De Tout Et De Rien

To content | To menu | To search

Thursday, December 1 2011

01Dec2011

How-to: Testing the Mac App Store receipt validation

If you are developping an application for the Mac App Store, then you have to implement and test receipt validation. This entry details all the steps needed to be able to test the Map App Store receipt validation.

Note: This entry is based on various information gathered from the Apple website and especially from the Validating Mac App Store Receipts and the Technical Note 2259 documents.

Member Center

As a Mac developer, you must use the Developer Certificate Utility available in the Member Center to complete the following steps:

  • Register an explicit your App ID for your application.
    Explicit App IDs are App IDs whose Bundle Identifier portion is a string without the wildcard ("*") character. If you are the Team Agent, you should be able to navigate to the App IDs section of the Developer Certificate Utility to register an App ID for your application.
  • Certificates
    Create, download, and install a Mac Signing Certificate that uses your App ID.
    If you are the Team Agent, you should be able to navigate to the Certificates section of the Developer Certificate Utility to create a Mac signing certificate.
  • Download the WWDR Intermediate Certificate.
    You also have to download the WWDR Intermediate Certificate available in the Developer Certificate Utility. This certificate is needed to validate developer certificates.

iTunes Connect

To test receipt validation, you need to create test accounts to simulate the purchase. iTunes Connect allows you to create and manage Test User accounts.

  • Create a test user account.
    Apple provides a testing environment, called the sandbox environment, which allows you to test an application purchase without incurring any financial changes. The sandbox environment uses special test user accounts rather than your regular iTunes Connect accounts to test receipt retrieval.
    Your Admin or Technical users should navigate to the Manage Users module on the iTunes Connect home page to create test user accounts. Read the Test User Setup section of the iTunes Connect Developer Guide for more information about creating test user accounts.
  • Declare your application.
    In order for Apple to generate testing receipt, you need to declare your application. Add a new application by providing all the required fields, and at least a screenshot. Leave the application as is; you don't need to upload anything to test receipt validation.

Note: You can use the same test user accounts to test both your iOS and Mac applications. Each test user account is tied to one and only one email address. As such, you cannot reuse an existing email address with another test user account. You can create as many test user accounts as you want in iTunes Connect. Furthermore, you can use the "+" alias provided that it is allowed by your webmail service. For instance, if your email is foo@example.com, then you can use the foo+us@example.com, foo+uk@example.com, and foo+fr@example.com emails when creating test user accounts in iTunes Connect. All communications sent to foo+us@example.com, foo+uk@example.com, and foo+fr@example.com will be routed to foo@example.com.

What's Next?

You have successfully set up your application, and you are ready to test the receipt validation.

  • Launch or create your project in Xcode.
  • Add the receipt validation code (if you look for an easy way to do so, then check out Receigen). Make sure that the bunlde identifier and the bundle version match between your application and the generated code.
  • Build your application in Xcode.
  • Run your application.

Note: You must launch your application from the Finder rather than from Xcode the first time in order to obtain a receipt. When your application is launched, Mac OS X displays a "Sign in to download from the App Store." dialog. Enter your test user account and password as requested. The sandbox provides you with a new receipt upon successful authentication.

Note: Launch your application from the Finder whenever you need a new receipt.

Important: You must not use your test user account to sign into the production environment. This will result in your test user account becoming invalid. Invalid test accounts cannot be used to test receipt validation.

  • Submit your products for review.

Log in to iTunes Connect to submit your application for review by Apple, after you are done thoroughly testing them in the sandbox environment.

one comment

Apple

Sunday, November 6 2011

06Nov2011

Mac OS X Application SandBoxing: what about Apple ?

There is a lot of discussions around the upcoming sandboxing requirement for all the Mac App Store published applications.

There were several publications on the subject with sometimes very elaborate discussion:

These articles lead me to wondering:

  • Apple is going to enforce sandboxing on third-party applications, but what about Apple's own applications ?
  • Sandboxing is said to be a work in progress; the current entitlement keys are sparse and most of the time, developers relies on temporary exceptions to keep their application fully functional. Is there anything in Apple's applications that give a clue of possible entitlement keys ?

So, I decided to take my Terminal and play with the codesign tool. This tool is very useful because if can sign binaries (obviously), but it can also print what is contained in the signature (certificate chain, requirements, entitlements). So I ran it on my Application folder.

cd /Applications
find . -type d -name "*.app" -exec echo {} \; -exec codesign -d --entitlements - {} \;

Here are the applications that contain entitlements (as on 2011-11-06). I have indicated if they mandate the use of sandbox:

  • Address Book
  • App Store
  • FaceTime
  • Font Book
  • Preview (SANDBOXED)
  • TextEdit (SANDBOXED)
  • Activity Monitor
  • Boot Camp Assistant
  • RAID Utility
  • iCal
  • PhotoStreamAgent (in iPhoto)
  • iTunes

Here are the key points:

  • All the Apple applications are signed
  • Only a few of them contain entitlements
  • Only two of them are sandboxed

Digging further into the entitlements, I found:

  • Preview is actually using a temporary entitlement key for global Mach lookup. So don't be shy using them into your applications !
  • A bunch of private entitlement keys: they may be migrated to public entitlement keys as they seems generic.

And finally, here are the private entitlement keys I found:

  • com.apple.private.aps-connection-initiate: it seems related to iCloud, as applications like Address Book, FaceTime, iCal, iTunes and iPhoto (PhotoStreamAgent) have this one.
  • com.apple.private.dark-wake-push: a key to wake up the computer ???
  • com.apple.private.AuthorizationServices: widely used, it seems a good candidate for a future entitlement key.

I hope that by March 2012, Apple would have solved all the details about sandboxing. It would be nice to see a set of versatile entitlement that could protect the end-user and let the developer be inventive.

Apple

Saturday, October 29 2011

29Oct2011

Receigen, a smart code generator for Mac App Store receipt validation

Receigen has just been made available in the Mac App Store.

If you are developing an application for Mac and want to distribute it in the Mac App Store, you will be inevitably faced to receipt validation. This entry explains what is receipt validation and why Receigen can help you.

What is receipt validation ?

When you purchase an application from the Mac App Store, it installs into the /Applications folder of your Mac. Inside the application bundle, the Mac App Store application places a receipt file. This file is a record of sale that can be used to check if the installed copy of the application is authorized to run. Apple is providing a comprehensive documentation on the technical issues.

Why do I need receipt validation ?

If you fail to property validate the receipt file, anybody with a copy of your application can run it, with or without proper authorization. This happened to some developpers in the early days of Mac App Store.

What are the steps of validation ?

In order to code the receipt validation, you need to understand:

  • how asymetric cryptography works
  • how signature are attached to a container
  • how ASN.1 encodng/decoding works
  • how to obfuscate code to harden the reverse engineering.

Here is the basic workflow to use when validating a receipt:

  1. Locate the receipt file to load it: this is an easy part as its location is fixed inside the application bundle.
  2. Verify that the receipt is properly signed: the receipt file is a PKCS#7 container that contains the receipt data and that is signed by Apple.
  3. Extract the receipt data: the receipt data are encoded in ASN.1 format, which is a compact binary format widely used in cryptography.
  4. Check that the receipt data matches the bundle information and the machine the application is running on.
  5. Make sure that the checking code is secure. You should hide strings, constants, function calls and make sure that the validation code changes between each release of your application.

Damn, that seems a lot of work

Yes, it is. And I am sure that you have better to do than spending hours on this topic. Receigen has been designed to cope with all this tedious work, by ensuring that you can focus on your application and only your application.

Here is what Receigen brings you:

  • Smart generation of validation code: all it needs is the bundle identifier and version.
  • Seamless integration with Xcode: Receigen can be invoked on the command line easily.
  • Human readable code: Receigen produces a human readable code but still obfuscated when compiled.
  • Never twice the same code: Receigen embeds a code generator that produce a different output each time it is invoked.
  • A tiny price: think about the time you will have spent to produce the same code.

So, go and try out Receigen on the Mac App Store.

Apple

Wednesday, October 19 2011

19Oct2011

Mac AppStore receipt validation testing

This entry tries to list all the required step in order to test a Mac App Store receipt validation.

If you look a smart and simple way to generate the receipt validation code, try Receigen on the Mac App Store.

Previously on receipt validation...

For those who are still wondering what is receipt validation, I suggest them to read this document from Applethat explains what receipt validation is; then this page should give them a good reason to properly implement it.

What is required

In order to correctly test receipt validation, you need to:

  • Declare your application on the iTunes Connect portal. Go to Manage Your Applications and file the form. Note that the bundle identifier and the bundle version are important, as they will be used to generate the receipt. Don't forget to file all the information (even the sales/pricing ones).
  • Declare a test account on the iTunes Connect portal. Go to Manage Users and create it.
  • Sign the application with a valid certificate. The receipt retrieval process is only triggered if the application bundle has been properly signed. Development certificate can be fetched from the Mac Dev Center.

How to proceed

Now that all the pre-requisites are ready, you can test your receipt validation code.

  • Launch the application in the Finder. DO NOT LAUNCH it from Xcode !!! The application must be launched by the launchd daemon.
  • If your receipt validation code is ok, then the lack of receipt should make the application exit with a code 173.
  • This exit will trigger the request for a valid receipt. You should see a Mac App Store login window by now. Use the test account credentials to log-in.
  • If the credentials are valid and that the bundle information match the one you entered, then a valid is generated and installed in the application bundle.
  • After the receipt is installed, the application is re-launched automatically.

Conclusion

Comments and feedback are welcomed to improve this entry.

Apple

Sunday, October 2 2011

02Oct2011

How to upgrade Jenkins on Mac OS X (daemon mode)

Jenkins, the continuous integration server, provides a nice package to run it on Mac OS X. It installs as a launch daemon and runs smoothly. But when a new version of Jenkins is available, there is no automatic upgrade feature. So here is how to upgrade this kind of installtion:

  • Download the latest war of Jenkins from the website
  • Stop the Jenkins daemon: in a Terminal window, type
sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
  • Copy the downloaded "war" from your download directory to the "/Applications/Jenkins/" folder.
  • Start the Jenkins daemon: in a Terminal window, type
sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist

Once Jenkins has restarted, you should have an up-to-date installation.

Java

Sunday, September 18 2011

18Sep2011

Monobjc Continuous Integration

The upcoming version of Monobjc 4.0, will be able to run on Mac OS X 10.5, 10.6 and 10.7 operating systems under both i386 and x86_64 architectures. For a complete coverage of this platforms and architectures, the goal is to have these three platforms readily available so non-regression and deployment testing occurs almost seamlessly.

Thanks to Parallels Desktop, I was able to quickly setup two virtual machines running respectively Mac OS X 10.5 and 10.6, on top of a Mac OS X 10.7 system. Then I setp up a Jenkins based continuous integration system driving all the platforms; non-regression testing can now be run on the three platforms easily.

Monobjc CI Infrastructure

Monobjc

Monday, September 12 2011

12Sep2011

NAnt - Mono 4.0 Profile

This entry describes how to build the Mono 4.0 profile for NAnt. This is needed if you want to target the Mono 4.0 profile with NAnt, as the Mono framework does ship with a rather old version of NAnt.

Getting the source

The source code can be fetched with CVS. Refer to the NAnt source code page on SourceForge for more details.

Patching the Makefile

First, you need to patch the Makefile so the right compiler is picked-up. Open the Makefile file with your favorite text editor and replace

MCS=mcs

with

MCS=dmcs

Building

Open a Terminal window and go the folder where you have checked out the source code. Type the following command:

make TARGET=mono-4.0 clean all

Installing

Once NAnt is build for the Mono 4.0 profile, you can replace the built-in NAnt that comes with the Mono framework, by copying the output result.

sudo mv /Library/Frameworks/Mono.framework/Versions/Current/share/NAnt /Library/Frameworks/Mono.framework/Versions/Current/share/NAnt.old
sudo cp -R ./build/mono-4.0.unix/nant-0.91-debug /Library/Frameworks/Mono.framework/Versions/Current/share/NAnt

DotNet

Sunday, September 4 2011

04Sep2011

Xcode 3.2.6, Lion and PPC support

Note: this entry is a follow-up of this StackOverflow entry. It gathers tricks from Anatomic Wax, StackOverflow and my personal experience.

Installing Xcode 3.2.6

In order to install Xcode 3.2.6 correctly on Lion, you need to use a trick to fool the installer so it installs everything (via ):

  • Mount the Xcode 3.2.6 disk image
  • Open a terminal
  • Enter the commands:
export COMMAND_LINE_INSTALL=1
open "/Volumes/Xcode and iOS SDK/Xcode and iOS SDK.mpkg"

The open command will launch the installer app and allow you to install Xcode 3.2.6 on Lion with no package modifications.

You can choose not to install the MacOSX 10.4 SDK if you don't need it. Adapt the remaining steps if you don't.

When installing Xcode 3.2.6, choose a destination folder other than Developer. For the sake of this guide, the destination folder is Developer-3.2.

Installing Xcode 4.1

Installing Xcode 4.1 is done from the Mac AppStore. Once it is downloaded, click on the installer to start the installation.

Restoring 10.4/10.5 SDK Support

Open a terminal and run the following commands:

cd /Developer/SDKs
sudo ln -s /Developer-3.2/SDKs/MacOSX10.4u.sdk .
sudo ln -s /Developer-3.2/SDKs/MacOSX10.5.sdk .

Restoring GCC 4.0/GCC 4.2 Support

A lot of links should be added so the compiler executables are found. Moreover, the platform suffix should also be changed from darwin10 to darwin11.

Run the following commands (there should be some errors, but you can safely ignore them):

cd /Developer/usr/bin
sudo ln -s /Developer-3.2/usr/bin/*4.0* .
sudo ln -s /Developer-3.2/usr/bin/*4.2* .
sudo ln -s powerpc-apple-darwin10-g++-4.0.1 powerpc-apple-darwin11-g++-4.0.1
sudo ln -s powerpc-apple-darwin10-gcc-4.0.1 powerpc-apple-darwin11-gcc-4.0.1
sudo ln -s powerpc-apple-darwin10-g++-4.2.1 powerpc-apple-darwin11-g++-4.2.1
sudo ln -s powerpc-apple-darwin10-gcc-4.2.1 powerpc-apple-darwin11-gcc-4.2.1

These commands are meant to make the platform match:

cd /usr/bin
sudo ln -s /Developer/usr/bin/powerpc-apple-darwin10-g++-4.2.1 powerpc-apple-darwin11-g++-4.2.1
sudo ln -s /Developer/usr/bin/powerpc-apple-darwin10-gcc-4.2.1 powerpc-apple-darwin11-gcc-4.2.1

cd /Developer/usr/libexec/gcc/
sudo ln -s /Developer-3.2/usr/libexec/gcc/powerpc-apple-darwin10 .
sudo ln -s powerpc-apple-darwin10 powerpc-apple-darwin11

These commands add the as support for PPC:

cd /Developer/usr/libexec/gcc/darwin/
sudo mkdir ppc
cd ppc
sudo ln -s /Developer-3.2/usr/bin/as .

These commands are needed if you plan to use Xcode in GUI mode:

cd /Developer/Library/Xcode/PrivatePlugIns
cd Xcode3Core.ideplugin/Contents/SharedSupport/Developer/Library/Xcode/Plug-ins
sudo ln -s "/Developer-3.2/Library/Xcode/Plug-ins/GCC 4.0.xcplugin" .

These commands will restore the PPC support for GCC 4.2:

cd /Developer/usr/libexec/gcc/powerpc-apple-darwin10/4.2.1
sudo mv as as.bak
sudo ln -s /Developer-3.2/usr/bin/as .

How to use

Once you have done all these command line works, you should be able to compile executable for PowerPC architecture on Lion. The typical command line looks like:

gcc-4.2 -arch ppc -isysroot /Developer/SDKs/MacOSX10.5.sdk main.c -o HelloWorld

One more thing

Comments and feedback are welcome to correct/fix this entry.

2 comments

Apple

Thursday, July 21 2011

21Jul2011

Monobjc under Mac OS X 10.7 (Lion)

As some of you may have noticed, Monobjc is under heavy development to support the newly released version of Mac OS X 10.7, also known as Lion. Thanks to the architecture redesign performed under the version 3.0 (the native runtime), the transition is smooth and easy. A preview release of Monobjc for Lion should be out by the end of the month.

Monobjc

Sunday, July 10 2011

10Jul2011

Better than TRIM (but slower)

Yesterday, I give a shot on SuperDuper. It is a small but amazing utility that can backup whole disks and has many neat options. After backing up and restoring my system, I was surprised when it booted a little faster and was freed from all the temporary files. It is actually better than TRIM, but slower (2 hours for more than 200 Gb)...

Apple

- page 1 of 12