iOS code signing

Question

I understand the math behind RSA cryptography, however, I'm having trouble reconciling that with Apple's lingo and authentication process. We have the following entities:

• My personal key pair
• Apple's key pair
• My development certificate
• My distribution certificate
• Apple's Apple Worldwide Developer Relations certificate
• My development provisioning profile
• My distribution provisioning profile

And the following different run modes:

• Run apps from App Store
• Run apps distributed for beta-testing
• Run apps in a development environment/debugging

How do all these work together to accomplish the goal? And by "work together", I mean explicitly what signs what, when, and where.

My current stab is:

1. I generate a public/private key
2. I issue a certificate request from Apple: I send them my public key, and some info about who I am, and sign this using my private key. Apple then uses some crypto hash to verify the info, and that I indeed own that public key. Apple then checks my info against the registered Apple developers, and if everything checks out, issues a certificate (including my public key), and signs the whole thing using their private key. Can have different certificates signed by Apple for different purposes.
3. I include this certificate any provisioning profile I want to run my code on (either as apart of an ipa, or otherwise)
4. When I try to run an app on a device, and the device realizes it isn't signed directly by Apple, it looks at the provisioning profile I installed on it
5. If the App ID checks out, and it is one of the listed registered devices, it looks at the certificates
6. It checks the signature of the certificate, using Apple's public key, to verify that the certificate was signed by Apple, and thus that the device can trust the certificate's authenticity
7. It then checks the code-signed app using my public key included in the certificate, and if it matches, then it knows a trusted developer code-signed the app
8. Can now run the app

I'm at a loss for what Apple's Worldwide certificate is for though?

Answer 1

Provisioning profiles created via developer portal are signed by Apple. Your provisioning profiles contain your certificate in them, thus the codesign identity of the ipa must match the one in profile. When app is launched, iOS is probably checking if the codesign matches the provisioning profile, and if the provisioning profile is valid. When profile is development/ad-hoc, it also checks if the device has permissions to launch the app. And in addition, when app is submitted to ITC (for AppStore or TestFlight), it is signed and encrypted by Apple using their cert/keys.