What is Code Signing in iOS & How it Works?
In this article, we will learn the What, Why & How parts of Code Signing in iOS Development.
The concept of code signing is very similar to the real world. When any document or contract is signed we are sure that it will not be illegally modified by someone. It gives us a sense of security since it comes from trusted authorities.
Code signing is the process of digitally signing our code to confirm the Developer’s identity and guarantee that code has not been altered or corrupted.
Why do we need Code Signing?
iOS devices only run apps that have been signed by trusted developers. Apple uses a strong code signing mechanism to provide security, integrity, and safety for iOS apps downloaded from the App Store.
Code signing is for the safety and security of iOS users so that they feel safe using the apps they downloaded from the app store.
How it works?
The code signing uses Asymmetric cryptography to verify authenticity and integrity of the code.
Asymmetric cryptography uses the concept of Public key and Private key for secured communication.
Lets quickly understand how Asymmetric cryptography works:
Suppose Alice & Bob both have their own Private & Public keys & Alice wants to communicate with Bob.
Both will share their public keys to each other and keep the private key with themselves.
Now Alice will encrypt the document with Bob’s Public key & will send it to him.
Since it was signed with Public key of Bob, it can only be opened/decrypted with Bob’s Private key.
Please refer to the video below which explains this concept beautifully.
https://www.youtube.com/watch?v=AQDCe585Lnc&t=169s
Code Signing Process:
Coming back to Code Signing, let us see how things work under the hood.
First we need a Certificate from Apple for Code Signing identity. We need to generate a certificate signing request (CSR) in order to apply for the certificate.
What is CSR?
A CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for a certificate. The CSR can be generated using Keychain Access.
Please refer to this documentation for a detailed process:
https: //support.apple.com/en-in/guide/keychain-access/kyca2793/mac
Following things take place when we create CSR in our local machine:
- The public/private key pair is generated under the hood.
- The public key is attached to our CSR.
- The private key is kept inside our local machine.
- certSigningRequest file is downloaded which we need to upload to Apple
Apple certificate authority will use this CSR to create our certificate which will have our public key embedded in it. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
After the certificate is downloaded it will be pushed into your keychain and paired with a private key to form the Code Signing Identity.
Benefits of Code Signing
iPhone users feel secure when they download any apps from the app store, because the code signing ensures that,
- The Developer/Owner of the App is legitimate and verified by Apple.
- Code has not been modified by some middle party after it was signed by Developer.
Although Code signing ensures that App is downloaded from a Verified account but doesn’t guarantee that the code itself is free from security vulnerabilities.
In the next article, we will see how a provisioning profile is used along with code signing to make the App installation process more secured.
Thanks for reading. Please share your feedback for improvements.
