Code signing across platform

Code_signing.md

Proposal

Introduce new package command to cordova-cli

Use existing <preference /> tag to specify code signing specific parameters (certificate path, certificate storage, etc.)

<!-- Windows 8 -->
<preference name="CodeSignCertificate" value="cert/windows/build-release.pfx" />
<!-- Android -->
<preference name="CodeSignCertificateStore" value="cert/android/build-release.keystore" />
<preference name="CodeSignCertificate" value="build-release" />
<!-- iOS -->
<preference name="CodeSignIdentity" value="build-release" />

Realization details

Windows phone

Store apps no need to be signed (http://stackoverflow.com/questions/19816197/wp8-app-signing-does-not-always-work)

Windows 8

1. Replace default certificate file in platform root folder with one specified in config.xml
2. Build release configuration

Quirks

• Default certificate will be replaced with release one. This may be potential risky. Need to discuss.
• Certificate publisher should be same as app publisher, specified in .appxmanifest file.
• Windows certificate generation

Android

1. Provide certificate options (keystore, alias, passwords) via ant.properties file and specify -sign-release target for ant. (Options also can be provided via ant's command-line args)

Quirks

Generating certificate for Android

iOS

1. Specify CODE_SIGN_IDENTITY = <IDENTITY> in .xcconfig file at the patform root and then exec build --relese

Quirks

• User should retrieve developer certificate from Apple and install it into keychain manually.
• Signing at PhoneGap Build
• code signing parameters in .xcconfig

Here's a suggestion: Use the platform element.

Ex:

     <platform name="android">
             <preference name="package-id" value="com.my.package.id.overrride" />
              <preference name="package-version" value="1.0.0.0" />
             <preference name="package-display-name" value="My App" />
             <preference name="package-key-store" value=”res/cert/android/build-release.keystore" />
             <preference name="package-key-alias" value=”alias" />
             <preference name="package-key-store-password" value=”mypass" />
             <preference name="package-key-alias-password" value=”mypass" />
   </platform>
     <platform name="ios">
              <preference name="package-id" value=”com.my.package.id.override”/>
              <preference name="package-version" value="1.0.0.0" />
             <preference name="package-display-name" value="My App" />
             <preference name="package-signing-identity" value=”identity" />
             <preference name="package-certificate" value=”res/cert/ios/signing-cert.cer" />
             <preference name="package-provisioning-profile" value=”res/cert/ios/provisioning.cer" />
     </platform>

The package-id, package-name, and package-version values would be optional and are there to deal with issues where a particular store requires different values.

Windows and Windows Phone 8.1 need different values for these since the stores are separate at the moment. Perhaps this is an option for the unified platform implementation:

     <platform name="windows">
              <preference name="package-id" value="{23423-23234-23422342}" />
              <preference name="package-version" value="1.0.0.0" />
             <preference name="package-display-name" value="My App" />
             <preference name="package-certificate" value=”res/cert/windows/build-release.pfx" />
              <preference name="phone-package-id" value="{23423-23234-23422342}" />
              <preference name="phone-package-version" value="1.0.0.0" />
             <preference name="phone-package-display-name" value="My App" />
             <preference name="phone-package-certificate" value=”res/cert/windows/build-release.pfx" />
     </platform>

The phone-* preferences could then be optional overrides for phone.