
Validating a certificate and provisioning profile

Updated: 2022-02-04 22:44:11

Answering my own question, I hope this helps someone else.

Turns out, the mobileprovision file is a PKCS7 digitally signed message. It is not signed with the developer's certificate, but with Apple's one.

However, the data that's signed is an XML plist that contains the public key of the certificate you use to sign your binaries.

So basically, the steps are as follows:


  1. Extract the data from the PKCS7 file.

  2. Extract the public key from the p12 file.

  3. Compare the two, and check if they are the same.

I managed to do this easily with Ruby, since it provides nice wrappers to OpenSSL. I left a script on GitHub, if anyone wants to use it.

The relevant part of the code is the following:

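```ruby
require 'openssl'
require 'rexml/document'

# The .mobileprovision and .p12 files are binary, so read them as bytes.
profile = File.binread(@profile_file)
certificate = File.binread(@certificate_file)

p7 = OpenSSL::PKCS7.new(profile)
cert = OpenSSL::PKCS12.new(certificate, @certificate_password)

# p7.data is set by verify. The store has no trusted certificates added
# and the return value of verify is not checked here.
store = OpenSSL::X509::Store.new
p7.verify([], store)

plist = REXML::Document.new(p7.data)

plist.elements.each('/plist/dict/key') do |ele|
  if ele.text == "DeveloperCertificates"
    keys = ele.next_element
    # Relative path: only <data> children of this <array>, not the first
    # array/data found anywhere in the document.
    key = keys.get_elements('data')[0].text

    profile_cert = "-----BEGIN CERTIFICATE-----" + key.gsub(/\t/, "") + "-----END CERTIFICATE-----\n"

    @provisioning_cert = OpenSSL::X509::Certificate.new(profile_cert)
  end
end

# Compare @provisioning_cert.to_s and cert.certificate.to_s
```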
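
The three steps above as one self-contained check, added here as an example and not taken from the original answer or its GitHub script. It goes a little further than the snippet: it rejects a profile whose signature does not verify against the supplied trust store, and it compares DER encodings against every entry in `DeveloperCertificates`. The names `profile_matches_p12?`, `make_identity`, `make_profile` and `demo` are hypothetical, and the sample profile and certificates are constructed, with a self-signed signer standing in for Apple's certificate.

```ruby
require 'openssl'
require 'rexml/document'

# True only if the profile's PKCS7 signature verifies against trust_store
# and the p12 certificate is listed under DeveloperCertificates.
def profile_matches_p12?(profile_der, p12_der, password, trust_store)
  p7 = OpenSSL::PKCS7.new(profile_der)
  return false unless p7.verify([], trust_store) # step 1: reject unverified content
  p12_cert = OpenSSL::PKCS12.new(p12_der, password).certificate # step 2
  plist = REXML::Document.new(p7.data)
  key = REXML::XPath.match(plist, '/plist/dict/key')
                    .find { |k| k.text == 'DeveloperCertificates' }
  return false unless key
  # Step 3: compare DER encodings against every certificate in the array.
  key.next_element.get_elements('data').any? do |d|
    OpenSSL::X509::Certificate.new(d.text.unpack1('m')).to_der == p12_cert.to_der
  end
end

# Constructed sample identity: self-signed certificate, key and p12 (password 'pw').
def make_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key, OpenSSL::PKCS12.create('pw', cn, key, cert).to_der]
end

# Constructed minimal profile listing dev_cert, signed by a stand-in signer.
def make_profile(dev_cert, signer_cert, signer_key)
  plist = '<plist><dict><key>DeveloperCertificates</key><array><data>' \
          "#{[dev_cert.to_der].pack('m')}</data></array></dict></plist>"
  OpenSSL::PKCS7.sign(signer_cert, signer_key, plist, [], OpenSSL::PKCS7::BINARY).to_der
end

# Runs the check on constructed material: match, mismatch, untrusted signer.
def demo
  signer, signer_key, = make_identity('Constructed Signer')
  dev, _, dev_p12 = make_identity('Constructed Developer')
  _, _, other_p12 = make_identity('Constructed Other')
  store = OpenSSL::X509::Store.new.add_cert(signer)
  profile = make_profile(dev, signer, signer_key)
  [profile_matches_p12?(profile, dev_p12, 'pw', store),   # listed certificate
   profile_matches_p12?(profile, other_p12, 'pw', store), # certificate not in profile
   profile_matches_p12?(profile, dev_p12, 'pw', OpenSSL::X509::Store.new)] # signer untrusted
end
```

For a real profile, the trust store would hold the Apple certificates you have chosen to trust instead of the constructed signer.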