Resigned ipa do not install on ios devices - ios

My organization has developer account (not enterprise) and have added me as a "team member" to the organizations team account and shared the developer certificate and development provisioning profile(includes 1 device). Using those, I could develop an app, archive and created an IPA from XCode (selected method of distribution as "Development") and exported to a folder on disk. When exported I have the following files created on my disk
DistributionSummary.plist
ExportOptiona.plist
manifest.pList
Packaging.log
app.ipa
The admin of my organization wants to resign this ipa to distribute to app store and followed all the steps mentioned below, with distribution certificate and dist. provisioning profile (app store). The resigned ipa is then distributed(OTA) to users and it will not install on their phones.
I followed the below steps to re-sign our ipa
unzip the app
unzip -q *.ipa
Remove the old signature
rm -rf Payload/*.app/_CodeSignature/
Replace embedded provisioning profile
cp "XXXXXXXXXX_distribution.mobileprovision" Payload/*.app/embedded.mobileprovision
Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
Re-sign embedded frameworks
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/.app/Frameworks/
Re-sign the app (with entitlements)
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/*.app/
Zip re-signed app
zip -qr resigned.ipa Payload
Cleanup
rm entitlements.plist
rm -r Payload/
Can I re-sign an app from a developer to distribute to app store? Can somebody tell me where I am going wrong? Any help is greatly appreciated.

Note: I'm answering what you're saying in the comments
[Update] I received an email from apple with the following issue to be fixed "Invalid Swift Support - The SwiftSupport folder is missing. Rebuild your app using the current public (GM) version of Xcode and resubmit it." Can anyone help me here?
I can't do it directly on comments as I don't have enough reputation.
When you unzip the .ipa the first time, you should see at least four folders: one is the Payload (where you do all the signing operations, and changes regarding configuration), Symbols, BCSymbolMaps and a SwiftSupport folder. When you do the zip you have to add also the SwiftSupport folder to the .ipa:
zip -qr yourNewApp.ipa Payload/ SwiftSupport/
After doing this, you upload through Application Loader or you can validate your .ipa running this:
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f yourNewApp.ipa -u yourItunesConnectUser#mail.com

Related

Is entitlement.plist file required while re-signing a development IPA with distribution certificate and profile of same account?

In my organization, the distribution certificate and app store provisioning profile are located and installed on a Mac machine present inside a Lab environment to which only a lab manager has access to.
For me to upload an app's IPA to app store, I need to archive a development IPA (using dev cert and profile in Release configuration mode) on my local Mac and then send across this IPA to the lab manager.
The lab manager uses a python re-signing script to re-sign the IPA on the lab Mac.
Do I also need to explicitly send a entitlements.plist file along with the IPA. My app does not use any capabilities as of now, not even Push Notifications. All Capabilities in Xcode are Off and on developer portal also the app identifier has Game Center and In-House Purchase as checked by default under the Capabilities.
I am assuming since it is the same Apple account using which lab manager will be re-signing the IPA and the app store profile present on the lab Mac contains its own entitlements, I do not need to send an explicit entitlements.plist file. Also, I assume the app will not get rejected in review.
Are these assumptions correct? Thanks in advance.
You can not magically attach an entitlements file during export; it has to be there during archiving. But you do not find out whether you got it "right" (in Apple's eyes) until distribution time.
So a situation where archiving happens in one place and exporting happens in another is not going to be a happy one.
I would describe this entire situation as unacceptable. I have had many occasions, just working on my own machine, where I was able to archive but then unable to upload to the app store or TestFlight because of an entitlements issue. And often there was no "real" issue: I just needed to do a bunch of goat sacrifices and fooling around with the settings (e.g. turn entitlements on and off). The point is, you don't know there's an issue until you export — and then to find out whether you fixed it you have to build / archive again.
1) Entitlement plist can be given while resining an ipa like below but this is optional.
codesign --entitlements entitlements.xml -f -s "IDENTITY" Payload/<app_name>.app
Please refer How do I resign app with entitlements?
2) To resign an ipa, you can follow below procedure (without giving Entitlement).
Requisites:
Distribution profile
Distribution certificate
Assuming Distribution profile stored in Desktop ~/Desktop/AdHoc.mobileprovision
Procedure :
1) unzip ipa using following command,
unzip app.ipa
2) When you unzip it You will have as an output a directory called “Payload”.
3) remove _CodeSignature file from unzipped folder “Payload” as below
rm -rf Payload/MyApp.app/_CodeSignature/
4) Rename distribution profile which is stored in Desktop to embedded.mobileprovision
5) Copy distribution profile(embedded.mobileprovision from Desktop) to Payload/.app
cp ~/Desktop/AdHoc.mobileprovision Payload/MyApp.app/embedded.mobileprovision
6) Resign using below commands,
codesign -f -s “IDENTITY” --resource-rules Payload/MyApp.app/ResourceRules.plist Payload/MyApp.app
7) Zip payload to form an ipa as below
zip -qr <app_name>.ipa Payload/

Resign iOS App (ipa) for distribution

I've successfully resigned my app. However there are still some open questions. These are the steps i did to resign the app:
I downloaded the appropriate provision profile from the apple member center.
I unzipped the ipa file: unzip {AppName}.ipa
Removed the old signature: rm -rf Payload/{AppName}.app/_CodeSignature/
Copied the new provisioning profile into the App:
cp new.mobileprovision Payload/{AppName}.app/embedded.mobileprovision
Resign the App: codesign -f -s "iPhone Distribution: {CertificateName}" --entitlements Entitlements.plist Payload/{AppName}.app/
Repack the App: zip -qr resigned.ipa Payload
I've looked up the {CertificateName} from the my Keychain under My Certificates. To get the entitlements.plist i used the following command:
codesign -d --entitlements :entitlements.plist Payload/{AppName}.app/
Now the open questions are:
Can i use this to resign an app and upload it to the app store? Is there anyone who actually did it this way successfully?
I have another folder besides Payload which is called Symbols. I suspect that this was added when the ipa was created for the app store. Do i need to repack it this way then: zip -qr resigned.ipa Payload Symbols to ensure that the Symbols are also within the app?
Within the Entitlements there is a part keychain-access-groups. Is this only relevant if i would use the keychain? Can i use the following value for it: {Prefix}.* or should it be more explicit?
Thank you in advance for any help!
Take a look at this, does the most of work for you when you upload your app FastLane

ipa file does not contain a provisioning profile

I am facing an issue in Re signing of IPA file. My requirement is to rename the app and resign it with new provisioning profile and certificate. So i have changed the "CFBundleIdentifier" to the new app name. Then I followed the below steps to re sign the IPA file.
extract the IPA file:unzip Myapp.ipa
remove existing code signature:
rm -r "Payload/MyApp Mobile.app/_CodeSignature" "Payload/MyApp Mobile.app/CodeResources" 2> /dev/null | true
replace the existing Provisioning Profile:
cp "MyEnterprise.mobileprovision" "Payload/MyApp Mobile.app/embedded.mobileprovision"
re-sign the executable:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/MyApp Mobile.app/ResourceRules.plist" "Payload/MyApp Mobile.app"
re-package the IPA file for distribution:
zip -qr "MyApp.resigned.ipa" Payload
I am just re signing this IPA with the new Provisioning profile and the certificate which i have received from my vendor. I have followed the steps and resigned the app. While installing in Mobile Iron it is giving error as "ipa file does not contain provisioning profile". But i can see that my new provisioning profile is inside the IPA file.
Please anyone tell what could be the issue. I am new to this Apple app.
I think your device UDID is not added in your provisioning profile.Most probably this error comes at this point.The following link can help you-
A valid provisioning profile for this executable was not found for debug mode

Publishing IOS app on client's Enterprise App Store without source coce

I am developing an IOS app for a client. My client would like to publish the app on their private Enterprise App Store which is provided by MobileIron. However, I will not disclose the source code to my client. Is anyone familiar to MobileIron? Can my client publish the app on their Enterprise App Store if only an api file is provided? How to achieve it? Thank you!
Path of least resistance:
ask them for an invitation as a member of their Enterprise portal
archive and sign the app with a development cert & provisioning profile out of that portal
send them the .xcarchive file out of Organizer
they can then pop open the .xcarchive file in XCode, won't see the code, and can re-sign with their Enterprise cert and profile
The other answer will work but it's a pain in the neck compared to the above.
To resign an existing IPA do following steps in the terminal:
rm -rf Payload/<yourapp>.app/_CodeSignature/
cp <a valid and made for your bundle>.mobileprovision Payload/<yourapp>.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: <company>" --resource-rules Payload/<yourapp>.app/ResourceRules.plist Payload/<yourapp>.app
zip -r render3d.ipa Payload
Then remove the app from the device with Xcode
and drag the new ipa into xcode onto the device
EDIT:
see also:
Re-sign IPA (iPhone) and
How to re-sign the ipa file?

How to re-sign the ipa file?

How do I sign the .ipa file with a provisioning profile after I generate an IPA like the following with a different provision profile? I would like to sign the IPA with an ad-hoc provisioning profile for beta testing, and then re-sign the exact IPA with an app submission provisioning profile for the app store.
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "${RELEASE_BUILDDIR}/${APPLICATION_NAME}.app" -o "${BUILD_HISTORY_DIR}/${APPLICATION_NAME}.ipa" --sign "${DEVELOPER_NAME}" --embed "${PROVISONING_PROFILE}"
It's really easy to do from the command line. I had a gist of a script for doing this. It has now been incorporated into the ipa_sign script in https://github.com/RichardBronosky/ota-tools which I use daily. If you have any questions about using these tools, don't hesitate to ask.
The heart of it is this:
CODESIGN_ALLOCATE=`xcrun --find codesign_allocate`; export CODESIGN_ALLOCATE
IPA="/path/to/file.ipa"
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in keychain
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# sign with the new certificate (--resource-rules has been deprecated OS X Yosemite (10.10), it can safely be removed)
/usr/bin/codesign -f -s "$CERTIFICATE" Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload
Your new signed app is called resigned.ipa
Check iResign for an easy tool on how to do this!
[edit] after some fudling around, I found a solution to keychain-aware resigning. You can check it out at https://gist.github.com/Weptun/5406993
Kind of old question, but with the latest XCode, codesign is easy:
$ codesign -s my_certificate example.ipa
$ codesign -vv example.ipa
example.ipa: valid on disk
example.ipa: satisfies its Designated Requirement
The answers posted here all didn't quite work for me. They mainly skipped signing embedded frameworks (or including the entitlements).
Here's what's worked for me (it assumes that one ipa file exists is in the current directory):
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in the keychain
unzip -q *.ipa
rm -rf Payload/*.app/_CodeSignature/
# Replace embedded provisioning profile
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
# Re-sign embedded frameworks
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Frameworks/*
# Re-sign the app (with entitlements)
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/
zip -qr resigned.ipa Payload
# Cleanup
rm entitlements.plist
rm -r Payload/
Fastlane's sigh provides a fairly robust solution for resigning IPAs.
From their README:
Resign
If you generated your ipa file but want to apply a different code signing onto the ipa file, you can use sigh resign:
fastlane sigh resign
sigh will find the ipa file and the provisioning profile for you if they are located in the current folder.
You can pass more information using the command line:
fastlane sigh resign ./path/app.ipa --signing_identity "iPhone Distribution: Felix Krause" -p "my.mobileprovision"
It will even handle provisioning profiles for nested applications (eg. if you have watchkit apps)
I've updated Bryan's code for my Sierra iMac:
# this version was tested OK vith macOs Sierra 10.12.5 (16F73) on oct 0th, 2017
# original ipa file must be store in current working directory
IPA="ipa-filename.ipa"
PROVISION="path-to.mobileprovision"
CERTIFICATE="hexadecimal-certificate-identifier" # must be in keychain
# identifier maybe retrieved by running: security find-identity -v -p codesigning
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# generate entitlements for current app
cd Payload/
codesign -d --entitlements - *.app > entitlements.plist
cd ..
mv Payload/entitlements.plist entitlements.plist
# sign with the new certificate and entitlements
/usr/bin/codesign -f -s "$CERTIFICATE" '--entitlements' 'entitlements.plist' Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload
Unzip the .ipa file by changing its extension with .zip
Go to Payload. You will find .app file
Right click the .app file and click Show package contents
Delete the _CodeSigned folder
Replace the embedded.mobileprovision file with the new provision profile
Go to KeyChain Access and make sure the certificate associated with the provisional profile is present
Execute the below mentioned command:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
Now zip the Payload folder again and change the .zip extension with .ipa
Hope this helpful.
For reference follow below mentioned link:
http://www.modelmetrics.com/tomgersic/codesign-re-signing-an-ipa-between-apple-accounts/
Try this app
http://www.ketzler.de/2011/01/resign-an-iphone-app-insert-new-bundle-id-and-send-to-xcode-organizer-for-upload/
It supposed to help you resign the IPA file. I tried it myself but couldn't get pass an error with Entitlements.plist. Could just be a problem with my project. You should give it a try.
I have been using https://github.com/xndrs/XReSign and it is working really well.

Resources