Validate certificate and provisioning profile
Answering my own question, I hope this helps someone else.
Turns out, the mobileprovision file is a PKCS7 digitally signed message. It is not signed with the developer's certificate, but with Apple's one.
However, the data that's signed is an XML plist that contains the public key of the certificate you use to sign your binaries.
So basically, the steps are as follows:
- Extract the data from the PKCS7 file.
- Extract the public-key from the p12 file.
- Compare the two, and check if they are the same.
I managed to do this easily with Ruby, since it provides nice wrappers to OpenSSL. I left a script in Github, if anyone wants to use.
The relevant parts of the code are as follows:
profile = File.read(@profile_file)certificate = File.read(@certificate_file)p7 = OpenSSL::PKCS7.new(profile)cert = OpenSSL::PKCS12.new(certificate, @certificate_password)store = OpenSSL::X509::Store.newp7.verify([], store)plist = REXML::Document.new(p7.data)plist.elements.each('/plist/dict/key') do |ele| if ele.text == "DeveloperCertificates" keys = ele.next_element key = keys.get_elements('//array/data')[0].text profile_cert = "-----BEGIN CERTIFICATE-----" + key.gsub(/\t/, "") + "-----END CERTIFICATE-----\n" @provisioning_cert = OpenSSL::X509::Certificate.new(profile_cert) endend# Compare @provisioning_cert.to_s and cert.certificate.to_s
Here is a blog entry I found that explains the structure of the .mobileprovision file: .mobileprovision files structure and reading
And thats how csr files are looking like: What is a CSR (Certificate Signing Request)?
I don't think that there is already a working solution out there exactly fitting your needs. That's probably not the answer you were looking for, but I hope that you will find a connection somehow.