
Has anyone done any investigation as to whether the Apple AppStore distribution private key/certificate can be stored on a smartcard? I work for a large company that is about to release several iOS applications and we're concerned about the best way to protect our production distribution keys and certificates. Is it possible to generate and store these keys/certs on a smartcard and then use that smartcard when signing the app for distribution? Are there particular smartcard vendors that work well on OSX?

Shadowman

3 Answers


You should be able to code sign any app given that your certificate and its matching keys are available in your Keychain.

SmartCard Services looks like the tool you need for the case these assets (cert+keys) are stored on a smart card.

Danra

An Enterprise Program will let you make distribution builds that will run on all devices without needing to re-sign.

Sending your key & certificate out is inadvisable: not only does it mean that anyone who gets hold of them can build apps in your name, but it will also become problematic when you have to update the certificate.

Though in direct answer to your question - yes you can store them anywhere you want. They are just files.

Wex
    No, I'm not talking about a memory card or anything like that. I'm talking about a cryptographic smart card that will be used to protect the certificate and private key. They would not be "just files". – Shadowman Feb 05 '12 at 03:28

EDIT:

After your comment, further investigation, and from memory, there are two elements/files needed to sign an app:

  1. Keychain: The Developer/Distribution Certificate (the one created by you to request a distribution certificate from Apple)
  2. MobileProvision: The Provisioning profile (the certificate provided by Apple, which is invalid without the previous keychain certificate #1 and is used by Xcode to sign an app)

These two files are at separate places:

  1. The developer certificate is in the keychain, according to Wikipedia by default in ~/Library/Keychains (session) and /Library/Keychains (system), and after checking a bit with the "Keychain" utility app, it appears that you can register/create any ".keychain" file at any path. So I guess you can add your certificates from an external .keychain file using a smartcard, w/o copying them to your Mac (to be verified; it would be surprising/strange, but maybe these are cloned to some cache or whatever). I haven't tested this, but then it would make sense that Xcode uses "Keychain Services", making these underlying .keychain files transparent. So Xcode should just find the certificate "automagically" from an external keychain file.
  2. MobileProvision: ~/Library/MobileDevice/Provisioning Profiles/SOME-UUID.mobileprovision. I'm afraid you can't tell Xcode to look in another path.

In both cases, I guess you can probably trick the apps (Xcode...)/services (Keychain...) using symlinks... (ln -s ...)

I hope this information helps you do the job... Good luck!

Not so off-topic, but I would be curious to know what kind of scenario makes this kind of security legitimate. Once again, only the Apple developer admin account has the "god powers"... certificates are pretty much useless w/o that account, unless you are doing ad-hoc/enterprise distribution...

ENDOFEDIT


AFAIK, Apple generates all the certificates = files. You can protect these files the way you want, but anyway, to sign an app you will need to copy them onto a Mac at signing time (in a particular place, the keychain, where Xcode gets them). I doubt any "smartcard" or similar solution will be reliable...

What you can do is dedicate one mac to app signing and secure its access (via smartcard, biometrics, just a login/password... or even a locked door!)

Assuming AppStore is your target:

IMHO, being scared of stolen distribution certificates is a bit paranoid and useless. To submit an app to the AppStore you will anyway need the iTunes account administrator account, the only one that has that power. In other words, a signed package can't be submitted to Apple w/o that account.

So only that iTunes Connect admin account/password must really be secured. (And in the worst case I'm pretty sure Apple can block/restitute a stolen account.)

And with that administrator account, you can cancel any app submission, revoke/regenerate all certificates... (No app is immediately validated; you have a ~10 day approval period to cancel it, with the admin notified via email.)

Vincent Guerci
  • Yes, I know that the certificate and private key need to be available via the keychain in order to sign the app. My real question is, if the keys and cert are on a smartcard (the contents of which should be visible within the keychain, with the appropriate drivers) will Xcode be able to leverage them to sign the app? Or, does it strictly require that they be files stored on the hard drive? We have a legitimate use case for this, so we're not just being paranoid. (Although, being a security guy I'm ALWAYS paranoid) – Shadowman Feb 07 '12 at 14:57
  • See my edit on further detail about signing mechanism/involved files – Vincent Guerci Feb 07 '12 at 23:15
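The certificate/provisioning-profile pairing described in the answer above can be checked from a script before a signing run. This is an added example, not code from any of the answerers: it pulls the plist out of a .mobileprovision (a CMS-signed plist) and tests whether the SHA-1 fingerprint that `security find-identity -v -p codesigning` prints for a keychain identity (file-backed or smart-card-backed, the keychain does not care) appears in the profile's DeveloperCertificates. The sample profile bytes and the stand-in DER blob are constructed; the `<?xml`/`</plist>` search is a heuristic, and `security cms -D -i profile.mobileprovision` is the authoritative decoder on macOS.

```python
import hashlib
import plistlib
from datetime import datetime, timezone


def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob.

    A profile is a CMS (PKCS#7) signed message whose content is a plist; the
    plist is not encrypted, so locating it between <?xml and </plist> works.
    This does NOT verify Apple's signature; use `security cms -D` for that."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def cert_fingerprints(profile: dict) -> set:
    """SHA-1 of each DER cert in DeveloperCertificates; this is the same hash
    that `security find-identity -v -p codesigning` prints per identity."""
    return {hashlib.sha1(der).hexdigest().upper()
            for der in profile.get("DeveloperCertificates", [])}


def check_profile(profile_bytes: bytes, identity_sha1: str, now=None) -> dict:
    """Report whether the keychain identity (by SHA-1 fingerprint) is allowed
    by the profile and whether the profile is still within its validity."""
    profile = extract_plist(profile_bytes)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamIdentifier", [None])[0],
        "expired": profile["ExpirationDate"] < now,
        "identity_in_profile": identity_sha1.upper() in cert_fingerprints(profile),
    }


# Constructed sample: a stand-in DER blob (not a real certificate) and a plist
# wrapped in junk bytes to mimic the CMS envelope around a real profile.
FAKE_DER = b"constructed-der-placeholder-not-a-real-certificate"
SAMPLE_IDENTITY_SHA1 = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_PROFILE = b"\x30\x82\x01\x00junk" + plistlib.dumps({
    "Name": "Example Distribution Profile",
    "TeamIdentifier": ["ABCDE12345"],
    "ExpirationDate": datetime(2099, 1, 1),
    "DeveloperCertificates": [FAKE_DER],
}) + b"\x00trailing-signature-bytes"

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE, SAMPLE_IDENTITY_SHA1))
```

On a real Mac, feed it the file from ~/Library/MobileDevice/Provisioning Profiles/ and the hash column from `security find-identity -v -p codesigning`; a missing match explains the usual "no matching provisioning profile" Xcode error before any key leaves the card.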