Lists certificates permitted by an iOS provisioning profile

ios-profile-certs.sh

#!/bin/bash

readonly MODE_INFO=0
readonly MODE_VERBOSE=1
readonly MODE_EXTRACT=2

PLISTBUDDY=/usr/libexec/PlistBuddy
RUNMODE=$MODE_BASIC
TMP=`mktemp -t ios-profile-certs`

function print_usage () {
	cat <<EOF
Usage: ios-profile-certs -[ixVu] [file]

	file: .ipa, .mobileprovision, or .plist file

	-i, --info: mode to show basic certificate info (default)
	-x, --extract: mode to extract certificate in PEM format
	-V, --verbose: mode to show detailed certificate info
	-u, --usage: print this usage statement

EOF
}

function print_cert () {
	if [ $RUNMODE -eq $MODE_VERBOSE ]; then
		flags="-text"
	else
		flags="-fingerprint -subject -issuer -dates -alias"
	fi
	
	openssl x509 -inform der $flags -noout 2>/dev/null
}

function extract_cert () {
	openssl x509 -inform der 2>/dev/null
}

function extract_profile () {
	unzip -qq -c "$1" "Payload/*.app/embedded.mobileprovision"
}

while [ -n "$1" ]; do

	case "$1" in
		-i|--info)
			RUNMODE=$MODE_INFO
			;;
		-x|--extract)
			RUNMODE=$MODE_EXTRACT
			;;
		-V|--verbose)
			RUNMODE=$MODE_VERBOSE
			;;
		-h|-u|--help|--usage)
			print_usage
			true
			exit
			;;
		*)
			INFILE="$1"
			break
			;;
		esac
	shift
done

case `file -b --mime-type "$INFILE"` in
	application/zip)
		extract_profile "$INFILE" | security cms -D > "$TMP"
		INFILE="$TMP"
		;;
	application/octet-stream)
		security cms -D < "$INFILE" > "$TMP"
		INFILE="$TMP"
		;;
	application/xml)
		# already a plist
		;;
esac

i=0;
while true; do
	cmd=`printf 'Print DeveloperCertificates:%d' $i`

	set -o pipefail

	$PLISTBUDDY -c "$cmd" "$INFILE" 2>/dev/null | (
		case $RUNMODE in
			$MODE_INFO|$MODE_VERBOSE)
				print_cert
				;;
			$MODE_EXTRACT)
				extract_cert
				;;
		esac
	)

	if [ ${PIPESTATUS[0]} -ne 0 ]; then
		break
	fi

	echo
	
	((i++))

done

if [ -n "$TMP" ]; then
	rm "$TMP"
fi