1

When signed with a certificate which is not included in the provisioning profile, still app is able to install successfully on device,how ?

I have two wild card signing Identities A B

I created provisioning profile with Signing identity A

Now from command line i resigned it with B using the same provisioning profile.

App getting installed successfully, how ?

Madhu Avinash
  • 933
  • 2
  • 8
  • 27
  • First of all, without including certificate in provisioning profile it's not possible to install app on your device. May be your xcode created certificate for you. – Sivajee Battina May 10 '17 at 06:15
  • Because you are using wild card signing identities, chances of installing on the device are there if that wild card signing identity included in provisioning profile – Sivajee Battina May 10 '17 at 06:17
  • @SivajeeBattina Its not from Xcode its from command line I created a provisioning profile which i included some other wild card signing identity intentionally What error should i get in device log ? – Madhu Avinash May 10 '17 at 06:22
  • @SivajeeBattina Technically, you don't need to include the provisioning profile with the app. The only thing iOS cares about is if there is a valid provisioning profile for that signing identity on the device. Typically, that is done by packaging the profile with the app in the embedded.mobileprovision file as part of the bundle. However, there are other ways to get valid profiles on the device, such as previous installs (especially when using wildcard ids), or having MDM push the profile to a managed device. – wottle May 12 '17 at 00:59

1 Answers1

0

You need to understand that in order to run an app on an iOS device, you just need a valid provisioning profile.

You have two wildcard provisioning profiles, so technically both could work. However, you state that your provisioning profile was created with Signing identity A. First, confirm that your provisioning profile has only the Cert for identity A selected. Technically, a provisioning profile can be valid with multiple certificates.

If you confirm that your profile is not associated with the cert for signing identity, meaning the profile should not be valid if you signed the app with identity B, the other likely reason is that you already installed the app (or some other app) using the profile and signing identity A. If that is the case, there is a valid provisioning profile on the device that says your app should be allowed to run. I posted some more details about scenarios where the provisioning profile packaged with the app may be invalid / expired / etc. but the app will still run on the device in this post.

If you are expecting to use the code signing / provisioning profile to keep an app from successful install, you should have a dedicated, explicit bundle Id in your provisioning profile, along with a certificate specifically for that app ID. Then you can expire the profile and revoke the cert when you need to prevent the app from running on devices.

Edit: To check if this is due to an existing provisioning profiles, open Xcode, go to Window->Devices Right click on the device in question and select "Provisioning Profiles", like this:

enter image description here

If you want to try it out, you can remove all the provisioning profiles from the device and try to re-install. If you really only have a provisioning profile that is configured to accept the signing identity A, and you sign the binary with signing identity B, it should not work.

Community
  • 1
  • 1
wottle
  • 13,095
  • 4
  • 27
  • 68