In an Enterprise iOS app, how to replace the *.mobileprovision file on device after existing profile expired, but without re-signing the IPA? - ios

We have a series of iOS Enterprise applications that were built with Telerik Cordova (discontinued in May 2018). Those apps are in the process of being converted to a new platform, but in the mean time they must continue to service client needs.
The distribution certificate the apps were built with is valid for another 14 months or so, but the provisioning profiles expire in a few days. Since these are Enterprise apps they will expire with the profiles.
Unfortunately, Telerik can no longer rebuild the apps using an updated profile for us. We have re-signed the apps using new provisioning profiles (using both iReSign and Terminal). When we try to side-load the resulting IPAs through the XCode Devices panel, we get an error stating that the entitlements do not match and the apps are not installed.
The question was raised as to whether or not we not need to re-sign the apps since the certificates are still valid. Perhaps it would be possible to just replace the .mobileprovision file on the device somehow? I gave it a try using iTunes Sync but I cannot confirm whether the file actually went to the device or not.
Question: Is it possible to just update the *.mobileprovision on the device without re-signing the app? If so, could someone please give me the steps or direct me to a link to perform the steps?
Alternate Question: Otherwise, any thoughts on how to resolve my Entitlements issue? The app only needs Push Notifications, but Game Center and In-App Purchases are also enabled. These are reflected in the App ID and provisioning profile, and the distribution certificate is of type Apple Push Services.
I should point out that I am not an admin on the Apple Developer portal for the project as I am an outside consultant, so my portal access is strictly read-only.
Thanks in advance for any direction provided!

If the applications were distributed to the devices by an MDM, then you can push a new provisioning profile to them using the MDM.
If the applications were installed over the air from a web server or directly using iTunes or Apple Configurator, then you need to replace the entire application package on the device. This requires the app to be re-signed, since the changed .mobileprovision file will change the package signature.
If you don't have the original, app ID with matching entitlements in the developer portal, then you will need to delete the existing application from the device before installing the new, re-signed application. You won't be able to do an in-place upgrade.

Related

Appcenter iOS install error "this app cannot be installed because its integrity could not be verified"

I see that this question has been asked many times but I see no solution that works for me so I'm hoping that providing more info might shed some light.
We use appcenter.ms to test iOS apps. Until our iOS certificate expired this method worked fine. We generated a new enterprise certificate and ad hoc provisioning profile for new releases of the iOS app. Which led to the first curiosity.
I see how to upload a certificate on appcenter.ms but not a provisioning profile. I thought there was an option to do this in the past but perhaps I am mistaken. However, the app is signed with a provisioning profile before upload, so perhaps this is not needed now.
Once the app is uploaded, it can't be installed. It remains grey and when you tap it, you get the "this app cannot be installed because its integrity could not be verified" error. Again, that the .ipa is created with an ad hoc certificate and profile in Xamarin (VS for Mac).
Also, I can't install the provisioning profile on a device from appcenter.ms. You basically get stuck in a loop where you seem to successfully install the profile but have to keep doing it because it never actually installs.
I hope this is enough info for some insight and thanks in advance for any feedback.
We were able to solve this by redoing and downloading development certs and via
And also downloading and double clicking the apple development certificate here
After that our keychain showed both as trusted and we could build to the iPhone again.
The issue can be the your device is simply not registered on the developer portal and/or that ad-hoc provisioning profiles have not been regenerated.
You need to register your device, regenerate a provisioning profile with this device in it and rebuild your app using this profile.
This can also happen because of
Developer ID Notary Service - Outage
which can be checked on https://developer.apple.com/system-status/
Notarization is well explained here:
Notarization gives users more confidence that the Developer ID-signed
software you distribute has been checked by Apple for malicious
components. Notarization is not App Review. The Apple notary service
is an automated system that scans your software for malicious content,
checks for code-signing issues, and returns the results to you
quickly. If there are no issues, the notary service generates a ticket
for you to staple to your software.
Work around fix:
Select your app.
Navigate to TextFlight tab
Create External Testing group
Add one tester
Add build which you want to download using TestFlight
Open TestFlight and download an app.
In my case this was caused by trying to include an entitlement for aps-environment "development" when using an Ad-Hoc provisioning profile. The value for this environment in Entitlements.plist must match what is hard coded into the provisioning profile file - if you open an Ad-Hoc profile in a text editor you will see it expects the "production" environment.
The possible solutions depending on your requirements are to either use the Development profile/certificate, or change the aps-environment to "production" to continue using an Ad-Hoc provisioning profile.
It can also happen if you have other incorrect entitlements - worth checking what entitlements are enabled under the Identifier in Apple Developer portal and removing unnecessary ones.
I had this issue because when building the app on xCode for distribution (Product->Archive then Distribute App), I chose automatic signing. After manually signing the app and choosing my own generated certificate and profile, everything worked again fine.
I removed the Entitlements file from the Addition Resources in iOS Bundle Signing and it worked.
I think the MSAL configuration was set to debug in entitlements.plist
I have also face this issue before but for me the reason was little different
First the build was enterprise one and the build was made on the earlier Xcode version on which the iOS version you are using on the device was not supported by the Xcode.
All I did was to update my Xcode and make a new build and shared the build. After that we were able to install that build over device Hope it works for you as well
This is how I solved for myself.
In you iPhone Settings > General > VPN & Device Management you should see your company name (if an app from it is installed), and if you click on it, you will see a button like "Verify" above the list of apps installed provided by the company. Just click on "Verify".

How to submit app made by third party to iTunes Connect without giving away the distribution certificate?

I'm developing apps for other companies. My customers want their app in App Store to show as published by their own company, not mine. Also, they don't want to give me their private key for signing apps for App Store distribution. I don't want the key myself, because I don't want any legal responsibility related to the key being lost or stolen.
They can add me as a developer on their company's team inside the Apple Developer portal, and this gives me access to publish new builds for testing. In this situation, I must sign my app with their distribution certificate, or my builds would be rejected when uploading them. Is that correct?
A possibility is that I send them the app as an IPA-file, using their app's bundle id, and sign it with my own certificate. They would then resign the app with their distribution certificate and submit it to iTunes Connect using Application Loader or similar. What is the easiest way for them to do the re-signing? Will they have to use Xcode to upload the IPA, or manually run codesign on the command line?
I'm looking to make this as easy as possible. The people receiving the builds (IPA-files) are not developers.
Try this one, you can sign IPA package by your certificate and send it to them, then ask them to re-sign it using their own certificate.
How to Re-Sign an iOS App from an External Developer
In this scenario, the customer will have to resign the IPA file they recieve from the developer and upload it to iTunes Connect themselves using Apple AppLoader or Xcode. To resign it, they will need the codesign binary provided by the Xcode command line tools (full Xcode not required, but will also work). Optionally, they can use Xcode to upload and re-sign an xcarchive.
There are some apps that give a UI to codesign, like iResign and AirSyncApp, that are more user-friendly than the command line.
Thanks to #alanc-liu for contributing information.

iOS app Certificaction and ad hoc testing

I work for a company developing their iPad app. None in the company is a technological geek to handle Xcode app deployment themselves. So for now, we do this:
I develop the app.
Create an ad hoc testing version and share the .ipa file with them.
They test and then I make a distribution version for further release.
What I want to establish as a permanent solution is
I develop and share the Xcode archive
They make all different versions for testing and release.
However I have been largely unsuccessful in doing so: for creating the archive, I have to sign/certify with my development profile. They could deploy it further from Xcode archive to an .ipa file, using their distribution certificate. However, they can not install it on their devices. I believe mainly because the development version requires my certificate/profile to be enabled on their devices :(.
Is there a way out? I need to provide them an archive which they could further sign and do whatever they want to do (either test on whatever devices they want to or release).
Thanks,
Nikhil
If you don't want to manage the device identifiers where you are deploying the device, you could use:
1) TestFlightApp.com (although I don't know what the current status of their offerings are -- since they've been acquired by Apple -- but they still have a "Sign Up" link on the top of their home page).
or
2) Apple's Enterprise Developer Program, which allows you to "Distribute In-house Apps".
You can sign application using their distribution certificate.
To do so c'est have to send you a p12 export of the certificate, the p12 contains the private key of the one creating the certificate and the certificate.
To export a certificate :
Go to the keychain access
Right click on the certificate
click export

Can't install my app on IPAD (freeze at "installing")

I've created an AS3 app with Adobe Flash CC. I'm using AIR 3.9.
It works great on android devices but when I've created an .ipa file and transfer it to my Ipad (with IO7), my app is visible but freeze on "installing" (nothing's happening.)
Do you know what could be the problem ?
Thank you very much for your answers,
EDIT : I'm using the ALPACA Source engine (Infos Here)
This happens when an improper certificate and/or mobile provisioning file was used to compile the app (and is a known bug on iOS 7. It never gives an error message and just tries to keep installing the app).
You need to make sure the following are true:
The app was compiled with either a development or distribution certificate made using Apple's developer portal. It must come from that portal. I have never seen a working way to do it without a certificate generated there and I do not believe it is possible.
The mobile provisioning file used matches the certificate. A developer certificate is used for a development provisioning profile and a distribution certificate is used for an ad hoc or app store provisioning file.
Again, make sure the provisioning profile comes from Apple's developer portal. This one is a little more flexible and I believe it can be faked by other sources, but why bother?
The provisioning profile must include your device's UDID. This is the only way an app can be installed on your device without it coming from the app store
You must use either a development (if your device is set up for development) or ad hoc provisioning profile. An App Store provisioning profile will fail to install.
It only worked for me when i created ad-hoc provisioning profile and used in the intellij project settings

Having issues distributing third party iOS app

I am very new to iOS development and am in a bit of a bind. Another company has made an app for us and we are to deploy it. I have an enterprise development account and have successfully deployed one of my own apps to my own secured app store.
I have received a .ipa and a .plist file from company B and tried to put it up on my app store as I did with my app using the special href tag.
a href="itms-services://?action=download-manifest&url=http://www.myurl.com/app/company_b.plist">link</a>
The app downloads about 90% then fails. I have ensured that it is a valid plist file pointing to the .ipa.
Company-B had to add my iOS device to their device list at https://developer.apple.com/account/ios/device/deviceList.action. After they did this the app would download correctly.
I need to deploy this app to a number of people and Company B cannot add all the devices to their device list.
What can I do to deploy this app properly?
Any and all help is greatly appreciated!
Use a script like https://gist.github.com/RichardBronosky/2878446 to re-sign the ipa with your enterprise certificate. This way you don't need to give the 3rd party developer your signing identity.
You should never give out the private key for your enterprise certificate or give developer.apple.com access to anyone outside of your company.
The company has not properly signed the application. Get them to rebundle the ipa with the proper enterprise certificate

Resources