Code signing process

The apps that you create using Studio need to be distributed to your users. There are two major mobile platforms: the App Store for iOS and the Play Store for Android. Code signing is a vital part of distributing and deploying your apps: it attaches a digital signature to the distributable files so that the store and the device can verify who built the package and that it has not been altered since it was signed. Apps must be signed before they are distributed on their respective platforms. The method differs between the two platforms, but in both cases it exists to establish trust on both sides of the transaction.

Let us see the process of code signing for IPA and APK files.

Code signing process for IPA package to be shared on Appstore

Prerequisites for Code Signing IPA

  • IPA file shared by Deltecs
  • Distribution Certificate
  • Provisioning profiles (1 each for App Extension and Main App target)

Several artifacts are needed to code sign an iOS app. We will briefly address each one.

Step 1: Creating CSR (Certificate Signing Request)

The first step in code signing iOS apps is to create a certificate signing request (CSR) on the local machine, with some basic details confirming the developer's identity. Generating the CSR also creates a public/private key pair in your login keychain: the CSR carries the public key and the identity details, while the private key stays on the Mac. The CSR is sent to the certificate authority (CA), which is Apple for the iOS platform. Apple confirms the developer's identity and issues a certificate that binds that public key to the developer. You can create a CSR on a macOS machine using Keychain Access:

  1. Open Keychain Access using Spotlight Search on Mac.

  2. From the top menu bar, go to Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority.

  3. Fill in the Certificate Information form. Keep CA Email Address field empty. Select Saved to disk and click Continue.

  4. Now, click on Show in Finder to go to the folder where CSR is created.

  5. Click Done. Now you will have a CSR on your local machine.

Step 2: Certificate

You need an Apple Developer Program membership (a paid, yearly membership) in order to generate a certificate from the Apple Developer Portal. Certificates come in different types, e.g. development, distribution, or enterprise. As a developer, you will create a certificate for Development or Distribution.

  • A development certificate signs builds for internal testing; such builds run only on the devices registered in the development provisioning profile.
  • A distribution certificate signs builds released through the App Store, which can then run on any device.

Follow the steps below to generate the distribution certificate:

  1. Go to the Apple Developer Portal, and sign in using your Apple ID and password.

  2. Select the Certificates, IDs & Profiles option from the left menu on the Dashboard.

  3. Under the Certificates option, click on the “+” button.

  4. Select the iOS Distribution option, and click on Continue.

  5. Click on Choose File to upload the CSR file that we had generated previously. Click Continue.

  6. Now, you can Download the generated iOS Distribution Certificate to your local machine.

  7. Double click on the downloaded certificate to add it to your local machine's Keychain, where it is paired with the private key generated in Step 1. Both halves are needed to sign; the downloaded .cer file alone is not enough.

  8. You can export the certificate together with its private key (a .p12 file) from Keychain Access by right-clicking it and selecting Export.

  9. You will be asked for a password to protect the exported file. Treat the .p12 and its password as secrets: anyone who has them can sign apps as your team.

Step 3: App ID
You need to register an App ID to make the app uniquely identifiable on the App Store after publication. This App ID will also be required for generating the Provisioning Profile in the next step.

The steps for registering an App ID are:

  1. Go to the Identifiers option from the left menu, and click on the “+” button.

  2. Select the App IDs option, and click on Continue.

  3. Enter the Description and Bundle ID of the app. Click on Continue.

You will find the Bundle ID of your project under the General tab of the app target in Xcode.

This Bundle ID must be unique across the App Store. If the Bundle ID already defined in your project is not accepted by the portal, update the Bundle ID of the Xcode project to match the identifier that the portal accepted.

  4. Click on Register.

With this, you have successfully registered the Bundle ID of your iOS app.

Provisioning profiles

The provisioning profile ties together the Team ID, the App ID (Team ID plus Bundle ID), device IDs, entitlements, and the signing certificate. It defines the rules under which the app may run on a device, and the device checks it at install and launch time. The provisioning profile's role is to confirm:

  • that it applies to a specific app, identified by its App ID
  • that an app with that App ID may run on certain devices. Development (and Ad Hoc) provisioning profiles list the allowed devices, while App Store distribution profiles do not.
  • that the app may hold only those entitlements defined in the provisioning profile.
  • that the app is trusted only when signed with the certificate(s) embedded in the provisioning profile.

Provisioning profiles exist for both development and distribution certificates. A distribution provisioning profile is needed in order to publish an app to the Apple App Store. To generate one, you will require the following:

  • App ID
  • Distribution Certificate

As we already have a registered App ID and an iOS Distribution Certificate, we can move on to generating the provisioning profile.

Follow the steps below:

  1. Go to the Profiles option from the left menu, and click on the “+” button.

  2. Select the App Store option from the list, and click on Continue.
    This will help to generate a distribution provisioning profile for publishing the app to the Apple App Store.

  3. Select the App ID that we had registered previously from the drop-down list, and click on Continue.

  4. Select the Distribution Certificate that will sign the app, and click on Continue.

  5. Enter a friendly Provisioning Profile Name for identifying the profile in the Apple Developer Portal. Click on Generate.

  6. You can Download the distribution provisioning profile to your local machine.

Apple's developer documentation covers the entire code signing process in depth. When code signing an iOS app, all components (bundles, resources, frameworks, tools, scripts, libraries, plug-ins, Info.plist files, assets, and all other code) must be signed, each nested component individually and before the bundle that contains it.
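The profile checks described above can be automated before any signing is attempted. The following script is an added example, not part of the original page or of Deltecs' tooling: it pulls the plist out of a .mobileprovision and checks it against the app it is meant to sign, covering expiry, team, App ID (including wildcard App IDs), the absence of a device list (which marks a development or Ad Hoc profile), that every entitlement the app claims is granted by the profile, and that the signing certificate is one of the profile's DeveloperCertificates. The sample profile builder, the certificate bytes, and the team and bundle identifiers it uses are constructed placeholders.

```python
"""Inspect an App Store provisioning profile and check it against the app you
are about to sign. Added example, not Deltecs' or Apple's code. The plist is
located inside the CMS wrapper by finding the XML, which is fine for inspection
but does NOT verify Apple's signature over the profile (on macOS,
"security cms -D -i embedded.mobileprovision" performs the same extraction)."""
import datetime
import hashlib
import plistlib
from typing import Optional

SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed placeholder, not a real certificate"


def extract_profile_plist(raw: bytes) -> dict:
    """A .mobileprovision is a CMS (PKCS#7) signed blob wrapping an XML plist."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def cert_sha1(der: bytes) -> str:
    """SHA-1 fingerprint, the form 'security find-identity -v -p codesigning' prints."""
    return hashlib.sha1(der).hexdigest().upper()


def check_profile(profile: dict, team_id: str, bundle_id: str, app_entitlements: dict,
                  signer_sha1: Optional[str] = None,
                  now: Optional[datetime.datetime] = None) -> list:
    """Return the reasons this profile cannot sign this app; an empty list means usable."""
    problems = []
    now = now or datetime.datetime.now(datetime.timezone.utc)
    exp = profile.get("ExpirationDate")        # plistlib returns a naive UTC datetime
    if exp is not None and exp.replace(tzinfo=datetime.timezone.utc) <= now:
        problems.append(f"profile expired on {exp:%Y-%m-%d}")
    if team_id not in profile.get("TeamIdentifier", []):
        problems.append(f"profile is not for team {team_id}")
    granted = profile.get("Entitlements", {})
    app_id, wanted = granted.get("application-identifier", ""), f"{team_id}.{bundle_id}"
    wildcard_ok = app_id.endswith(".*") and wanted.startswith(app_id[:-1])
    if app_id != wanted and not wildcard_ok:
        problems.append(f"profile App ID {app_id!r} does not cover {wanted!r}")
    if "ProvisionedDevices" in profile:      # only development / Ad Hoc profiles list devices
        problems.append("profile lists devices, so it is not an App Store profile")
    for key in app_entitlements:            # codesign will not complain; installation fails later
        if key not in granted:
            problems.append(f"app entitlement {key!r} is not granted by the profile")
    if signer_sha1 is not None:
        known = {cert_sha1(c) for c in profile.get("DeveloperCertificates", [])}
        if signer_sha1.upper() not in known:
            problems.append("signing certificate is not among the profile's DeveloperCertificates")
    return problems


def build_sample_profile(team_id: str, app_id_suffix: str, expired: bool = False,
                         with_devices: bool = False) -> bytes:
    """Constructed stand-in for a real profile: the plist keys are the real ones, the
    bytes around the plist only imitate the CMS wrapper, and the IDs are placeholders."""
    payload = {
        "AppIDName": "Sample app", "Name": "Sample App Store profile",
        "TeamIdentifier": [team_id], "TeamName": "Example Ltd",
        "ExpirationDate": datetime.datetime(2020 if expired else 2035, 1, 1),
        "DeveloperCertificates": [SAMPLE_CERT_DER],
        "Entitlements": {"application-identifier": f"{team_id}.{app_id_suffix}",
                         "com.apple.developer.team-identifier": team_id,
                         "keychain-access-groups": [f"{team_id}.*"],
                         "aps-environment": "production", "get-task-allow": False},
    }
    if with_devices:
        payload["ProvisionedDevices"] = ["constructed-udid-0001"]
    return b"\x30\x82\x10\x00fake-cms-header" + plistlib.dumps(payload) + b"fake-cms-trailer"
```

Run check_profile() on the real embedded.mobileprovision (read as bytes and passed through extract_profile_plist()) with the entitlements you intend to sign with; every string it returns is a reason the App Store upload or the install on a device would fail later.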

Code signing steps

Let us assume that we have DronaWithStoryBoard.ipa that we want to code sign. An IPA is a zip archive whose top-level directory is Payload/, containing the .app bundle.

Open Terminal and change to the directory where the IPA is present.

Step 1 -

unzip DronaWithStoryBoard.ipa

Step 2 -

rm -rf Payload/*.app/_CodeSignature

Step 3 -

rm -rf Payload/DronaWithStoryBoard.app/PlugIns/Rich-Noti-Extension.appex/_CodeSignature/

Step 4 - Open the extension's Info.plist in PlistBuddy (interactive mode; the same edit can be made non-interactively with PlistBuddy's -c option, which saves the file automatically)

/usr/libexec/PlistBuddy Payload/DronaWithStoryBoard.app/PlugIns/Rich-Noti-Extension.appex/Info.plist

Step 5 - Set the extension's bundle identifier. It must be prefixed by the main app's bundle identifier (placeholder shown)

Set :CFBundleIdentifier <your.bundle.id>.rich-noti-extension

Step 6 -

save

Step 7 -

quit

Step 8 - Replace the embedded provisioning profile with the App Store profile you generated for the extension (the source path is a placeholder for your downloaded profile)

cp <extension profile>.mobileprovision Payload/DronaWithStoryBoard.app/PlugIns/Rich-Noti-Extension.appex/embedded.mobileprovision

Step 9 - Dump the entitlements currently embedded in the extension's signature

codesign -d --entitlements rich-notification-entitlements.xml Payload/DronaWithStoryBoard.app/PlugIns/Rich-Noti-Extension.appex/Rich-Noti-Extension

Older versions of codesign write an 8-byte binary header before the XML; prefixing the output path with a colon (:rich-notification-entitlements.xml) tells codesign to write plain XML instead, which saves the clean-up in Step 10.

Step 10 -

Open rich-notification-entitlements.xml in Xcode (or any text editor) and remove any extra characters at the start. The file should start with <?xml.
Replace the team identifier with your company's Team ID and the bundle identifier with your bundle identifier. The application-identifier entitlement has the form TEAM_ID.bundle-id, and keychain-access-groups entries carry the same TEAM_ID prefix. Do not add entitlements that your provisioning profile does not grant; codesign will accept them, but the app will fail to install.

Step 11 - Sign the extension. -f replaces the existing signature; -s names the signing identity exactly as Keychain Access shows it (replace Company Name and TEAM_ID with your own)

codesign --entitlements rich-notification-entitlements.xml -f -s "iPhone Distribution: Company Name (TEAM_ID)" Payload/DronaWithStoryBoard.app/PlugIns/Rich-Noti-Extension.appex

Code signing the IPA file

Step 12 - Open the main app's Info.plist in PlistBuddy

/usr/libexec/PlistBuddy Payload/DronaWithStoryBoard.app/Info.plist

Step 13 - Set the main app's bundle identifier to the Bundle ID you registered in the portal (placeholder shown)

Set :CFBundleIdentifier <your.bundle.id>

Step 14 -

save

Step 15 -

quit

Step 16 - Replace the embedded provisioning profile with the App Store profile generated for the main app (the source path is a placeholder for your downloaded profile)

cp <app profile>.mobileprovision Payload/DronaWithStoryBoard.app/embedded.mobileprovision

Step 17 - Dump the entitlements currently embedded in the main executable's signature

codesign -d --entitlements entitlements.xml Payload/DronaWithStoryBoard.app/DronaWithStoryBoard

Step 18 -

Open entitlements.xml in Xcode (or any text editor) and remove any extra characters at the start. The file should start with <?xml.

Replace the team identifier with your company's Team ID and the bundle identifier with your bundle identifier, as in Step 10. The application-identifier here must match the App ID of the profile copied in Step 16.

If the app embeds frameworks or dylibs (Payload/DronaWithStoryBoard.app/Frameworks/), sign each of them now with the same codesign -f -s command and no --entitlements option; nested code must be signed before the bundle that contains it, otherwise the app's signature computed in Step 19 would no longer match.

Step 19 - Sign the main app bundle

codesign --entitlements entitlements.xml -f -s "iPhone Distribution: Company Name (TEAM_ID)" Payload/DronaWithStoryBoard.app

Step 20 - Verify the Payload

codesign -v --verbose=5 Payload/DronaWithStoryBoard.app/

The above step should output -

Payload/DronaWithStoryBoard.app/: valid on disk

Payload/DronaWithStoryBoard.app/: satisfies its Designated Requirement

Adding --deep --strict to the same command also verifies the nested extension and any frameworks, and codesign -dvv on the bundle prints the Authority and TeamIdentifier lines, which should name your distribution certificate and your Team ID.

Step 21 - If the above step is a success, zip the Payload directory (from the directory that contains it, so that Payload/ is the root of the archive) and upload the result with Application Loader (or the Transporter app, which replaced it in newer Xcode versions)

zip -qr myapp-resigned.ipa Payload/
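Steps 1 to 21 done by hand are easy to get wrong: the source path of the cp steps, the header bytes in the entitlements dump, a team identifier left over in a keychain access group, or the extension signed after the app instead of before it. The script below is an added example, not Deltecs' tooling: it parses the entitlements dump with or without the binary header, retargets the application-identifier, team identifier and keychain access groups, patches CFBundleIdentifier, signs the extension, any embedded frameworks and then the app, verifies, and zips the result. The identity string, Team ID, bundle identifiers and profile paths are placeholders; the offline helpers run anywhere, while sign_bundle() and resign_ipa() need macOS with codesign, unzip and zip.

```python
"""Re-sign an IPA for App Store distribution, automating the page's Steps 1-21.
Added example, not Deltecs' tooling. The identity, Team ID, bundle IDs and profile
paths are placeholders the caller supplies. The offline helpers (entitlement blob
parsing, entitlement retargeting, Info.plist patching) run anywhere; sign_bundle()
and resign_ipa() need macOS with codesign, unzip and zip on the PATH."""
import plistlib
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path

CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # blob header older codesign prints before the XML


def parse_entitlements_blob(data: bytes) -> dict:
    """Parse `codesign -d --entitlements -` output: older codesign prefixes the XML with
    an 8-byte (magic, total length) header, the 'extra characters' of Step 10; accept both."""
    if len(data) >= 8:
        magic, length = struct.unpack(">II", data[:8])
        if magic == CSMAGIC_EMBEDDED_ENTITLEMENTS:
            data = data[8:length]
    return plistlib.loads(data)


def make_entitlements_blob(ents: dict, with_header: bool = True) -> bytes:
    """Constructed stand-in for codesign's output, to exercise the parser offline."""
    xml = plistlib.dumps(ents)
    return struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(xml)) + xml if with_header else xml


def rewrite_entitlements(ents: dict, team_id: str, bundle_id: str) -> dict:
    """Retarget the app-id style entitlements (Steps 10/18). Other keys are copied as-is;
    anything the new profile does not grant signs fine but fails to install."""
    old_app_id = ents.get("application-identifier", "")
    old_team = ents.get("com.apple.developer.team-identifier") or old_app_id.split(".")[0]
    new = dict(ents)
    new["application-identifier"] = f"{team_id}.{bundle_id}"
    new["com.apple.developer.team-identifier"] = team_id
    if "keychain-access-groups" in ents:
        new["keychain-access-groups"] = [
            new["application-identifier"] if g == old_app_id
            else team_id + g[len(old_team):] if old_team and g.startswith(old_team + ".")
            else g
            for g in ents["keychain-access-groups"]]
    return new


def read_bundle_id(info_plist: bytes) -> str:
    return plistlib.loads(info_plist)["CFBundleIdentifier"]


def set_bundle_id(info_plist: bytes, bundle_id: str) -> bytes:
    """Steps 4-7 / 12-15 without PlistBuddy; accepts binary or XML Info.plist."""
    info = plistlib.loads(info_plist)
    info["CFBundleIdentifier"] = bundle_id
    return plistlib.dumps(info, fmt=plistlib.FMT_BINARY)


def sign_bundle(bundle: Path, identity: str, team_id: str, bundle_id: str,
                profile: Path, scratch: Path) -> None:
    """Steps 2-11 for an .appex, Steps 12-19 for the .app. Nested code must be signed
    before the bundle that contains it, or the outer signature no longer matches."""
    shutil.rmtree(bundle / "_CodeSignature", ignore_errors=True)
    plist = bundle / "Info.plist"
    plist.write_bytes(set_bundle_id(plist.read_bytes(), bundle_id))
    shutil.copyfile(profile, bundle / "embedded.mobileprovision")
    executable = bundle / plistlib.loads(plist.read_bytes())["CFBundleExecutable"]
    raw = subprocess.run(["codesign", "-d", "--entitlements", "-", str(executable)],
                         check=True, capture_output=True).stdout
    ents = rewrite_entitlements(parse_entitlements_blob(raw), team_id, bundle_id)
    ent_file = scratch / f"{bundle.name}.entitlements"  # kept outside Payload/, so not zipped
    ent_file.write_bytes(plistlib.dumps(ents))
    subprocess.run(["codesign", "-f", "-s", identity, "--entitlements", str(ent_file),
                    str(bundle)], check=True)


def resign_ipa(ipa: Path, out: Path, identity: str, team_id: str, bundle_id: str,
               app_profile: Path, extensions: dict) -> Path:
    """extensions maps an .appex directory name to (its bundle id, its profile path).
    Order: extensions, then embedded frameworks, then the app; Step 20 verifies."""
    work = Path(tempfile.mkdtemp(prefix="resign-"))
    subprocess.run(["unzip", "-q", str(ipa), "-d", str(work)], check=True)  # keeps +x bits
    app = next((work / "Payload").glob("*.app"))
    for appex, (ext_id, ext_profile) in extensions.items():
        sign_bundle(app / "PlugIns" / appex, identity, team_id, ext_id, ext_profile, work)
    frameworks = app / "Frameworks"
    for fw in (sorted(frameworks.iterdir()) if frameworks.is_dir() else []):
        subprocess.run(["codesign", "-f", "-s", identity, str(fw)], check=True)  # no entitlements
    sign_bundle(app, identity, team_id, bundle_id, app_profile, work)
    subprocess.run(["codesign", "-v", "--verbose=5", "--deep", "--strict", str(app)], check=True)
    subprocess.run(["zip", "-qr", str(out.resolve()), "Payload"], cwd=work, check=True)
    return out


if __name__ == "__main__":  # placeholder paths, identity and identifiers, not real values
    resign_ipa(Path("DronaWithStoryBoard.ipa"), Path("myapp-resigned.ipa"),
               "iPhone Distribution: Company Name (TEAM_ID)", "TEAM_ID", "com.example.drona",
               Path("app.mobileprovision"), {"Rich-Noti-Extension.appex": (
                   "com.example.drona.rich-noti-extension", Path("extension.mobileprovision"))})
```

unzip and zip are called rather than Python's zipfile because extracting with zipfile drops the executable permission bits on the Mach-O binaries, which codesign then cannot repair. The entitlement files are written to the scratch directory, not into Payload/, so they never end up inside the uploaded archive.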

Code signing process for APK package to be shared to the Playstore

Prerequisites for Code Signing APK

  • APK file shared by Deltecs
  • Keystore file and its password

STEP 1: Create the Java KeyStore (JKS) file that holds the signing key. If you already have a keystore, you can skip this step. This step generates an RSA key pair and a self-signed certificate for it inside the keystore; the private key never needs to leave that file. From a command prompt, type the following (the keystore path is a placeholder; -genkey is the older spelling of -genkeypair, and on Java 9 or later keytool warns that JKS is a proprietary format and suggests PKCS12, which jarsigner and apksigner accept equally well):

keytool -genkey -v -keystore %DESKTOP%/key.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias DEVELOPERNAME

Where you need to provide the following details:

  • Keystore password: you will need this to unlock the keystore again in the future. If you lose this password, it is practically impossible to recover, and with it the ability to sign updates.
  • Re-enter the keystore password
  • Personal details to put in the certificate (name, organization, location)

This creates the private key inside the keystore. It must be used only by your company to sign packages: anyone who obtains the keystore file and its password can publish updates to your app in your name, so store it offline or in a secrets manager, back it up, and never commit it to source control.

STEP 2: Sign the APK (or app bundle) with the private key from the keystore created above. A release build must be signed with your release keystore, never with the debug keystore that Android Studio uses for development builds: the Play Store rejects debug-signed packages, and the debug keystore is protected by a well-known password.

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore <Path to Keystore.jks file> <Path to Apk file> <Key Alias> -storepass <Keystore password>

Here, you need to add your keystore path and APK file path, along with the key alias and keystore password. Passing -storepass on the command line leaves the password in your shell history; omit it and jarsigner will prompt for it. Note that jarsigner produces only the v1 (JAR) signature, which covers individual archive entries, and that SHA1 is kept here only for compatibility with very old Android versions. For current releases, the SDK's apksigner tool signs with the same keystore (apksigner sign, with --ks pointing at the keystore and --ks-key-alias at the alias) and adds the v2/v3 APK signature schemes, which cover the whole file; apksigner verify --print-certs then shows which certificate signed the package.

STEP 3: Zipalign the signed APK

<path-to-android-sdk>/build-tools/<version>/zipalign -v 4 android-signed.apk android-signed-aligned.apk

Here android-signed.apk is the APK you signed in the step above and android-signed-aligned.apk is the new, zipaligned APK. The order matters: with jarsigner you sign first and zipalign afterwards, as shown, because zipalign only changes the padding between entries and the v1 signature covers entry contents. With apksigner it is the reverse: zipalign first, then sign, because the v2/v3 signature covers the archive bytes and zipalign would invalidate it. Running zipalign with -c instead of an output file checks whether an existing APK is aligned.

STEP 4: Upload to the Google Play Store. Your APK package is now ready to be uploaded to the Play Store. Every subsequent update of the app must be signed with this same key, because Google Play identifies the app by its signing certificate and will not accept an update signed with a different key. With Play App Signing, the key you created here is registered as your upload key, while Google holds the key that signs what is delivered to devices.
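What a jarsigner (v1) signature actually binds is a list of per-entry digests in META-INF/MANIFEST.MF, which CERT.SF digests in turn and CERT.RSA signs with the key from the keystore. The checker below is an added example, not Deltecs' or Google's code: it recomputes those digests for a signed APK, reports entries that were modified or added after signing, and reports which digest algorithm the manifest uses so that a SHA1-only signature can be flagged. The APK builder and the sample files are constructed stand-ins (the builder writes only the manifest, not CERT.SF or CERT.RSA); for real verification, including the v2/v3 schemes, use apksigner verify --print-certs.

```python
"""Check the per-entry digests that a jarsigner (v1 / JAR) signature binds and report
the digest algorithm used. Added example, not Deltecs' or Google's code; a real
verification (including the v2/v3 schemes) is `apksigner verify --print-certs`.
The builder below writes only MANIFEST.MF, enough to exercise the checker offline;
a real signer adds CERT.SF (digests of the manifest sections) and CERT.RSA (the
PKCS#7 signature over CERT.SF, carrying the certificate from the keystore)."""
import base64
import hashlib
import io
import zipfile

DIGEST_ATTRS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}


def parse_manifest(text: str) -> dict:
    """Return {entry name: (digest attribute, base64 digest)} from MANIFEST.MF.
    The JAR spec wraps lines over 72 bytes; a continuation line starts with a space."""
    unwrapped = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unwrapped:
            unwrapped[-1] += line[1:]
        else:
            unwrapped.append(line)
    entries, current = {}, None
    for line in unwrapped:
        if not line:                          # a blank line ends a section
            current = None
        elif line.startswith("Name: "):
            current = line[len("Name: "):]
        elif current is not None and ": " in line:
            attr, value = line.split(": ", 1)
            if attr in DIGEST_ATTRS:
                entries[current] = (attr, value)
    return entries


def check_v1_digests(apk: bytes) -> dict:
    """Recompute every entry's digest and compare with the manifest. 'bad' entries were
    modified after signing; 'uncovered' entries were added and must be treated as
    tampering, since no signature says anything about them."""
    result = {"algs": set(), "ok": [], "bad": [], "uncovered": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = [n for n in z.namelist() if not n.startswith("META-INF/") and not n.endswith("/")]
        if "META-INF/MANIFEST.MF" not in z.namelist():
            result["uncovered"] = names
            return result
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name not in manifest:
                result["uncovered"].append(name)
                continue
            attr, expected = manifest[name]
            result["algs"].add(attr)
            actual = base64.b64encode(hashlib.new(DIGEST_ATTRS[attr], z.read(name)).digest()).decode()
            (result["ok"] if actual == expected else result["bad"]).append(name)
    return result


def build_v1_manifest_apk(files: dict, attr: str = "SHA-256-Digest") -> bytes:
    """Constructed sample: an APK-shaped zip with a jarsigner-style MANIFEST.MF."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.new(DIGEST_ATTRS[attr], data).digest()).decode()
        lines += [f"Name: {name}", f"{attr}: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def replace_entry(apk: bytes, name: str, data: bytes) -> bytes:
    """Rewrite or add one entry without touching META-INF (simulates tampering)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            dst.writestr(item.filename, data if item.filename == name else src.read(item.filename))
        if name not in src.namelist():
            dst.writestr(name, data)
    return out.getvalue()


SAMPLE_FILES = {  # constructed contents, not a real app
    "AndroidManifest.xml": b"<manifest package='com.example.drona'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
}
```

Point check_v1_digests() at the bytes of a real jarsigner-signed APK: an 'algs' set of {"SHA1-Digest"} is what the page's -digestalg SHA1 command produces, and any 'bad' or 'uncovered' entries mean the package was changed after it was signed.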