简体繁体 English

Apple Developer / iOS分发证书管理

[英]Apple Developer /iOS Distribution Certificate Management

原文 2016-08-15 05:36:27 9 2 ios/ iphone/ xcode/ certificate

We are struggling with the Distribution Certificate handling from Apple. 我们正在努力处理Apple的分销证书处理。 We have several developers setup in the Apple Developer Portal, for the sake of the example: Alice: Team Admin Bob: Admin Charles: Admin Dan: Developer 为了示例，我们在Apple Developer Portal中设置了几个开发人员： Alice：Team Admin Bob：Admin Charles：Admin Dan：开发人员

Alice, Bob, and Charles should be able to build Apps for Distribution (Adhoc for internal testing, Testflight for external testing, and Appstore for distribution). Alice，Bob和Charles应该能够构建分发应用程序（Adhoc用于内部测试，Testflight用于外部测试，Appstore用于分发）。 Dan is only producing code and debugging on his local machine. Dan只在他的本地机器上生成代码和调试。 All users use individual accounts for the development. 所有用户都使用个人帐户进行开发。

From what we understood from the Apple documentation, Alice, Bob, Charles need a valid distribution certificate. 根据我们对Apple文档的理解，Alice，Bob，Charles需要有效的分发证书。 If xCode generates it for them, they will start playing “ping pong”, and keep revoking each other's certificate – at least this is what appears to be happening at the moment. 如果xCode为它们生成它，它们将开始播放“乒乓”，并继续撤销彼此的证书 - 至少这是目前正在发生的事情。 We are not sure why this would happen. 我们不确定为什么会这样。 One would think, that if you create a different new user this account can also maintain his own (distribution) certificates. 有人会认为，如果你创建一个不同的新用户，这个帐户也可以维护自己的（分发）证书。

Anyway, so they will need to share a distribution certificate, by sharing the private key (p12 file) of it, as you can find in the answer here . 无论如何，所以他们需要共享一个分发证书，通过共享它的私钥（p12文件），你可以在这里找到答案。

In our account, it appears as if we can have up to two valid distribution certificates. 在我们的帐户中，似乎我们最多可以拥有两个有效的分发证书。 We don't really know how this ultimately worked – we didn't do it manually over the developer portal, but used xCode for it. 我们真的不知道这最终是如何工作的 - 我们没有通过开发人员门户手动完成，而是使用xCode。 Alice generated her certificate, Bob revoked and regenerated, Alice did the same thing – but suddenly they both had a valid distribution certificate, instead of invalidating Bobs certificate. Alice生成了她的证书，Bob撤销并重新生成，Alice做了同样的事情 - 但突然他们都有一个有效的分发证书，而不是使Bobs证书无效。

In the documentation it was mentioned that you can have up to 2 valid distribution certificates. 在文档中提到您最多可以拥有2个有效的分发证书。 We have also manually tried to generate the distribution certificates and could confirm that it is limited to two. 我们还手动尝试生成分发证书，并确认它仅限于两个。

However, we then got recently invited to a customer's developer program to sign apps on his behalf. 然而，我们最近被邀请到客户的开发者计划代表他签署应用程序。 I assume the customer was not aware that we require the private key from his distribution certificate. 我假设客户不知道我们需要他的分发证书中的私钥。 We therefore tried to manually generate a distribution certificate, and saw that it was not possible. 因此，我们尝试手动生成分发证书，并发现它是不可能的。 To our surprise though, the customer managed to generate 3 valid distribution certificates. 令我们惊讶的是，客户设法生成了3个有效的分发证书。 Any idea how this worked? 知道这是如何工作的吗？

Our questions in a nutshell: 我们的问题简而言之：

1. What is best practice when you manage a team of developers? 1.管理开发团队时的最佳做法是什么？

Do you normally share the private key of the first developer who generated the certificate with all other team members, which should be able to sign the app? 您是否通常与所有其他团队成员共享第一个生成证书的开发人员的私钥，该团队成员应该能够签署该应用程序？

2. What is the best practice when you work with clients? 2.与客户合作时的最佳做法是什么？ Do you ask them to generate another private key, or is there some hidden functionality to generate as many distribution certificates as you want, given that every developer uses his own account? 您是否要求他们生成另一个私钥，或者是否有一些隐藏的功能可以生成任意数量的分发证书，因为每个开发人员都使用自己的帐户？

3. What happens when we revoke a certificate. 3.当我们撤销证书时会发生什么。 It doesn't affect the apps in the app store, but only seems to limit other developers to build their app. 它不会影响应用程序商店中的应用程序，但似乎只限制其他开发人员构建其应用程序。 However, what happens with APNS / Push Server certificates? 但是，APNS / Push Server证书会发生什么？ When we revoke a distribution certificate through xCode, will this also suddenly stop working for the sender? 当我们通过xCode撤销分发证书时，这也会突然停止为发件人工作吗？

Thank you for your help. 谢谢您的帮助。

2 个解决方案

After a long time of investigation and trying things out, here is what we think is the best fit for us. 经过长时间的调查和尝试，我们认为这是最适合我们的。 Not sure if it is best practice but it seems to work for us just fine. 不确定这是否是最佳做法，但它似乎对我们有用。

1. What is best practice when you manage a team of developers? 1.管理开发团队时的最佳做法是什么？

One person generates a distribution certificate using his mac. 一个人使用他的mac生成分发证书。 He then exports the certificate (public AND private key) in a p12 file, as suggested by washloops and shares it with the team. 然后，他按照washloops的建议将证书（公钥和私钥）导出到p12文件中，并与团队共享。

2. What is the best practice when you work with clients? 2.与客户合作时的最佳做法是什么？

We have two sorts of clients: 我们有两种客户：

Clients working with multiple suppliers (so we are just taking care of 1 app, out of their portfolio) - We ask them to share their distribution certificate (public + private key). 与多个供应商合作的客户（因此我们只是从他们的投资组合中处理1个应用程序） - 我们要求他们共享他们的分发证书（公共+私钥）。 If they don't have it, they need to get it from another vendor. 如果他们没有，他们需要从其他供应商那里获得它。

Clients working only with us - We generate the certificate and share it with the client later on. 仅与我们合作的客户 - 我们生成证书并稍后与客户共享。 This allows them to share it with other vendors if they need to. 这允许他们在需要时与其他供应商共享。

3. What happens when we revoke a certificate. 3.当我们撤销证书时会发生什么。

From our tests: "nothing". 从我们的测试：“没有”。 If you revoke a distribution certificate, it will prevent developers using this certificate from submitting / building apps. 如果您撤消分发证书，则会阻止使用此证书的开发人员提交/构建应用程序。 However, existing APNS / Push certificates are not affected. 但是，现有的APNS /推送证书不受影响。

For us it seems as APNS / Push certificates are totally independent, and if you wish to revoke them, you need to revoke both. 对我们来说，似乎APNS / Push证书是完全独立的，如果你想撤销它们，你需要撤销它们。

You have to create just 1 distribution certificate. 您只需创建1个分发证书。 After that you go to Keychain Access, select the certificate and export it as ".p12", and maybe add a password to it. 之后，您转到Keychain Access，选择证书并将其导出为“.p12”，并可能为其添加密码。

After that you just install it in the other computers. 之后，您只需将其安装在其他计算机上即可。

Regards :) 问候：）