iOS 代码签名

iOS 上需要代码签名，以便通过官方 Apple App Store 或欧盟可能的替代市场分发你的应用，并且通常在终端用户设备上安装和执行。

¥Code signing on iOS is required to distribute your application through the official Apple App Store or possibly alternative marketplaces in the European Union and in general to install and execute on end user devices.

先决条件

¥Prerequisites

iOS 上的代码签名需要注册 Apple 开发者程序，在撰写本文时，该程序每年的费用为 99 美元。你还需要一台执行代码签名的 Apple 设备。这是签名过程所必需的，也是 Apple 的条款和条件所要求的。

¥Code signing on iOS requires enrolling to the Apple Developer program, which at the time of writing costs 99$ per year. You also need an Apple device where you perform the code signing. This is required by the signing process and due to Apple’s Terms and Conditions.

要分发 iOS 应用，你必须在 App Store Connect 中注册你的打包包标识符、适当的 iOS 代码签名证书和将它们链接在一起并启用你的应用使用的 iOS 功能的移动配置文件。这些要求可以由 Xcode 自动管理，也可以手动提供。

¥To distribute iOS applications you must have your bundle identifier registered in the App Store Connect, an appropriate iOS code signing certificate and a mobile provisioning profile that links them together and enables the iOS capabilities used by your app. These requirements can be either automatically managed by Xcode or provided manually.

自动签名

¥Automatic Signing

让 Xcode 管理应用的签名和配置是导出要分发的 iOS 应用最方便的方式。它会自动注册你的打包包标识符、管理 iOS 功能更改并根据你的导出方法配置适当的证书。

¥Letting Xcode manage the signing and provisioning for your app is the most convenient way to export your iOS app to be distributed. It automatically registers your bundle identifier, manages iOS capabilities changes, and configures an appropriate certificate based on your export method.

默认情况下启用自动签名，并在本地计算机上使用时使用 Xcode 中配置的账户进行身份验证。要注册你的账户，请打开 Xcode 应用并打开 Xcode > Settings 菜单中的“设置”页面，切换到“账户”选项卡并单击 + 图标。

¥Automatic signing is enabled by default, and uses the account configured in Xcode to authenticate when used on your local machine.\ To register your account, open the Xcode application and open the Settings page in the Xcode > Settings menu, switch to the Accounts tab and click the + icon.

要在 CI/CD 平台中使用自动签名，你必须创建 App Store Connect API 密钥并定义 APPLE_API_ISSUER、APPLE_API_KEY 和 APPLE_API_KEY_PATH 环境变量。打开 App Store Connect 的用户和访问页面，选择集成选项卡，单击添加按钮并选择名称和管理员访问权限。APPLE_API_ISSUER（发行者 ID）显示在密钥表上方，APPLE_API_KEY 是该表上密钥 ID 列的值。你还需要下载私钥，该操作只能执行一次，并且仅在页面重新加载后可见（按钮显示在新创建密钥的表格行上）。私钥文件路径必须通过 APPLE_API_KEY_PATH 环境变量设置。

¥To use the automatic signing in CI/CD platforms you must create an App Store Connect API key and define the APPLE_API_ISSUER, APPLE_API_KEY and APPLE_API_KEY_PATH environment variables.\ Open the App Store Connect’s Users and Access page, select the Integrations tab, click on the Add button and select a name and the Admin access. The APPLE_API_ISSUER (Issuer ID) is presented above the keys table, and the APPLE_API_KEY is the value on the Key ID column on that table. You also need to download the private key, which can only be done once and is only visible after a page reload (the button is shown on the table row for the newly created key). The private key file path must be set via the APPLE_API_KEY_PATH environment variable.

手动签名

¥Manual Signing

要手动签署你的 iOS 应用，你可以通过环境变量提供证书和移动配置文件：

¥To manually sign your iOS app you can provide the certificate and mobile provisioning profile via environment variables:

IOS_CERTIFICATE:从 Keychain 导出的证书的 base64 表示形式。

¥IOS_CERTIFICATE: base64 representation of the certificate exported from the Keychain.
IOS_CERTIFICATE_PASSWORD:从 Keychain 导出证书时设置的证书密码。

¥IOS_CERTIFICATE_PASSWORD: password of the certificate set when exporting it from the Keychain.
IOS_MOBILE_PROVISION:配置文件的 base64 表示形式。

¥IOS_MOBILE_PROVISION: base64 representation of the provisioning profile.

以下部分说明如何获取这些值。

¥The following sections explain how to get these values.

签名证书

¥Signing Certificate

注册后，导航到证书页面以创建新的 Apple 分发证书。下载新证书并将其安装到 macOS 密钥串。

¥After enrolling, navigate to the Certificates page to create a new Apple Distribution certificate. Download the new certificate and install it to the macOS Keychain.

要导出证书密钥，请打开 “Keychain Access” 应用，展开证书的条目，右键单击密钥项并选择 “导出 <key-name>” 项。选择导出的 .p12 文件的路径并记住其密码。

¥To export the certificate key, open the “Keychain Access” app, expand the certificate’s entry, right-click on the key item and select “Export <key-name>” item. Select the path of the exported .p12 file and remember its password.

运行以下 base64 命令将证书转换为 base64 并将其复制到剪贴板：

¥Run the following base64 command to convert the certificate to base64 and copy it to the clipboard:

base64 -i <path-to-certificate.p12> | pbcopy

剪贴板中的值现在是签名证书的 base64 表示形式。保存它并将其用作 IOS_CERTIFICATE 环境变量值。

¥The value in the clipboard is now the base64 representation of the signing certificate. Save it and use it as the IOS_CERTIFICATE environment variable value.

必须将证书密码设置为 IOS_CERTIFICATE_PASSWORD 变量。

¥The certificate password must be set to the IOS_CERTIFICATE_PASSWORD variable.

配置配置文件

¥Provisioning Profile

此外，你必须为你的应用提供配置文件。在标识符页面中，创建一个新的 App ID，并确保其 “Bundle ID” 值与 identifier 配置中设置的标识符匹配。

¥Additionally, you must provide the provisioning profile for your application. In the Identifiers page, create a new App ID and make sure its “Bundle ID” value matches the identifier set in the identifier configuration.

导航到配置文件页面以创建新的配置文件。对于 App Store 分发，它必须是 “App Store Connect” 配置文件。选择适当的 App ID 并链接你之前创建的证书。

¥Navigate to the Profiles page to create a new provisioning profile. For App Store distribution, it must be an “App Store Connect” profile. Select the appropriate App ID and link the certificate you previously created.

创建配置文件后，下载它并运行以下 base64 命令以转换配置文件并将其复制到剪贴板：

¥After creating the provisioning profile, download it and run the following base64 command to convert the profile and copy it to the clipboard:

base64 -i <path-to-profile.mobileprovision> | pbcopy

剪贴板中的值现在是配置文件的 base64 表示形式。保存它并将其用作 IOS_MOBILE_PROVISION 环境变量值。

¥The value in the clipboard is now the base64 representation of the provisioning profile. Save it and use it as the IOS_MOBILE_PROVISION environment variable value.

现在你可以构建你的 iOS 应用并在 App Store 上分发！

¥Now you can build your iOS application and distribute on the App Store!