Extracting and Using a Provisioning Profile

Last updated October 18, 2022 by Roy Cohen

Code signing is a prerequisite for installing any app on a mobile iOS device.
A valid signature, which uses an Apple-issued certificate, ensures the integrity of an app and stands as proof that the app comes from a known and approved source and has not been tampered with.
By enforcing mandatory code signing, Apple ensures that no third-party app loads unsigned code resources or uses self-modifying code.

During the Appdome app build process, adapters are added to the app to achieve the requested added functionality. As a result, the app’s original signature is invalidated, and the app must be re-signed before it can be deployed on mobile devices.

Appdome allows signing an app via the Sign tab, by using any of the following methods:

  • On Appdome
    Allows Appdome to take care of the entire signing process. You only need to provide the signing credentials. For details, see topic How to Sign Secured iOS Apps without Xcode.
  • Private Signing
    Gives you full responsibility for handling the entire signing process. For details, see topic How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System.
  • Auto-DEV Private Signing
    Allows you to sign the app without uploading the signing certificate to Appdome’s cloud service. Appdome provides you with a script (.sh file), which runs in your trusted environment and signs the app by using your credentials (certificate and password) as input. For details, see topic How to Automate Secure iOS App Code Signing in DevOps CI/CD.

As part of the Appdome signing process for secured iOS apps, when using either Auto-DEV Private Signing or On Appdome signing, you are required to extract and upload a provisioning profile and an entitlements file for each executable in the app and, when using On Appdome signing, a P12 certificate and its password.

This article provides instructions for extracting a provisioning profile and using it via Appdome or Xcode.

What is a Provisioning Profile?

A Provisioning Profile allows you to install apps onto your iOS device and includes the signing certificates, a list of supported device identifiers (for the development and ad-hoc provisioning profile types only), entitlements, App ID and more.

The following types of provisioning profile can be generated:

  • Development Profile
    Used for installing an app on a registered device in debug mode.
  • Ad-hoc Profile
    Used at a later stage of the development process, in particular for distributing the app to testers that are not part of the iOS developer program for your organization.
  • App Store Profile
    A profile that is used for the distribution of a completed app to the App Store for sale, or to upload the application to the TestFlight platform.

Extracting a Provisioning Profile

To extract a provisioning profile for distribution to the App Store:

  1. From your selected browser, go to iOS Dev Center and sign in with your Apple ID.
  2. In the iOS Dev Center, click Certificates, Identifiers & Profiles.
  3. Go to Profiles.
  4. Click +.
  5. Select the requested Distribution/Development type.
  6. Select an App or plugin ID.
  7. Select a certificate to include in the provisioning profile and click Continue.
  8. Enter a name for the profile and click Generate.
  9. (Optional) Click Download to download the provisioning profile.
    The downloaded provisioning profile file can be opened by any text editor.

In order to sign an iOS executable, you need to define each executable’s capabilities and permissions via the executable’s entitlements.
The entitlements are part of the signature and are embedded into the executable.

If the app does not request an entitlement, the OS will not allow the matching application service at run time. Example entitlements are push notification, App-Groups (allow IPC between applications on the same device), Keychain access groups, and iCloud.

An entitlements file can be opened and edited by any text editor.

Congratulations! You have now extracted the provisioning profile file required for signing your secured iOS application.

How to use the obtained provisioning profile

You can use this provisioning profile when exporting your application from Xcode.
After archiving your application, select the type of your provisioning profile, then select the provisioning profile you have generated and download it.
You can also use this provisioning profile when signing your application on Appdome’s platform.

After performing the above steps and generating provisioning profiles for all your application’s executables, you can upload them on the Sign tab for either On Appdome signing or Auto-DEV Private Signing.

FAQ

How do I extract the target bundle identifier from the provisioning profile file?

  1. Open your file.mobileprovision file in a text editor.
  2. Look for the application-identifier key, which is stored in the Entitlements section inside your provisioning profile file.
    The value for this key is a prefix with the team identifier used when generating this target, followed by the target bundle identifier.

How do I extract the target team identifier from the provisioning profile file?

  1. Open your file.mobileprovision file in a text editor.
  2. Look for the com.apple.developer.team-identifier key, which is stored in the Entitlements section inside your provisioning profile file.
    The value for this key is the team identifier.

How do I determine the type of the provisioning profile file?

  1. Open your file.mobileprovision file in a text editor.
  2. Look for the aps-environment key, which is stored in the Entitlements section inside your provisioning profile file.
    If this value is development, then this is the provisioning profile file’s type.
  3. Look for the key get-task-allow.
    If the value of this key is True, the provisioning profile file’s type is development.
  4. If you failed to find the file’s type, and the key ProvisionedDevices exists, the type is Ad-Hoc.

How do I determine whether the provisioning profile expired?

  1. Open your file.mobileprovision file in a text editor.
  2. Look for the ExpirationDate key.
    If the value indicated in this key is earlier than today, your profile has expired.
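
The four lookups above (bundle identifier, team identifier, profile type, expiration) can be scripted instead of read by eye. The following is an added example, not Appdome's code: it cuts the XML plist out of the signed binary container of a .mobileprovision file without verifying the signature, and the sample profile and its identifiers are constructed for illustration.

```python
import plistlib
from datetime import datetime, timezone

def load_profile(blob):
    # A .mobileprovision file wraps an XML plist in signed binary data, so
    # cut out the XML document. The signature itself is NOT verified here.
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def summarize(profile, now=None):
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ent = profile.get("Entitlements", {})
    # application-identifier is "<team prefix>.<bundle identifier>"
    _prefix, _, bundle_id = ent.get("application-identifier", "").partition(".")
    if ent.get("aps-environment") == "development" or ent.get("get-task-allow") is True:
        kind = "development"
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc"
    else:
        kind = "undetermined"  # the FAQ's checks stop here
    return {
        "team_id": ent.get("com.apple.developer.team-identifier"),
        "bundle_id": bundle_id,
        "type": kind,
        "expired": profile["ExpirationDate"] < now,
    }

# Constructed sample: fake container bytes around a minimal profile plist.
SAMPLE = b"\x30\x82\x0b\x1f" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.demo</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><false/>
  </dict>
  <key>ExpirationDate</key><date>2023-10-04T09:00:00Z</date>
  <key>ProvisionedDevices</key><array><string>CONSTRUCTED-UDID</string></array>
</dict>
</plist>""" + b"\x00\x01"

if __name__ == "__main__":
    print(summarize(load_profile(SAMPLE)))
```

Running this check in CI before the signing step catches an expired or wrong-type profile before the signing job fails on it.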

What is the difference between the Entitlements section in my provisioning profile file and the entitlements used to sign my application?

The entitlements used to sign your application, which Xcode saves in the derived data folder, are the entitlements your application is using.

The Entitlements section in the provisioning profile file contains the entitlements you declared for your application in your Apple Developer account when generating your provisioning profile.

For Further Details:

If you have any questions, you are welcome to contact us at support@appdome.com or via the chat window on the Appdome platform.
