PKI for Code-Signing
The x509 public key infrastructure is a very complex system of checks and balances that helps to ensure that digital information can be transmitted between two parties while maintaining the security of the message and verifying the identities of both parties.
Imagine that you want to send a letter to your friend across the country, but your friend wants to make sure that the letter is coming from you. In order to prove your identity, you put your hand-written signature on the letter before you send it. This way, when your friend sees your handwriting (which your friend already knows and trusts) he can be assured that you must have written it, and so the letter must be from you.
Of course, this is a very general analogy to how PKI works. I should also mention that just by putting the signature on the letter, there was no added security, just added identity. If anyone intercepted our letter, they could plainly see the message that was written, and they would know where it came from. This highlights the separation between code-signing (applying the signature) and encryption (adding security and privacy to the message).
The x509 PKI contains both processes mentioned above, but they are applied separately. The common link between both processes is the use of public-key cryptography, a group of mathematical algorithms, that ensure privacy and validity through use of very large prime numbers. For now, I’ll leave the low-level details of PKI for another article.
The main takeaway from this section is to note that code-signing by itself doesn’t make your file secure, it just helps the recipient know that you created the file. One of the added features of this system comes from the fact that if the contents of the file are changed in any way, the signature is broken, and the recipient will know it’s not the message you intended them to receive.
Signing with Apple Developer Certificates
In order to use the Development and Distribution certificates that Apple provides to you’ll have to ensure that you have it installed in your workstation’s keychain.
First, you’ll want to go to https://developer.apple.com, sign in, and head to the certificates section. From there, you should be able to download the iOSDevelopment and iOSDistribution certificates.
Opening those files once they are downloaded will install the certificates into the keychain. We should verify that the code-signing identities are installed. We can do this with the
/usr/bin/security find-identity -p codesigning -v command in the terminal, which will list the installed certificates. Our certificate from above should be in the list now.
In the keychain, right click the new certificate and export it out to a .p12 bundle. We will convert this .p12 bundle into the .pem format we need by using
openssl pkcs12 -in mycertfile.p12 -out mycertfile.pem -nodes in the terminal. The result will be a cert.pem file, with both the private-key and certificate installed inside. We are almost ready to sign the files.
You see, if we only use our certificate to sign our file, we will only establish the very last link in the public key chain. This means that only people who know our signature specifically can verify its validity. PKI goes one better and uses a chain of trust to provide validity to more people. In basic terms, as you move up the chain, there are more credible sources to verify the identity.
Imagine the post office had a database of everyones’ signatures. As mail came into each office, they could verify the signature, and when the recipient came to retrieve the letter, they could say “trust me, it’s legitimate”. This is virtually how the PKI trust chain works, each higher link in the chain verifying the identity of those below them.
If we want more people to be able to verify our signed file, we want to sign it not only with our certificate, but also with the certificates of the rest of the trust chain. That way if those people have the higher up certificates pre-installed on their devices (as they all do in the case of the Apple Root Certificate), they will receive trust up the chain.
To prepare our chain for signing, we must download the intermediate certificates, convert them into a usable form, and then combine them into one master chain file.
The Apple PKI certificates can be found at http://www.apple.com/certificateauthority/. For using the developer certificates, we want the World Wide Developer Relations Certificate Authority and it’s parent, the Apple Root Certificate Authority. You will now have AppleWWDRCA1.cer and AppleIncRootCertificate.cer downloaded.
To convert them to .pem format, we can use
openssl x509 -inform der -in certname.cer -out certname.pem in the terminal on each file. Now, we can combine them both into a combined chain by calling
cat AppleWWDRCA1.pem AppleIntRootCertificate.pem > IntermediateChain.pem in the terminal. The result is the chain file that we were after, and we can delete the
.cer files and the two
.pem files we combined together. Now we have everything we need to apply our signature.
Signing Your File
Now we have our signing certificate and our intermediate chain files ready to sign our XML configurations. By issuing a
openssl smime -sign -in unsigned.xml -out signed.xml -signer mycertfile.pem -certfile IntermediateChain.pem -outform der -nodetach in the terminal, the result will be a signed XML file called signed.xml with the applied signature.