App signing workflow
CAPPS, 9/11/2013
Michał Kwiatek, IT/OIS
Agenda
• Summary of iOS Dev Programs
  • Program types, roles, certificates and provisioning profiles
• CERN context
• The gap
• Current workflow
  • Recent examples of CERNland and Open Days
• Open questions
• Conclusions
CAPPS, 9/11/2013
iOS dev programs roles (cont'd)
• iOS Developer Program Admin can also manage program members and assign roles
  • The admin role is global to the entire contract; there is no concept of "admin for the given app"
• iOS Developer Program Agent is the "root" for the program; there is only one Agent for the given program
iOS certificates
• Development
  • Certifies the identity of an individual developer
  • Can be requested by a program Member
  • Can be downloaded by the Member who requested it after the request has been validated by a program Admin
• Production
  • Certifies the identity of the entire team (CERN)
  • Can be requested by a program Admin
  • Can be downloaded only by an Admin
iOS provisioning profiles
• An adequate provisioning profile is required to run a given application on a given device
• Development profile
  • To install development apps on test devices
  • Contains the development certificate (individual) and the list of devices
• Production App Store
  • To submit the app to the App Store
  • Contains the production certificate (CERN)
• Production Ad Hoc
  • To install your app on a limited number of registered devices
  • Contains the production certificate (CERN) and the list of devices
• Production In House (iOS Developer Enterprise)
  • To install your app on any device
  • Contains the production certificate (CERN)
  • Legally limited to apps distributed internally only
  • Technically not limited
CERN context
• 1 instance of iOS Developer Program
• 1 instance of iOS Developer Enterprise Program
• IT represents CERN within these programs
• App developers are
  • CERN engineers
  • 3rd-party companies contracted to create the app
The gap
• We need to enable both CERN and 3rd-party developers to develop apps for CERN
• We need to keep control of the CERN Production certificates, because they are a cryptographic identification of CERN
  • The concept of the production certificate is that it is shared by the entire development team
  • But at CERN, we don't have a single development team
  • There is no concept of sub-teams or per-app certificates
  • Moreover, once the app has been admin-approved for publication in the App Store, we need the CERN owner of the app to be able to publish it on their own
Revoking a certificate
What happens if my certificate expires or has been revoked?
• iOS Distribution Certificate (App Store)
  If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
• iOS Distribution Certificate (In-house, Internal Use Apps)
  Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
Experience of the current workflow
Color code:
- worth automating as a self-service
- worth delegating to the app owner
- security issue
Use Case 1: CERN Open Days
Per developer:
1. Request IT to be registered as Member of the iOS Developer Program
2. Request IT to have your iOS devices registered for the iOS Developer Program
Per app:
3. Request IT to have an application id created within the iOS Developer Program
4. Request IT to have a Development provisioning profile created for the given app, developers and devices
5. Develop your app and test it on the registered devices
6. Request IT to repackage your app (.ipa) using the Production In House profile (requires re-signing with the iOS Developer Enterprise Production Certificate), so that tests can be extended to un-registered devices
7. Request IT to have a Production App Store provisioning profile created for the app
8. Request IT to share with you the CERN Production Certificate so that you can prepare the app for publication in the App Store
9. Request IT to have your app created within iTunesConnect
10. Request IT to have access to iTunesConnect so that you can publish, and later manage, your app within the App Store
11. Publish your app to the App Store using iTunesConnect
Can we replace these steps by:
6. Request IT to repackage your app using the Production App Store provisioning profile
9. Publish the repackaged app to the App Store using Application Loader
Use Case 2: CERNland
1. The external developer develops the app using their own iOS Developer contract
2. The CERN owner of the app requests IT to create the App id, Production App Store provisioning profile and get access to iTunesConnect
3. The CERN owner of the app requests IT to upload the app to iTunesConnect in cooperation with the developer
Can we replace this step by:
3a. Request IT to repackage the app using the Production App Store provisioning profile
4a. Publish the repackaged app to the App Store using Application Loader
or:
3b. The external developer publishes the app to the App Store under his iOS Developer Program and then transfers the app's ownership to CERN
Open questions
1) What is the real-life risk of sharing the CERN iOS Developer Program's Production Certificate's private key within CERN?
  • Clearly not optimal in such a large organisation
  • The risk is mitigated by the fact that this certificate needs to be included in a provisioning profile, which can be specific to a given app id
2) Can we avoid sharing this private key through
  a) Providing a self-service that would on-demand repackage the app using the Production App Store provisioning profile
  b) Documenting use of Application Loader so that the app owner can publish the repackaged app within the App Store
3) What happens when we hit the limit of 100 registered devices per contract?
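As an added illustration (not part of the deck and not a CERN tool) of the four profile types on the provisioning-profiles slide and of the mitigation in question 1 above, this Python script pulls the plist out of a .mobileprovision, classifies the profile, reports expiry, and checks whether its application-identifier covers a given bundle id. The sample profile bytes and all identifiers in it are constructed; the plist keys used (ProvisionedDevices, ProvisionsAllDevices, get-task-allow, application-identifier, ExpirationDate) are the ones found in real profiles.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the XML plist that sits inside a real .mobileprovision's
# CMS (PKCS#7) envelope. Team id, bundle id and dates are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Example App Store profile</string>
  <key>TeamName</key><string>Example Team</string>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.ch.example.opendays</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict></plist>"""


def extract_plist(raw: bytes) -> dict:
    """Locate the embedded XML plist and parse it. The CMS signature is NOT
    verified here; use `security cms -D -i file.mobileprovision` on macOS for that."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def profile_type(p: dict) -> str:
    """Map the profile's keys to the four types from the slide."""
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):          # only enterprise (In House) profiles
        return "Production In House"
    if "ProvisionedDevices" in p:              # device list => Development or Ad Hoc
        return "Development" if ents.get("get-task-allow") else "Production Ad Hoc"
    return "Production App Store"              # no device list, no debugging


def is_expired(p: dict, now=None) -> bool:
    """plistlib yields naive UTC datetimes, so compare against naive UTC now."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return p["ExpirationDate"] <= now


def covers_bundle_id(p: dict, bundle_id: str) -> bool:
    """True if the profile's application-identifier (TEAMID.pattern) matches
    bundle_id; a trailing '*' is the only wildcard Apple allows."""
    _team, _, pattern = p["Entitlements"]["application-identifier"].partition(".")
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return bundle_id == pattern
```

Run against a profile that is not app-specific (pattern "*") and covers_bundle_id returns True for every app, which is exactly the case where sharing the production key is not contained by the profile.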
Conclusions
• We see a gap between CERN needs and how Apple organised the iOS Developer programs
• We have successful workarounds to assist owners of CERN iOS apps
• We are hoping to gradually move on from workarounds to solutions
• This activity is user-community driven; please talk to us if you need to distribute an in-house developed iOS app.