What is the binary data around the plist in a provisioning profile file?

Question

The structure of a .mobileprovision file looks something like this:

<!-- small binary data -->

<?xml version="1.0" encoding="UTF-8"?>
<!-- plist data -->
</plist>

<!-- large binary data -->

I have a few questions around this:

1. What is this binary data?
2. Is it useful?
3. How can I extract the plist from a .mobileprovision file without searching for XML boundaries?

Specifically, I will consider this question as answered (and award the +100 bounty alongwith it) when both Q1 and Q3 above are answered.

Answer 1

I finally got the answer from an answer to another question on SO.

Basically the .mobileprovision file is a CMS encrypted XML file. It can be decoded using security on OS X:

security cms -D -i /path/to/profile.mobileprovision

Answer 2

I don't have an answer to your initial question, but I can explain how to extract the signing certificate from the .mobileprovision file:

1. The plist part of the .mobileprovision has a key 'DeveloperCertificates', whose value is an array of NSData.
2. Each NSData is a .cer file - the signing certificate you are looking for.

I have a short shell script for extracting the subject of the signing certificate directly from the .mobileprovision file here: https://gist.github.com/2147247 - the script works with only one certificate in the array mentioned earlier, which should be the common case.

As you can see in the script, I have no answer to your third question, I am just cutting away the first line and everything after the closing tag.

Answer 3

use

security cms -D -i /path/to/profile.mobileprovision

if you get the error message security: SecPolicySetValue: One or more parameters passed to a function were not valid just pipe the error to /dev/null

security cms -D -i /path/to/profile.mobileprovision 2> /dev/null

Answer 4

The .mobileprovision file is a DER encoded ASN.1,

The plist is one of the values stored in this ASN.1 message.

Answer 5

The file is basically the public distribution key + Apple public certificate chain + allowed devices that can be installed on to - as long as the IPA file is likewise signed.

Your key is encoded in to the plist entry. and the binary data after the plist are the associated public certficates: the Apple Root public certificate (downloadable from Apple and the Apple iPhone Certification Authority (downloadable via your Apple portal).

[Updated based on comments]

The real goal is to work out the certificate "common name" used my the mobile provision file so that the app can be re-signed.

Inside the mobile provisioning file ApplicationIdentifierPrefix tag contains the certificate UserID. This number could be used to find the certificate in the keychain tool.

So manually, the steps would be:

1. Extract the ApplicationIdentifierPrefix number from the .mobileprovision file
2. Open the keychain app. Look through each login/certificate to find the one with matching UserId

To automate the process

1. run some fancy unix command to extract the ID
2. run security find-certificate -a >a.out then grep for the ID. Then find the common name from the same record.