App signing workflow, CAPPS, 9/11/2013, Michał Kwiatek, IT/OIS


Upload: archibald-norton

Post on 24-Dec-2015


Agenda
• Summary of iOS Dev Programs
  • Program types, roles, certificates and provisioning profiles
• CERN Context
• The gap
• Current workflow
  • Recent examples of CERNland and Open Days
• Open questions
• Conclusions


iOS dev programs


iOS dev programs roles


iOS dev programs roles (cont'd)
• iOS Developer Program Admin can also manage program members and assign roles
• The admin role is global to the entire contract – there is no concept of "admin for the given app"
• iOS Developer Program Agent is the "root" for the program; there is only one Agent for the given program


iOS certificates
• Development
  • Certifies the identity of an individual developer
  • Can be requested by a program Member
  • Can be downloaded by the Member who requested it after the request has been validated by a program Admin
• Production
  • Certifies the identity of the entire team (CERN)
  • Can be requested by a program Admin
  • Can be downloaded only by an Admin


iOS Provisioning Profiles
• An adequate provisioning profile is required to run a given application on a given device
• Development profile
  • To install development apps on test devices
  • Contains the development certificate (individual) and the list of devices
• Production App Store
  • To submit the app to the App Store
  • Contains the production certificate (CERN)
• Production Ad Hoc
  • To install your app on a limited number of registered devices
  • Contains the production certificate (CERN) and the list of devices
• Production In House (iOS Developer Enterprise)
  • To install your app on any device
  • Contains the production certificate (CERN)
  • Legally limited to apps distributed internally only
  • Technically not limited


CERN context
• 1 instance of iOS Developer Program
• 1 instance of iOS Developer Enterprise Program
• IT represents CERN within these programs
• App developers are
  • CERN engineers
  • 3rd-party companies contracted to create the app


The gap
• We need to enable both CERN and 3rd-party developers to develop apps for CERN
• We need to keep control of the CERN Production certificates, because they are a cryptographic identification of CERN
• The concept of the production certificate is that it is shared by the entire development team
  • But at CERN, we don’t have a single development team
  • There is no concept of sub-teams or per-app certificates
  • Moreover, once the app has been approved by an admin for publication in the App Store, we need the CERN owner of the app to be able to publish it on their own


Revoking a certificate

What happens if my certificate expires or has been revoked?

• iOS Distribution Certificate (App Store)

If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.

• iOS Distribution Certificate (In-house, Internal Use Apps)

Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.


Experience of the current workflow

Color code:

- worth automating as a self-service

- worth delegating to the app owner

- security issue


Use Case 1: CERN Open Days

Per developer:
1. Request IT to be registered as Member of the iOS Developer Program
2. Request IT to have your iOS devices registered for the iOS Developer Program

Per app:
3. Request IT to have an application id created within the iOS Developer Program
4. Request IT to have a Development provisioning profile created for the given app, developers and devices
5. Develop your app and test it on the registered devices
6. Request IT to repackage your app (.ipa) using the Production In House profile (requires re-signing with the iOS Developer Enterprise Production Certificate), so that tests can be extended to un-registered devices
7. Request IT to have a Production App Store provisioning profile created for the app
8. Request IT to share with you the CERN Production Certificate so that you can prepare the app for publication in the App Store
9. Request IT to have your app created within iTunesConnect
10. Request IT to have access to iTunesConnect so that you can publish – and later manage – your app within the App Store
11. Publish your app to the App Store using iTunesConnect

Can we replace these steps by:
6. Request IT to repackage your app using Production App Store provisioning profile
9. Publish the repackaged app to the App Store using Application Loader


Use Case 2: CERNland

1. The external developer develops the app using their own iOS Developer contract
2. The CERN owner of the app requests IT to create the App id, Production App Store provisioning profile and get access to iTunesConnect
3. The CERN owner of the app requests IT to upload the app to iTunesConnect in cooperation with the developer

Can we replace this step by:
3a. Request IT to repackage the app using Production App Store provisioning profile
4a. Publish the repackaged app to the App Store using Application Loader
or:
3b. The external developer publishes the app to the App Store under his iOS Developer Program and then transfers the app’s ownership to CERN


Open questions

1) What is the real-life risk of sharing CERN iOS Developer Program’s Production Certificate’s private key within CERN?
  • Clearly not optimal in such a large organisation
  • The risk is mitigated by the fact that this certificate needs to be included in a provisioning profile, which can be specific to a given app id

2) Can we avoid sharing of this private key through
  a) Providing a self-service that would on-demand repackage the app using the Production App Store provisioning profile
  b) Documenting use of Application Loader so that the app owner can publish the repackaged app within the App Store

3) What happens when we hit the limit of 100 registered devices per contract?
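An added example, not part of the original slides: a check that a re-signing self-service (open question 2a) could run on a decoded provisioning profile before signing. It classifies the profile into the four types from the "iOS Provisioning Profiles" slide and confirms the app id is specific to one app, which is the mitigation named in open question 1. The function names, team prefix and bundle ids are hypothetical, and the sample profiles are constructed.

```python
import plistlib

def load_decoded_profile(plist_bytes: bytes) -> dict:
    # Input is the plist payload of a .mobileprovision after its CMS wrapper
    # has been removed (on macOS: `security cms -D -i app.mobileprovision`).
    return plistlib.loads(plist_bytes)

def classify_profile(profile: dict) -> str:
    """Map a profile to the four types listed on the provisioning-profile slide."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "in-house"            # any device, Enterprise program
    if profile.get("ProvisionedDevices"):
        # A device list means Development or Ad Hoc; only development
        # builds are debuggable (get-task-allow = true).
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"               # no device list at all

def resigning_findings(profile: dict, expected_bundle_id: str) -> list:
    """Reasons a re-signing self-service should refuse this profile (empty = accept)."""
    findings = []
    kind = classify_profile(profile)
    if kind != "app-store":
        findings.append(f"profile type is {kind}, not app-store")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    _team_prefix, _, bundle_id = app_id.partition(".")
    if "*" in bundle_id:
        findings.append(f"wildcard app id {app_id!r} is not specific to one app")
    elif bundle_id != expected_bundle_id:
        findings.append(f"app id {bundle_id!r} does not match {expected_bundle_id!r}")
    return findings

# Constructed sample profiles (team prefix and bundle ids are made up).
APP_STORE_SAMPLE = plistlib.dumps({
    "Name": "Open Days App Store",
    "Entitlements": {"application-identifier": "ABCDE12345.ch.example.opendays",
                     "get-task-allow": False},
})
IN_HOUSE_WILDCARD_SAMPLE = plistlib.dumps({
    "Name": "In House wildcard",
    "ProvisionsAllDevices": True,
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False},
})

if __name__ == "__main__":
    for raw in (APP_STORE_SAMPLE, IN_HOUSE_WILDCARD_SAMPLE):
        profile = load_decoded_profile(raw)
        print(profile["Name"], "->", classify_profile(profile),
              resigning_findings(profile, "ch.example.opendays"))
```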


Conclusions
• We see a gap between CERN needs and how Apple organised the iOS Developer programs
• We have successful workarounds to assist owners of CERN iOS apps
• We are hoping to gradually move on from workarounds to solutions
• This activity is user-community driven – please talk to us if you need to distribute an in-house developed iOS app.
