ios 如何管理企业分发证书到期?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9216485/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to manage Enterprise Distribution certificate expiration?
提问by zapador
Our customer has just joined the iOS Developer Enterprise Program. They have signed the app (developed by us) with their Enterprise Distribution and installed it succesfully in some devices via MDM.
我们的客户刚刚加入了 iOS 开发者企业计划。他们已经使用他们的 Enterprise Distribution 签署了该应用程序(由我们开发),并通过 MDM 成功地将其安装在某些设备中。
As far as I know when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the devices checks the certificate's validity against Apple's OCSP server.
据我所知,我的非企业经销证书什么时候到期,我必须更新它。一旦设备根据 Apple 的 OCSP 服务器检查证书的有效性,此过期将禁用所有使用过期证书签名的应用程序。
Alternatively, I can revoke my non-enterprise distribution before the expiration date and ask for a new one to Apple. Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled according to the same mechanism.
或者,我可以在到期日期之前撤销我的非企业分发,并向 Apple 请求一个新分发。使用已撤销证书签名的应用程序(例如 Ad Hoc beta 应用程序)将根据相同的机制被禁用。
So with my developer program I can't have two valid distribution certificates at the same time. Ok, as developers we can live with that.
因此,对于我的开发人员程序,我不能同时拥有两个有效的分发证书。好的,作为开发人员,我们可以接受。
Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program?
我们的客户能否通过 iOS Developer Enterprise Program 同时拥有两个有效的 Enterprise Distribution 证书?
According to Apple:
据苹果称:
Certificate Validation
The first time an application is opened on a device, the distribution certificate is validated by contacting Apple's OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server is not interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See“Network Configuration Requirements”(page 9).
The OCSP response is cached on the device for the period of time specified by the OCSP server—currently between 3 and 7 days. The validity of the certificate will not be checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app will be prevented from running. Revoking a distribution certificate will invalidate all of the applications you have distributed.
An app will not run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS DevCenter, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See “Providing Updated Apps” (page 10)
证书验证
第一次在设备上打开应用程序时,分发证书通过联系 Apple 的 OCSP 服务器进行验证。除非证书已被吊销,否则允许应用程序运行。无法联系 OCSP 服务器或从 OCSP 服务器获得响应不被解释为撤销。要验证状态,设备必须能够访问 ocsp.apple.com。请参阅“网络配置要求”(第 9 页)。
OCSP 响应在 OCSP 服务器指定的时间段内缓存在设备上 - 当前为 3 到 7 天。在设备重新启动并且缓存的响应过期之前,不会再次检查证书的有效性。如果当时收到撤销,应用程序将被阻止运行。撤销分发证书将使您分发的所有应用程序无效。
如果分发证书已过期,应用程序将不会运行。目前,分发证书的有效期为一年。在您的证书到期前几周,从 iOS DevCenter 请求一个新的分发证书,使用它来创建新的分发配置文件,然后重新编译并将更新的应用程序分发给您的用户。请参阅“提供更新的应用程序”(第 10 页)
Am I missing something or is is possible that the employees, with potentially hundreds of iOS devices with several In House apps, can't open their applications while they wait for the resigned apps?
我是否遗漏了什么,或者员工可能有数百个带有多个内部应用程序的 iOS 设备,在等待辞职的应用程序时无法打开他们的应用程序?
回答by Vin
This is an issue that we have been dealing since the last 2 years. The in-house applications do stop working after 1 year. It is a massive exercise for an organization like ours to rebuild hundreds of apps and redeploy it on thousands of devices every year.
这是我们自过去两年以来一直在处理的问题。内部应用程序在 1 年后停止工作。对于像我们这样的组织来说,每年重建数百个应用程序并将其重新部署到数千台设备上是一项艰巨的任务。
For us it is a month long exercise where we rebuild all our apps and inform all users to get new ones through the distribution channel. Still every year some users are left with non-functional apps.
对我们来说,这是一个为期一个月的练习,我们重建所有应用程序并通知所有用户通过分发渠道获得新应用程序。仍然每年都有一些用户留下非功能性应用程序。
I have filed an enhancement request with Apple(Bug ID#9848075) for this and am still waiting for a reply.
我已为此向 Apple(错误 ID#9848075)提交了增强请求,并且仍在等待回复。
EDIT: The above mentioned bug is closed now. Here's the official response:
编辑:上述错误现已关闭。以下是官方回复:
Distribution certs for enterprise are now 3 years in duration.
企业分发证书的有效期现在为 3 年。
回答by Anton
The "missing" link is now http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3
“缺失”链接现在是 http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3
A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users.
在您的证书到期前几周,从 iOS 开发中心申请新的分发证书,使用它来创建新的分发配置文件,然后重新编译并将更新的应用程序分发给您的用户。
The document describes also how to update Apps. There are frameworks that include the update mechanism easily into your app. Eg "Hockey", https://github.com/therealkerni/HockeyKit
该文档还介绍了如何更新应用程序。有些框架可以轻松地将更新机制包含到您的应用程序中。例如“曲棍球”,https://github.com/therealkerni/HockeyKit
Quoting the full article:
引用全文:
Certificate validation
The first time a user opens an app, the distribution certificate is validated by contacting Apple's OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn't interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See Network configuration requirements.
The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn't checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app is prevented from running. Revoking a distribution certificate invalidates all of the apps you've distributed.
An app won't run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See Providing updated apps.
证书验证
用户第一次打开应用程序时,会通过联系 Apple 的 OCSP 服务器来验证分发证书。除非证书已被吊销,否则允许应用程序运行。无法联系 OCSP 服务器或从 OCSP 服务器获得响应不被解释为撤销。要验证状态,设备必须能够访问 ocsp.apple.com。请参阅网络配置要求。
OCSP 响应在 OCSP 服务器指定的时间段内缓存在设备上,目前为 3 到 7 天。在设备重新启动并且缓存的响应过期之前,不会再次检查证书的有效性。如果当时收到撤销,应用程序将无法运行。撤销分发证书会使您分发的所有应用程序失效。
如果分发证书已过期,应用程序将不会运行。目前,分发证书的有效期为一年。在您的证书到期前几周,从 iOS 开发中心申请新的分发证书,使用它来创建新的分发配置文件,然后重新编译并将更新的应用程序分发给您的用户。请参阅提供更新的应用程序。
回答by tdios
Apple revised the documentation...
苹果修改了文档...
An app won't run if its distribution certificate has expired. Currently, distribution certificates are valid for one year, and you can have two certificates active at the same time. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires.
For example, six months before your distribution certificate expires, create a new certificate and use it to update your apps for the next year. To do this, you request a new distribution certificate from the iOS Dev Center (do not revoke your first certificate), use it to create new distribution provisioning profiles for each of your apps, and then you recompile and distribute the updated apps to your users. See Providing updated apps.
如果分发证书已过期,应用程序将不会运行。目前,分发证书的有效期为一年,您可以同时拥有两个有效的证书。第二个证书旨在提供一个重叠的时间段,在此期间您可以在第一个证书到期之前更新您的应用程序。
例如,在您的分发证书到期前六个月,创建一个新证书并使用它来更新下一年的应用程序。为此,您需要从 iOS 开发中心申请新的分发证书(不要撤销您的第一个证书),使用它为您的每个应用程序创建新的分发配置文件,然后重新编译并将更新的应用程序分发给您的用户. 请参阅提供更新的应用程序。
回答by Alex Zavatone
Note: The hierarchical text below indicates the path to the information that explains the solution. You must navigate to (expand the arrows next to) the items in the sidebar to see the solution (Mani, please don't delete this info - it's there to direct the viewer to the solution.)
注意:下面的分层文本指示说明解决方案的信息的路径。您必须导航到(展开旁边的箭头)侧栏中的项目才能查看解决方案(Mani,请不要删除此信息 - 它是为了将查看者定向到解决方案。)
Current documentation from Apple:
来自 Apple 的当前文档:
Distributing Enterprise Apps for iOS Devices
In-house apps
Certificate validation
Providing updated apps
From Providing updated apps:
从提供更新的应用程序:
You can have two distribution certificates active at the same time; each is independent from the other. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires. When requesting your second distribution certificate from the iOS Dev Center, be sure you don't revoke your first certificate.
您可以同时激活两个分发证书;每个都是相互独立的。第二个证书旨在提供一个重叠的时间段,在此期间您可以在第一个证书到期之前更新您的应用程序。从 iOS 开发人员中心申请第二个分发证书时,请确保不要撤销您的第一个证书。
That there is not a seamless way to do this so that all our internal customers don't need to see this is rather terrible lack of functionality.
没有一种无缝的方式来做到这一点,所以我们所有的内部客户都不需要看到这是相当糟糕的功能缺乏。
回答by Kost
Just a small follow up.
只是一个小的跟进。
Original:
原来的:
"As far as I know when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the devices checks the certificate's validity against Apple's OCSP server."
“据我所知,我的非企业分发证书何时到期,我必须更新它。一旦设备根据 Apple 的 OCSP 服务器检查证书的有效性,此过期将禁用所有使用过期证书签名的应用程序。”
This is not quite true, if I understand it correct. Thisinfo from Apple and as explained heresays the opposite.
如果我理解正确的话,这并不完全正确。来自 Apple 的这个信息和这里的解释相反。
What happens if my certificate expires or has been revoked?
...
iOS Distribution Certificate (App Store)
- If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
如果我的证书过期或被吊销会怎样?
...
iOS 分发证书(App Store)
- 如果您的 iOS 开发者计划会员资格有效,则您在 App Store 上的现有应用不会受到影响。但是,您将无法再向 App Store 提交新应用或更新。
