Why can't I add APNs Development iOS typed certificate to provisioning profile

I am trying to implement APNS for my application. I created an APP id and was able to generate an SSL certificate for my application (type shown as development APNs IOS). However, when I try to create a provisioning profile following the screen where I select the AppID of my application, I cannot see the SSL certificate that I am creating for this application. In the list of certificates, I only see IOS development type certificates that were created earlier.

+3




1 answer


The APN certificate you create is used by what the documentation calls the "APNs Provider". In the simplest case, this is your own server, which is responsible for tracking APN device tokens and creating APNs Push Payloads that instruct APNs on what message, sound, or icon to send to a specific device token. Just as the location of executable code and other assets in your application is secured by a cryptographic signature (via an iPhone Development or iPhone Distribution certificate and associated provisioning profile), you must also provide communication between your server and the Apple APN gateway to prevent rogue third parties from disguising themselves as your server and sending spam messages to your users. This SSL APNs certificate is used to secure and authenticate your server's APN connection, allowing it to deliver push apps for your app to user devices. Keep these certificates safe! If someone gains access to the private key of the SSL certificate, they can send spam messages to your application!

The APNs provider will need access to the private key for this SSL certificate. Without it, Apple APN gateways will reject any connection attempts. Your provider does not need to have provisioning profiles - this APN certificate is completely isolated from the mechanisms used to denote the iOS app code, meaning the server only needs the server certificate, and the app requires the code signing certificate + profiling. These two elements do not overlap and do not exchange data with each other.

It is true that your provisioning profiles (Development, Ad-Hoc Distribution, and App Store Distribution) need to be reissued, but this is specifically in order to add the right aps-environment to each of these profiles so that applications signed with these profiles can connect to the APN environment. To be absolutely clear, re-issuing these profiles should not add your SSL APN certificate anywhere in the profile. Your application code should not use this certificate in any way and will result in a slight increase in the size of your application.

You can check if your current entitlement profiles include aps-environment by opening a terminal and copying and pasting the following, taking care to update the path to your specific .mobileprovision:

/usr/libexec/PlistBuddy -c 'Print :Entitlements' /dev/stdin <<< $(security cms -D -i /path/to/your/application.mobileprovision)

This command has two functions:

  • Uses the security tool in OS X to extract the content of a plist from the .mobileprovision file identified after the -i argument, and passes all of that content to ...
  • PlistBuddy, to print the entire contents of the Entitlements key on the screen.

The output for a basic development profile that was not enabled for push notifications will look like this:

Dict {
  get-task-allow = true
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

      

Whereas the output for the main Ad-Hoc or App Store profile that was not enabled for Push notifications will resemble this:



Dict {
  get-task-allow = false
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

      

Now that you have APN certificates issued for your AppId, you need to go through and republish the Development, Ad-Hoc, and Distribution Provisioning Profiles to add the entitlement aps-environment to each of your profiles.

  • Go to the Certificates, Identifiers and Profiles tool and find one of the profiles associated with this application.
  • Click the "Edit" button and walk through each step of the wizard - you don't need to make any changes to the previously defined settings, you just need the current profile that has been re-issued!
  • Click the Download button at the end of the wizard.
  • Drag the updated profile onto the Xcode icon on your dock for installation.

If you run the same set of terminal commands again on these new files (remember to update the path to the new .mobileprovision one if needed!), you will now see that your applications will display aps-environment:

Dict {
  get-task-allow = true
  aps-environment = development
  com.apple.developer.team-identifier = ABC1DEF2G3
  application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
  keychain-access-groups = Array {
      XYZW1ABC2D.*
  }
}

      

There are two meanings for this new key:

  • aps-environment = development - This will only show up in Provisioning Profiles and allows apps signed with iPhone Developer certificates to connect only to the APN Sandbox environment.
  • aps-environment = production - This will only show up in Provisioning Profiles (Ad-Hoc or App Store), allowing applications signed with iPhone Distribution certificates to connect to the APN Production environment.

The certificate you use to sign the assembly determines which APN gateway your app connects to in order to retrieve the Push token, as well as the gateway through which your app receives push messages. One of the most common pitfalls encountered by developers regarding push notifications is an inconsistency between how the app is signed and the way their server connects to Apple APN gateways:

  • Apps signed with development certificates can only successfully negotiate APNs and receive Push messages when the Provider also connects with the development APS SSL certificate to the APN Sandbox gateway and uses the sandbox device token in the payloads they generate.
  • Applications signed with distribution certificates can only successfully negotiate APNs and receive Push messages when the Provider also connects with the production APN SSL certificate to the Production APN gateway and uses the production device token in the payloads they generate.

Take a photo and let us know how things are going!

+26
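The signing/gateway mismatch described in the answer can be checked before a build ships. The following is an added example, not code from the answer: it pulls the Entitlements out of a .mobileprovision blob and compares aps-environment and get-task-allow with the gateway the provider is configured for. The function names and the sample profile are constructed for illustration, and it assumes the XML plist is stored contiguously inside the CMS wrapper; it does not verify the CMS signature.

```python
import plistlib

PLIST_END = b"</plist>"

def read_entitlements(blob: bytes) -> dict:
    """Return the Entitlements dict embedded in a .mobileprovision blob.

    Assumption: the XML plist sits contiguously inside the CMS wrapper.
    The signature is not checked here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    profile = plistlib.loads(blob[start:end + len(PLIST_END)])
    return profile.get("Entitlements", {})

def check_push_setup(entitlements: dict, provider_gateway: str) -> list:
    """List mismatches between a profile and the provider's gateway.

    provider_gateway is "sandbox" or "production" (hypothetical labels).
    """
    env = entitlements.get("aps-environment")
    if env is None:
        return ["no aps-environment: re-issue the profile with push enabled"]
    if env not in ("development", "production"):
        return ["unexpected aps-environment value: %r" % env]
    problems = []
    expected = "sandbox" if env == "development" else "production"
    if provider_gateway != expected:
        problems.append("profile is %s but provider uses the %s gateway"
                        % (env, provider_gateway))
    # Per the outputs above: development profiles carry get-task-allow = true,
    # Ad-Hoc / App Store profiles carry get-task-allow = false.
    gta = entitlements.get("get-task-allow")
    if gta is not None and gta != (env == "development"):
        problems.append("get-task-allow=%s does not match a %s profile" % (gta, env))
    return problems

def constructed_profile(entitlements: dict) -> bytes:
    """Build a constructed stand-in for a signed profile (sample input only)."""
    body = plistlib.dumps({"Name": "constructed sample", "Entitlements": entitlements})
    return b"\x30\x80<constructed CMS header>" + body + b"<constructed signature>"

if __name__ == "__main__":
    dev = constructed_profile({"get-task-allow": True, "aps-environment": "development"})
    print(check_push_setup(read_entitlements(dev), "production"))
```
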

