iOS Super Signature Principle

I. Third-party companies that have implemented super signature
1. dandelion
2. Eternal Science and Technology
3. cloud packing

II. The ultimate effect to be achieved

III. Specific Principles

Signature principle
The principle of super signature fits in one sentence: it uses the Ad Hoc distribution channel that Apple provides to developers, and registers each installing device as a development device.
Because the signature is Ad Hoc, it inherits the advantages and disadvantages of Ad Hoc distribution.

Advantages:
Direct distribution: the app installs and runs without the user having to trust an enterprise certificate.
Currently stable: there is no business risk from certificate revocation (though the risk of a later Apple policy change is very high).

Disadvantages:
A single developer account can register only 100 iPhone devices, so distribution costs are very high ($99/1/100 devices).
The UDID of each installing device must be registered in the developer account in advance. Without a connected tool chain, obtaining a user's UDID is difficult and tedious, and entering UDIDs by hand is not commercially feasible. This shortcoming has since been solved.

Overall framework
Next, let's look at how the whole mechanism works:

1. After the user installs the device description file, the UDID of the device is sent to the server.
2. After the server receives the UDID, it registers the UDID to a developer account.
3. The provisioning profile is regenerated and used to re-sign the IPA.
4. The IPA is then uploaded to the server, and users download it in itms-services mode.

Apple Developer Center Automation Tool
The next key point is how to register a new developer device and update the Provisioning Profile within seconds of obtaining the user's UDID. This requires the help of an open source tool (Spaceship).

Technical details
Use configuration files to get UDID
Apple allows developers to get the UDID of an iOS device (along with some other parameters) through an exchange between the iOS device and a Web server. Here is an overview:
1. Create a description file in .mobileconfig XML format on your Web server.
2. Before anything else, the user must tap to install the .mobileconfig description file.
3. The data the server needs, such as the UDID, and the URL at which the server receives that data are both configured in the .mobileconfig description file.
4. When the user's device installs the description file, the device calls back the URL you set. If your URL returns a 302 redirect, the Safari browser follows it to the address you gave.

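Reference:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <dict>
        <key>URL</key><string></string> <!--Interface address for receiving data-->
        <key>DeviceAttributes</key><array><string>UDID</string></array> <!--Data the server needs-->
    </dict>
    <key>PayloadOrganization</key><string></string> <!--Organization name-->
    <key>PayloadDisplayName</key><string>Query device UDID</string> <!--Title displayed during installation-->
    <key>PayloadUUID</key><string>3C4DC7D2-E475-3375-489C-0BB8D737A653</string> <!--Unique string you generate yourself-->
    <key>PayloadDescription</key><string>This file is only used to obtain the device ID</string> <!--Description-->
    <key>PayloadType</key><string>Profile Service</string>
</dict>
</plist>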

Third-party library for getting the device UDID

Once you have the UDID, register the new developer device and update the Provisioning Profile.
Apple Developer Center automation tool:
Apple Developer Center

Automatic signing and packaging tool

OTA application distribution tool

Official documentation on obtaining the device UDID:
Over-the-Air Profile Delivery Concepts

Re-signing without changing the package name

1. Create the embedded.plist file from the provisioning file:

security cms -D -i embedded.mobileprovision > embedded.plist

2. Create the entitlements.plist file from the embedded.plist file:

/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' embedded.plist > entitlements.plist

entitlements.plist looks like this. It can also be copied and modified directly. The package name in it does not affect the package name of the re-signed app.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

3. Unzip the ipa file

unzip *.ipa 

4. Delete the signature file of the ipa

rm -rf Payload/*.app/_CodeSignature/

5. Replace the provision file in app

cp embedded.mobileprovision Payload/*.app/embedded.mobileprovision

6. Re-sign

codesign -f -s "iPhone Distribution: XXX" --no-strict --entitlements=entitlements.plist  Payload/*.app

7. Re-compress the app into an ipa

zip -r xxx.ipa Payload
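
An added example, not part of the original post: a Python check for reviewing an unpacked IPA, which reads embedded.mobileprovision and reports whether the app is Ad Hoc provisioned (the mechanism described above) and whether a given UDID is on its device list. It goes slightly beyond the Ad Hoc case by also recognising development, enterprise and App Store profiles. It assumes the plist can be cut out of the CMS container without verifying the signature, and the sample profile, team ID, bundle ID and UDIDs are constructed.

```python
import plistlib
from typing import Optional

def extract_profile(blob: bytes) -> dict:
    """Return the plist carried inside a .mobileprovision CMS blob.
    The CMS signature is NOT verified here; this only reads the payload."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Infer the distribution type from standard provisioning-profile keys."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def audit(blob: bytes, udid: Optional[str] = None) -> dict:
    """Summarise who signed the app and which devices it is provisioned for."""
    profile = extract_profile(blob)
    devices = profile.get("ProvisionedDevices", [])
    return {
        "kind": classify(profile),
        "team": profile.get("TeamIdentifier", []),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "device_count": len(devices),
        "udid_listed": None if udid is None else udid in devices,
    }

# Constructed sample: fake CMS framing around a plist with made-up values.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = b"\x30\x82\x0b\xad" + plistlib.dumps({
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": [SAMPLE_UDID, "f" * 40],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.demo",
        "get-task-allow": False,
    },
}) + b"\x00trailing-signature-bytes"

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE_UDID))
```

To check a real package, pass the bytes of Payload/*.app/embedded.mobileprovision from the unzipped ipa to audit().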


Posted on Mon, 23 Sep 2019 04:02:15 -0400 by hazel999