It’s that time again: time for me to rotate some provisioning profiles. First up, I need to figure out which ones are expired. I built a handy script which will dump installed provisioning profiles:

    # Dump the Name of every provisioning profile installed for this user
    pushd ~/Library/MobileDevice/Provisioning\ Profiles
      for f in *.mobileprovision; do
        echo "$f"
        openssl asn1parse -inform DER -in "$f" | grep -A1 "<key>Name</key>" | tail -1
      done
    popd

This script will just dump the profile name. I renamed the profile, which I’m starting to think was a bad idea. But let’s see.

Hmm, I should probably make sure I’m replacing the correct provisioning profile. Let’s see. The script above will extract the name. How do I decipher the certificate itself?

    profile=prod.mobileprovision
    # Decode the CMS envelope to an XML plist, then pull the first DER certificate out of it
    /usr/libexec/PlistBuddy -c "Print :DeveloperCertificates:0" /dev/stdin <<< "$(security cms -D -i "$profile")" >/tmp/example.cert
    openssl x509 -inform der -text -in /tmp/example.cert

I tried it as a one-liner and OpenSSL just complained there was nothing on STDIN. But that does dump out the correct certificate. Hmm, I should really make this into a script.

For the provisioning profiles I’m wondering what the best format is. Matching the name directly to the profile name provided a bit of confusion. To make it more explicit I’m using the internal short names with the date range the certificate is good within. That way it’s very apparent which ones you can pull.

At this point I’m questioning storing these profiles under our SCM in general. In a limited sense it makes sense: it’s readily available to anyone who has access to the source. It’s trusting and in line with our group’s philosophy of trust. On the other hand, if we need to build a version of this more than a year from now then these aren’t really helpful. I’m going to punt and say it’s fine for now.

I got annoyed and wrote a script which will dump the certificate and clean up the temp file for me. I call this program mobile-provision-certificate.

    #!/bin/bash -e
    # mobile-provision-certificate: print the first signing certificate embedded in a profile

    profile="$1"
    if [ -z "$profile" ] || [ ! -r "$profile" ]; then
      echo "usage: $0 profile.mobileprovision" >&2
      exit 1
    fi

    file_name=$(mktemp)
    function clean_cert {
    	rm -f "$file_name"
    }

    # Remove the temp file however the script exits (including on error, thanks to -e)
    trap clean_cert EXIT

    # Decode the CMS envelope to an XML plist, then pull the first DER certificate out of it
    /usr/libexec/PlistBuddy -c "Print :DeveloperCertificates:0" /dev/stdin <<< "$(security cms -D -i "$profile")" >"$file_name"
    openssl x509 -inform der -text -in "$file_name"
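The three pieces above (listing names, deciding which profiles are expired, and reading the embedded certificate) can be pulled together into one script. The following is an added example and not part of the original post or its `mobile-provision-certificate` script: it decodes a profile with `security cms -D` on macOS, but the parsing of the resulting XML plist only needs awk, so the parsing functions are exercised against a constructed sample plist (fake UUID, fake dates, fake certificate bytes) embedded in the block. The 30-day "expiring" window and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original post): summarize a provisioning profile
# for rotation. security(1) and PlistBuddy exist only on macOS; the plist
# parsing below is plain awk and works anywhere.

# Print the <string>/<date>/<integer> value that follows <key>KEY</key> in a
# plist read on stdin (security cms puts the key and value on separate lines).
plist_value() {
  local key="$1"
  awk -v key="<key>$key</key>" '
    found && match($0, /<(string|date|integer)>[^<]*</) {
      v = substr($0, RSTART, RLENGTH)
      sub(/^<[a-z]+>/, "", v); sub(/<$/, "", v)
      print v; exit
    }
    index($0, key) { found = 1 }
  '
}

# Print the base64 body of the first <data> element under DeveloperCertificates,
# i.e. the first signing certificate, stripped of indentation.
first_certificate_b64() {
  awk '
    /<key>DeveloperCertificates<\/key>/ { in_certs = 1; next }
    in_certs && /<data>/ { in_data = 1; next }
    in_data && /<\/data>/ { exit }
    in_data { gsub(/[ \t]/, ""); print }
  '
}

# Convert a plist date (2023-06-01T00:00:00Z) to epoch seconds; GNU date first,
# then the BSD date shipped with macOS.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f "%Y-%m-%dT%H:%M:%SZ" "$1" +%s
}

# Classify a profile by its expiry: expired, expiring (assumed 30-day window) or valid.
profile_status() {
  local expiry_epoch="$1" now_epoch="$2"
  local remaining=$(( expiry_epoch - now_epoch ))
  if [ "$remaining" -le 0 ]; then
    echo expired
  elif [ "$remaining" -le $(( 30 * 86400 )) ]; then
    echo expiring
  else
    echo valid
  fi
}

# macOS only: one tab-separated line per profile, plus the certificate's own
# notAfter date so a profile that outlives its certificate stands out.
summarize_profile() {
  local plist name uuid expires cert_end
  plist=$(security cms -D -i "$1") || return 1
  name=$(printf '%s\n' "$plist" | plist_value Name)
  uuid=$(printf '%s\n' "$plist" | plist_value UUID)
  expires=$(printf '%s\n' "$plist" | plist_value ExpirationDate)
  cert_end=$(printf '%s\n' "$plist" | first_certificate_b64 | base64 --decode \
             | openssl x509 -inform der -noout -enddate)
  printf '%s\t%s\t%s\t%s\t%s\n' \
    "$(profile_status "$(to_epoch "$expires")" "$(date +%s)")" \
    "$expires" "$cert_end" "$uuid" "$name"
}

# Constructed sample: the shape of a decoded profile. The UUID, dates and the
# certificate bytes ("ABCDEF" in base64) are placeholders, not a real profile.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>DeveloperCertificates</key>
	<array>
		<data>
		QUJD
		REVG
		</data>
	</array>
	<key>ExpirationDate</key>
	<date>2023-06-01T00:00:00Z</date>
	<key>Name</key>
	<string>Example App Store</string>
	<key>TeamName</key>
	<string>Example Team</string>
	<key>UUID</key>
	<string>00000000-0000-0000-0000-000000000000</string>
</dict>
</plist>'

# Usage: ./profile-summary.sh ~/Library/MobileDevice/Provisioning\ Profiles/*.mobileprovision
for profile in "$@"; do
  summarize_profile "$profile"
done
```

Run with no arguments the script only defines the functions; pointed at the Provisioning Profiles directory it prints one line per profile, with the status column answering the "which ones are expired" question directly, and the certificate's notAfter beside the profile's ExpirationDate, which is the date range the post wants in the profile name.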