I have a requirement to deploy an enterprise application to my users. Vendor has give me an IPA/Xcarchive file. But, the files are signed using vendor’s signing certificate. We don’t want to share our distribution certificate with them and, they are unable to share the xcode with us. I want to know, how can I resign ipa/xcarchive for in-house distribution?
Any help is appreciated.
Thanks
Chetan
Certificates and provisioning profile used for generating IPA contains all the details on which all devices it can be installed, so it is not possible to resign the IPA file without the source code. Below are few available options:
Get the source code: If you can get the source code then you can generate IPA file with your certificates.
Share Device UDID: You can share the device UDIDs wherein you want to install the app with the vendor (might not be a good option for large audience)
TestFlight: You can ask the vendor to upload the app on Testflight and add the users as testers/users and they will be notified for any update available aswell.
Related
I try to deploy an app for my company use. So I do Product->Archive, select the good distribution cert/profil. I upload the file on the web, make the link to the manifest.plist to .ipa and then I try to install it on my ipad but ... unable to intall:
UPDATE: I don't want to install it directly on a Ipad, but download it from an url with the ipad and I'm using entreprise developper program and it work if I directly build it for the ipad
Here the ios console Log :
I find strange that in the log after
INVALID >> { 642AFE.... this number is not the same there is in my
ipa filename.
I also find strange to get many plist file (distribution, export ...) .
Here the folder i drop to the server :
Does anyone have some idea ?
thanks by adavance
If you are using the normal developer account then to install the application in device(either directly or from any third party sites) you have to sign the archive file either with development profile of AdHoc distribution profile. Here if you have selected the Appstore distribution certificate and profile then the application will not be able to install in any device.
If the device's UDID is added to the profile(development or AdHoc distribution) then you can install the app directly using Xcode or via an URL.
If you are using the enterprise program and the application is signed with the distribution certificate and profile then the application can be install in any device regardless of the existence of UDID in the profile.
Please check the profile when you are archiving the ipa.
Hope this helps you in some way.
We have a series of iOS Enterprise applications that were built with Telerik Cordova (discontinued in May 2018). Those apps are in the process of being converted to a new platform, but in the mean time they must continue to service client needs.
The distribution certificate the apps were built with is valid for another 14 months or so, but the provisioning profiles expire in a few days. Since these are Enterprise apps they will expire with the profiles.
Unfortunately, Telerik can no longer rebuild the apps using an updated profile for us. We have re-signed the apps using new provisioning profiles (using both iReSign and Terminal). When we try to side-load the resulting IPAs through the XCode Devices panel, we get an error stating that the entitlements do not match and the apps are not installed.
The question was raised as to whether or not we not need to re-sign the apps since the certificates are still valid. Perhaps it would be possible to just replace the .mobileprovision file on the device somehow? I gave it a try using iTunes Sync but I cannot confirm whether the file actually went to the device or not.
Question: Is it possible to just update the *.mobileprovision on the device without re-signing the app? If so, could someone please give me the steps or direct me to a link to perform the steps?
Alternate Question: Otherwise, any thoughts on how to resolve my Entitlements issue? The app only needs Push Notifications, but Game Center and In-App Purchases are also enabled. These are reflected in the App ID and provisioning profile, and the distribution certificate is of type Apple Push Services.
I should point out that I am not an admin on the Apple Developer portal for the project as I am an outside consultant, so my portal access is strictly read-only.
Thanks in advance for any direction provided!
If the applications were distributed to the devices by an MDM, then you can push a new provisioning profile to them using the MDM.
If the applications were installed over the air from a web server or directly using iTunes or Apple Configurator, then you need to replace the entire application package on the device. This requires the app to be re-signed, since the changed .mobileprovision file will change the package signature.
If you don't have the original, app ID with matching entitlements in the developer portal, then you will need to delete the existing application from the device before installing the new, re-signed application. You won't be able to do an in-place upgrade.
I'm developing apps for other companies. My customers want their app in App Store to show as published by their own company, not mine. Also, they don't want to give me their private key for signing apps for App Store distribution. I don't want the key myself, because I don't want any legal responsibility related to the key being lost or stolen.
They can add me as a developer on their company's team inside the Apple Developer portal, and this gives me access to publish new builds for testing. In this situation, I must sign my app with their distribution certificate, or my builds would be rejected when uploading them. Is that correct?
A possibility is that I send them the app as an IPA-file, using their app's bundle id, and sign it with my own certificate. They would then resign the app with their distribution certificate and submit it to iTunes Connect using Application Loader or similar. What is the easiest way for them to do the re-signing? Will they have to use Xcode to upload the IPA, or manually run codesign on the command line?
I'm looking to make this as easy as possible. The people receiving the builds (IPA-files) are not developers.
Try this one, you can sign IPA package by your certificate and send it to them, then ask them to re-sign it using their own certificate.
How to Re-Sign an iOS App from an External Developer
In this scenario, the customer will have to resign the IPA file they recieve from the developer and upload it to iTunes Connect themselves using Apple AppLoader or Xcode. To resign it, they will need the codesign binary provided by the Xcode command line tools (full Xcode not required, but will also work). Optionally, they can use Xcode to upload and re-sign an xcarchive.
There are some apps that give a UI to codesign, like iResign and AirSyncApp, that are more user-friendly than the command line.
Thanks to #alanc-liu for contributing information.
I am new to iOS app development. I have a standard Apple iOS developer license. When I build my app it creates an ipa file. If I send this file to someone, will they be able to install it? Or does that require an enterprise license?
You can share an ipa archive with testers/friends using Ad Hoc Distribution. You do not need an enterprise license to do it, team or individual is enough. You will need to register a device's ID in the Member Center and to generate an Ad Hoc provisioning profile with this ID:
Using this method, testers don’t need to be team members or iTunes
Connect users to run the app, but their devices need to be registered
in Member Center. You can register up to 100 devices per year that
your team can use for development and testing. Therefore, choose this
method if you can use a portion of these devices for testing and can
collect device IDs from testers. Also choose this method if you’re not
ready to create an app record in iTunes Connect. You don’t need to
validate or upload your app to iTunes Connect to distribute it using
an ad hoc provisioning profile.
As you have standard development licence, it's enough for distribution under 100 devices, and after one year, you can also remove previously registered devices from your member centre.
But as the answer above described, it should be ad hoc distribution only you can use any except Apple Store distribution, so the easiest way to do that is to just create a development provision with as many selected device as you want to distribute. After that, you just need to install a particular provision in your Mac by just clicking over it and then select the provision in your project.
Now compile your project.
After successful compilation, go to product folder, select the app, and reveal it in folder.
Copy the app file from this folder.
Just create one folder on your desktop and name it Payload.
Paste the app file you just copied inside the folder.
Place one image again on your desktop and name that iTunesArtwork but without extension.
Now select the payload folder and iTunesArtwork file together and compress it.
After compressing it, create archive.zip and rename it to may.ipa.
Now it will ask if you are sure you want to rename it. Press yes.
Now you have ipa read within few steps and you can use this payload and iTunesArtwork for making another .ipa or for any other project. Just leave this both folder and the file on your desktop. It will always help you.
Now go to http://diawi.com and upload your ipa file here which you just renamed, and then when it's done with uploading, press the send button. It will give you a URL. Share it with your testers or friends. They can directly download it in their device. No need to send ipa, and in this process, no one can use re-engineering in your .ipa. It's safe and secure.
We have developed an iOS app that has been delivered to the customer as an IPA with an ad-hoc distribution profile that allowed a set of their employees to install it on their devices. The customer now wishes to distribute that app internally to all their employees using their iOS Enterprise Developer program credentials.
I had hoped that the customer could simply re-codesign the ad-hoc IPA with their own enterprise identity. However, they say they can't do that. They say they "need an IPA file with the removal of the limitation to only certain devices".
So, what do I do?
Do I need to somehow create an "unsigned" IPA for them? (And if so, how do I do that?)
Do I need them to generate an Enterprise distribution provisioning profile for me so I can build the app with that profile?
Do I need to just send them the source or build output and let them build the package?
I have looked at the following documents, but they have not enlightened me:
TN2250: iOS code Signing Setup, Process, and Troubleshooting
Distributing Enterprise Apps for iOS Devices
It's completely possible to take any IPA and resign it with your own details, modifying the Info.plist, bundle ID, etc. in the process. I do this all the time with IPAs that have been signed by other developers using their own provisioning profiles and signing identities.
If they aren't familiar with the codesign command line tool and all the details of replacing embedded.mobileprovision files and entitlements, the easiest way for them to do this is for you to "Archive" the app via Xcode, and send them the generated archive file (*.xcarchive).
They can import that into Xcode so it is visible in the Organizer, and from there they can choose "Distribute" and sign it with their enterprise identity.
To import the .xcarchive file into Xcode, they just need to copy the file into the ~/Library/Developer/Xcode/Archives directory and it should appear in the Xcode organizer. Then they click "Distribute" and follow the instructions: