I need to get the expiry date of our iOS enterprise certificate used in an ipa's embedded.mobileprovision file using the command line.
I've got this so far:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist | base64 -d - | openssl x509 -inform DER -noout -text
The response:
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 440 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 588 bytes.
unable to load certificate
14722:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:1323:
14722:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:379:Type=X509
The openssl command works on our certificate file just fine:
openssl x509 -inform DER -noout -text -in "iPhone Distribution: XXXX.cer"
So what I am missing is getting the certificate out of the embedded.mobileprovision, decoding it and saving it to a file or passing it by piping.
If I split the command up, we get the following:
a. Get the certificate out of the embedded.mobileprovision:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist > encodedcert.b64
b. Decode the retrieved base64 to a .cer file:
base64 -d encodedcert.b64 certificate.cer
c. Read it with openssl:
openssl x509 -inform DER -noout -text -in certificate.cer
Unfortunately, the certificate.cer file generated by my base64 command is zero bytes long...
Who can help me out further?
I've successfully been able to get to the certificate information.
The problem was that my PlistBuddy command was wrong. I should have used 'DeveloperCertificates:0' instead of ':DeveloperCertificates'.
I also did not need the base64 stuff.
So the working command line to get the info from the enterprise certificate in an embedded.mobileprovision profile is
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist | openssl x509 -inform DER -noout -enddate
Split up into three parts:
Get a plist from the embedded.mobileprovision:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist
Get the first certificate from the plist:
/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist |
Read the certificate passed through the pipe and extract the enddate (-text instead of -enddate gives you the entire certificate information):
openssl x509 -inform DER -noout -enddate
Edit: Here is the command without a temporary plist file:
/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' /dev/stdin <<< $(security cms -D -i Payload/*.app/embedded.mobileprovision) | openssl x509 -inform DER -noout -enddate
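An added example, not part of the original answer: the pipeline above prints the end date of DeveloperCertificates:0 only, while this stdlib-only Python script reports notAfter for every entry in DeveloperCertificates, so it also runs on a build host without security or PlistBuddy. It assumes the plist is stored as plain XML inside the profile and finds it by byte search without verifying the CMS signature; the function names are illustrative.

```python
import plistlib
import sys
from datetime import datetime, timezone


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version field
        pos = end
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)      # validity SEQUENCE
    _, _, pos = read_tlv(der, pos)      # skip notBefore
    tag, start, end = read_tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    stamp = datetime.strptime(der[start:end].decode("ascii"), fmt)
    return stamp.replace(tzinfo=timezone.utc)


def cert_expiries(profile):
    """Return notAfter for every DeveloperCertificates entry in a profile."""
    # Assumption: the XML plist sits unencoded inside the CMS wrapper.
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile[start:end + len(b"</plist>")])
    return [cert_not_after(c) for c in plist.get("DeveloperCertificates", [])]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:   # path to embedded.mobileprovision
        for i, when in enumerate(cert_expiries(fh.read())):
            print(f"DeveloperCertificates:{i} notAfter={when:%Y-%m-%d %H:%M:%S} UTC")
```

Run it with the path to Payload/*.app/embedded.mobileprovision as the only argument; each output line corresponds to one PlistBuddy index.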