does not

07:12

contain the identifier of any of our

07:14

devices

07:14

and it is used to distribute our app to

07:17

ship it on the app store

07:19

so if the distribution profile has been

07:20

used then the app can be installed on

07:23

any device

07:24

once apple code signs it and that

07:26

happens when we submit our app

07:27

to the app store the other two are used

07:30

in the development process

07:32

but at a later stage an add-on profile

07:35

is used to distribute our app to a

07:36

larger audience

07:38

the people who are not the part of the

07:39

apple developer beta program

07:41

or their devices are not mentioned in

07:43

our developer certificates

07:45

can test our app using the addock

07:47

profile

07:50

so an app that is deployed using ad hoc

07:52

provisioning profile is very identical

07:54

to the version that we submit on our app

07:56

store

07:56

as in the app store push notification

07:58

certificate is used with the adult

08:00

provisioning profiles

08:01

and it gives the almost same experience

08:04

as that of the app store build

08:12

now let's see that how code signing

08:14

works because we have been discussing

08:15

about the code signing since the start

08:17

of the video

08:18

now let's see that how it is done

08:22

so one thing that we know is that code

08:23

signing gives us a sense of confidence a

08:25

sense

08:26

of trust that our source code has not

08:28

been modified

08:29

since we have signed it now this is done

08:31

using a public private key pair

08:33

that apple has created for us or we can

08:36

say

08:37

that apple uses asymmetric cryptography

08:39

for this purpose

08:40

let's understand it

08:47

sam and john are two friends and they

08:49

decide to encrypt their chat

08:51

to do so they came with the concept of

08:53

public and private key

08:55

both of them made a pair of keys that is

08:57

public and private key

08:59

sam gave his public key to jon and john

09:02

gave his public key to sam

09:04

now when sam needs to send a message to

09:06

john he encrypts the message using

09:08

john's public key when john will receive

09:10

the encrypted message he will decrypt it

09:12

using his private key

09:14

same will be done by john he will

09:16

decrypt the message using sam's public

09:18

key and when sam will receive it he will

09:20

decrypt it using his private

09:22

key this concept is called the symmetric

09:24

trip

09:26

so this is the concept of asymmetric

09:28

cryptography that apple uses

09:30

for signing our code when we request a

09:32

certificate from the certificate signing

09:34

authority or that we create the csr that

09:37

will see it in a moment

09:38

the same thing happens the public key

09:41

and the private key pair is used for

09:42

signing our code

09:49

let's see certificate signing request

09:54

to get the developer certificate from

09:56

the apple we need to create a

09:58

certificate signing request

09:59

through our keychain when we create the

10:01

certificate signing request

10:03

a public private key pair is created on

10:06

our machine

10:06

and the public key is embedded in that

10:09

request that we send to apple

10:11

so basically certificate signing request

10:13

is a block of encoded text

10:15

that is having our public key that has

10:17

been generated from our machine

10:19

after the apple proof the request and we

10:21

get the certificate

10:22

when we double click the certificate to

10:24

install it in the keychain

10:25

it is matched against the private key

10:27

that was generated at the time of

10:29

certificate signing request

10:31

so when we created the csr or

10:33

certificate signing request

10:34

we created a pair of public key and the

10:36

private key the public key was

10:38

embedded in the certificate signing

10:40

request using which the apple created

10:42

the certificate

10:43

and now when we are trying to install

10:44

that certificate it is matched against

10:46

the private key that we are having in

10:48

our machine

10:49

if the match succeeds then the

10:51

certificates will be installed

10:52

otherwise it will not

10:55

now the certificate that we are having

10:57

in our keychain it also has a public key

10:59

given by apple

11:02

so at the time of installation the

11:04

private key that is used to sign the

11:06

bundle

11:06

is matched against the public key in the

11:08

certificate

11:10

if the match succeeds the installation

11:12

happens otherwise it fails so this is

11:14

the whole idea behind the code signing

11:17

the public private key or the asymmetric

11:19

cryptography that is used by apple for

11:21

this purpose

11:24

so i hope that you have got the concept

11:26

of provisioning profiles and

11:27

certificates

11:28

like why they are used what they do and

11:30

how they do

11:31

why do we get the errors for code

11:33

signing for provisioning profiles

11:35

identify or not match etc etc and if

11:38

there are any other doubts please put

11:39

them in the comments and i'll try to

11:41

answer them

11:42

so that's pretty much for this video a

11:43

new video comes out every sunday

11:45

so do subscribe to my channel let's

11:47

write better code together

11:48

happy coding and stay safe