After reading the provisioning profile documentation, I wonder where the iOS device retrieves the public key that it will use to decrypt the code signature and verify the app binary during the development process.
The public key is generated on my mac when creating a CSR, and then it is embedded in the certificate, but the ipa file does not contain the certificate itself (the provisioning profile only contains certificate references). So where does it retrieve the certificate that contains the public key? Thanks
In your question, you say:
the ipa file does not contain the certificate itself (the provisioning profile only contains certificate references)
This is incorrect. From the document you linked to:
Every profile has a DeveloperCertificates property holding the certificates of each developer who can sign code covered by the profile.
So, the profile does, indeed, contain the developer certificates. The certificates include their public keys.
The developer certificates are signed by the Apple WWDR CA, which is trusted by iOS. The iOS device can, therefore:
For example, I followed the steps listed in the Apple Tech Note on the embedded.mobileprovision file from a developer build ipa file. Dumping the certificate with certtool gives:
Serial Number : 68 D8 D7 27 7D 16 26 37 BD C8 26 2A 1B 45 35 0D
Issuer Name :
    Common Name : Apple Worldwide Developer Relations Certification Authority
    OrgUnit : G3
    Org : Apple Inc.
    Country : US
Subject Name :
    Other name : XXXXXX
    Common Name : Apple Distribution: YYYY (XXXX)
    OrgUnit : XXXX
    Org : XXXX
    Country : AU
Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >
    alg params : 05 00
Not Before : 02:00:24 Apr 29, 2024
Not After : 02:00:23 Apr 29, 2025
Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
    alg params : 05 00
Pub key Bytes : Length 270 bytes : 30 82 01 0A 02 82 01 01 ...
There is the public key required to validate the code signing.
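The same inspection in portable, stdlib-only Python, as an added example that is not part of the answer above: it pulls the XML plist out of an embedded.mobileprovision (the plist is the signed content of the CMS wrapper) and lists the DER certificates in DeveloperCertificates with their SHA-256 fingerprints. The profile bytes and "certificates" at the bottom are constructed stand-ins, not a real Apple-issued profile.

```python
import hashlib
import plistlib

# Added example, not from the original post. The plist inside an
# embedded.mobileprovision is the signed content of a CMS SignedData wrapper;
# it is located here by its XML markers rather than by parsing the ASN.1,
# so the CMS signature is NOT checked by this code.
PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_embedded_plist(profile: bytes) -> dict:
    """Return the parsed plist dictionary carried inside a .mobileprovision blob."""
    start = profile.find(PLIST_START)
    end = profile.find(PLIST_END, start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(profile[start:end + len(PLIST_END)])


def developer_certificates(profile: bytes) -> list:
    """List the DER certificates in the profile's DeveloperCertificates array.

    Each entry carries the raw DER bytes and a SHA-256 fingerprint so the
    certificate can be matched against the signing identity in the Keychain.
    """
    plist = extract_embedded_plist(profile)
    out = []
    for der in plist.get("DeveloperCertificates", []):
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("DeveloperCertificates entry is not DER")
        out.append({"der": bytes(der), "sha256": hashlib.sha256(der).hexdigest()})
    return out


# Constructed sample: two fake "certificates" (DER-looking bytes, not real X.509)
# wrapped in a plist and padded with junk to imitate the CMS envelope.
SAMPLE_CERT_1 = b"\x30\x82\x01\x0a" + b"\xa1" * 20
SAMPLE_CERT_2 = b"\x30\x82\x01\x0a" + b"\xb2" * 20
SAMPLE_PROFILE = (
    b"\x30\x82\x09\x99\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # fake CMS header
    + plistlib.dumps({"Name": "Example App", "TeamName": "Example Team",
                      "DeveloperCertificates": [SAMPLE_CERT_1, SAMPLE_CERT_2]})
    + b"\x00" * 16  # fake trailing signature bytes
)

if __name__ == "__main__":
    for i, c in enumerate(developer_certificates(SAMPLE_PROFILE)):
        print(f"cert {i}: {len(c['der'])} bytes, sha256 {c['sha256']}")
```

Because the marker search ignores the CMS signature, verify the profile first (for example with `openssl smime -verify -inform DER -in embedded.mobileprovision -CAfile <Apple root bundle>`) before trusting the certificate list it yields; each listed DER blob can then be fed to `openssl x509 -inform DER -noout -text` to see the same public key that certtool printed.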