Application Signing

Application signing allows iOS to identify who signed an app and to verify that the app has not been modified since the developer signed it. The Signing Identity consists of a public-private key pair that Apple creates for developers.

Certificate Signing Request

A Certificate Signing Request or CSR is a block of encoded text that is given to a Certificate Authority when applying for a certificate. It is usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time the CSR is created, making a key pair.

Apple (as a certificate authority) uses the CSR to create an SSL certificate for the developer, but it does not need the private key to create one. A certificate created from a particular CSR only works with the private key that was generated together with that CSR, so if the private key is lost, the certificate no longer works.

What is contained in a CSR?

What does a CSR look like?

Most CSRs are created in the Base-64 encoded PEM format.


Signing process

  • Create a Certificate Signing Request through the Keychain Access application.

  • Keychain Access creates a private key (stored in the keychain) and a certSigningRequest file, which the developer then uploads to Apple.

  • Apple verifies the request and issues a certificate. The certificate contains the public key and can be downloaded. After downloading it, the developer needs to add it to Keychain Access. The certificate is stored in the keychain and paired with the private key to form the Code Signing Identity.

  • During app installation, iOS verifies that the private key that was used to sign the app matches the public key in the certificate. If this check fails, the app is not installed.
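The CSR section and the signing steps above, reproduced with openssl as an added example (not code from the original page): the subject fields are made up, and a self-signed demo CA stands in for Apple. It shows that the CSR carries only the public key, that the issued certificate pairs with the private key the CSR was made from, and that a signature from an unrelated key is rejected.

```shell
#!/bin/sh
# Added example (not from the original page): the key / CSR / certificate relationship
# described above, built with openssl instead of Keychain Access. The subject fields
# are made up and a self-signed demo CA stands in for Apple.
set -eu
WORK="$(mktemp -d)"
DEV_KEY="$WORK/dev.key"; OTHER_KEY="$WORK/other.key"; CSR="$WORK/dev.certSigningRequest"
CA_KEY="$WORK/ca.key";   CA_CRT="$WORK/ca.crt";       DEV_CRT="$WORK/dev.crt"

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# The CSR carries the subject (C, L, O, CN) and the public key; the private key stays local.
gen_csr() { openssl req -new -key "$1" -out "$2" -subj "/C=US/L=Cupertino/O=Example Dev Co/CN=Example Dev Co"; }

# The CA signs the CSR to issue the certificate; the developer's private key is not used here.
issue_cert() {  # $1 = csr, $2 = output certificate
  openssl x509 -req -in "$1" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial -days 30 -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of a PEM public key on stdin, so keys from different files can be compared.
fpr()          { openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'; }
key_pub_fpr()  { openssl pkey -in "$1" -pubout | fpr; }
csr_pub_fpr()  { openssl req -in "$1" -noout -pubkey | fpr; }
cert_pub_fpr() { openssl x509 -in "$1" -noout -pubkey | fpr; }

# Sign with a private key, verify with the public key pulled from the certificate: the
# pairing check the text describes at install time.
sign_file()  { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }   # $1 key, $2 file, $3 sig
verify_sig() {                                                     # $1 cert, $2 file, $3 sig
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

setup_demo() {
  gen_key "$DEV_KEY"; gen_key "$OTHER_KEY"; gen_key "$CA_KEY"
  openssl req -x509 -new -key "$CA_KEY" -subj "/CN=Demo CA" -days 30 -out "$CA_CRT"
  gen_csr "$DEV_KEY" "$CSR"
  issue_cert "$CSR" "$DEV_CRT"
  printf 'constructed app payload\n' > "$WORK/app.bin"
  sign_file "$DEV_KEY"   "$WORK/app.bin" "$WORK/good.sig"
  sign_file "$OTHER_KEY" "$WORK/app.bin" "$WORK/bad.sig"   # signed with an unrelated key
}

setup_demo
openssl req -in "$CSR" -noout -subject                          # what the CA sees in the CSR
[ "$(cert_pub_fpr "$DEV_CRT")" = "$(key_pub_fpr "$DEV_KEY")" ] && echo "certificate pairs with dev key"
verify_sig "$DEV_CRT" "$WORK/app.bin" "$WORK/good.sig" && echo "dev-key signature verifies"
verify_sig "$DEV_CRT" "$WORK/app.bin" "$WORK/bad.sig"  || echo "unrelated key's signature rejected"
```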

The digital signature

Signed code contains several different digital signatures:

  • If the code is universal, the object code for each slice (architecture) is signed separately. This signature is stored within the binary file itself.

  • Various data components of the application bundle (such as the Info.plist file, if there is one) are also signed. These signatures are stored in a file called _CodeSignature/CodeResources within the bundle.

  • Nested code, such as libraries, helper tools, and other bits of code that are embedded in the app are themselves signed, and their signatures are also stored in _CodeSignature/CodeResources within the bundle.

