Question
Is it possible to resign/provision IPA's exported for the AppStore with a development certificate and profile?
I can do the actual resign and upon manual verification things seem fine, however any application I try this on crashes on launch. I am not trying to resign an app downloaded form the AppStore, these are applications built on my computer.
None of the popular tools seem to do it right either. Did anyone ever pull this off or is it impossible for some reason?
Findings
In the device log I don't see anything reported by the App process itself so the OS must have killed it before launch. I do see this:
securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>: [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>
This seemed to indicate an issue with the entitlements. However, when I manually print them (/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist
) from the IPA I installed I have:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TEAMID.*</string>
<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TEAMID.*</string>
</array>
</dict>
</plist>
This clearly shows the get-task-allow entitlement to be true.
Tools
Whichever tool I try I end up with the same result, e.g
https://dantheman827.github.io/ios-app-signer/
https://github.com/nowsecure/node-applesign
https://github.com/fastlane/fastlane/blob/master/sigh/lib/assets/resign.sh
Similar Questions
can we resign the appstore build with our development certificates? Simple no answer, seems incorrect since I'm able to perform the actual resign operation without warnings or errors.
Resign iOS App from a distribution identity to a developer identity Show how to verify and/or adapt the final entitlements in the resigned IPA.
iOS resign IPA from appstore with developer profile Question bit older but one of the commenters eventually reports the same observed behaviour: "but it can't run normally, it flashback. till now i have no idea about it".
Update 1
(reaction to #Yoshkebab)
Output of otool suggest the binary is not encrypted:
otool -l App/Payload/App.app/App | grep -A 4 -i encrypt:
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 0
cryptsize 0
cryptid 0
--
cmd LC_ENCRYPTION_INFO_64
cmdsize 24
cryptoff 0
cryptsize 0
cryptid 0
However e.g. Hopper can not disassemble it... Are there any references apple applies the encryption in Xcode? That would indicate they have a that key on user's systems? Also I don't see build steps that would indicate this (codesign is just adding the signature, no?)
Clutch fails to see my application and Stefan Esser's dumpdecrypted library doesn't work because the app crashes immediately I suspect (my setup is ok because it works for other apps).
AppStore signed apps are not only signed by the developer's certificate, but the binary is also encrypted by Apple's private key.
Thus you can resign the App's but unless you decrypt the binary you wont be able to run them.
Check out the binary's LC_ENCRYPTION_INFO load command (easiest way is to use MachoView) , if you see a flag Crypt ID != 0, the binary is encrypted.
Assuming that it is, you can still do it, this is a bit tedious and you'll need a jail broken device with the App installed.
Connect to your device with SSH. Easiest way to do it with with gandalf
Get Clutch and install it on your device - follow their instructions (I found that the easiest way to compile it is to change the package name)
Dump the decrypted app into a new IPA (Clutch -d "YOUR_PACKAGE_ID")
Now you have a decrypted IPA that you can resign
Related
I'm gonna try to explain the problem as clearly as possible, here are the steps:
I compile the app on the device (width bundled file on disk - Options 2)
The app starts, and work
After a few days, when i click on the app's icon, it open the 'powered by react-native' screen, then it crash
I had the same problem over multiple devices, and multiple times
I'm pretty sure it is not a JS error, since nothings change between the day it work, and the day it doesnt
here's the app logs on app start:
$ cat crachReport|grep MyApp
Aug 29 14:26:47 Abels-iPhone amfid[1524] <Notice>: /private/var/containers/Bundle/Application/BDC567B0-B341-4B9A-8329-90B5CEC26440/MyApp.app/MyApp not valid: 0xe8008015: A valid provisioning profile for this executable was not found.
Aug 29 14:26:47 Abels-iPhone SpringBoard(BaseBoard)[1682] <Error>: Unable to get pid for 'UIKitApplication:org.reactjs.native.example.MyApp[0x9347]': No such process (err 3)
Aug 29 14:26:47 Abels-iPhone SpringBoard(FrontBoard)[1682] <Error>: Bootstrapping failed for <FBApplicationProcess: 0x1705f9500; org.reactjs.native.example.MyApp; pid: -1>
Aug 29 14:26:47 Abels-iPhone sharingd[62] <Notice>: SystemUI unknown identifier: 'org.reactjs.native.example.MyApp'
the unfound provisionning profile error does not appear on the logs when the app work, so i think it may come from here.
However i'm not sure since i'm new to ios developpement,
Thanks in advance
After compilation with a valid provisionning profile, this problem does not appear.
The default provisionning profile was valid for 7 days, so the error was coming from there.
I am trying to use Xcode 6.2 to install a development build of an iOS app onto my iPod touch (running iOS 8.2).
The installation keeps failing with the message
App instalation failed
The packet is unknown.
The console reports the following details:
Mar 27 12:53:52 iPod-touch com.apple.StreamingUnzipService[164] <Warning>: -[StreamingUnzipState finishStream]:476: Finishing an incomplete stream! This stream will not be resumable.
Mar 27 12:53:52 iPod-touch streaming_zip_conduit[163] <Warning>: __dispatch_source_read_socket_block_invoke_2:171: Failed to finish extraction: Error Domain=SZExtractorErrorDomain Code=3 "Finishing an incomplete stream! This stream will not be resumable." UserInfo=0x17e33b50 {SZExtractorFunctionNameErrorKey=-[StreamingUnzipState finishStream], SZExtractorSourceFileLineErrorKey=476, NSLocalizedDescription=Finishing an incomplete stream! This stream will not be resumable.}
Mar 27 12:53:52 iPod-touch streaming_zip_conduit[163] <Warning>: secure_send_message:105: Got error 1 from lockdown_send_message
Mar 27 12:53:52 iPod-touch streaming_zip_conduit[163] <Warning>: secure_send_error:137: Could not send error response to host
These messages seem to imply that the IPA file is somehow corrupted, and can't be extracted, but I had no problem unziping the IPA with Archive Utility on my Mac.
I also already ran codesign -dvvv on Payload/<my-app-name>.app and don't see any obvious problems with the certificate used to sign the app.
What does this error message indicate, and how can the issue be resolved?
note:
I already found this similar question but the only current answer does not help me. Since I have some, possibly relevant, details that may not apply to the previous question, I am asking a new question.
So I was getting this exact error and I tried switching USB ports (from the device plugged into the USB port on my keyboard to the USB port on my laptop) and now it works.
I have final version of XCode 6 (version 6.0.1). In my project, I have problem when running it.
I got
"App installation failed - Could not inspect the application package."
If I run project again, it runs ok. Another run, problem again... etc. So every second run ends in this error, right after that application run just fine.
I have no problem in XCode 5.
If you have moved or copied a folder named resources or resource into your project, try renaming it. Then perform a clean.
I had the same issue, And was unable to install the ipa. It always ended with an error "Could not inspect the application package." and some warnings in device console
Feb 10 17:38:16 iPhone mobile_installation_proxy[356] <Warning>: LaunchServices: Please include the kCFBundleIdentifierKey in the options dictionary when installing an app.
Feb 10 17:38:16 iPhone mobile_installation_proxy[356] <Warning>: LaunchServices: installing app with unknown bundleID
.
.
Feb 10 17:38:16 iPhone installd[44] <Error>: 0x101bcc000 -[MIBundle _validateWithError:]: 28: Failed to load Info.plist from bundle at path
Feb 10 17:38:16 iPhone installd[44] <Error>: 0x101bcc000 + [MIInstallable installablesAtURL:packageFormat:userOptions:error:]: Failed to create bundle for …
After spending hours, I got it fixed by adding the "Application requires iPhone environment" in info.plist
<key>LSRequiresIPhoneOS</key>
<true/>
I work for a big company, and I'm developing an iOS app for iOS 5+. The only way the app will be distributed will be through ad-hoc deployment.
I have had my own server for some time, hosted by o2switch (french hoster). As I started the development, we used it to deploy the app for beta testing purposes. It was working pretty well.
As the app entered its final phase, the company bought the same (in fact, they only have a single one) plan at o2switch (as it was working fine on my server). The "new" server works fine, we have the files required by the iOS app on it and we access them correctly.
My problem is that when I deploy over to the company's server, the install keeps crashing ! The bar below the app's icon is empty, the almost full (in no time), and I get an error saying the app could not be installed. (classic)
I have the so-well-known crash log :
unknown itunesstored[1657] <Notice>: MS:Notice: Installing: com.apple.itunesstored [itunesstored] (690.10)
unknown wifid[23] <Error>: WiFi:[375199765.346102]: Client itunesstored is background application
unknown securityd[1659] <Notice>: MS:Notice: Installing: (null) [securityd] (690.10)
unknown SpringBoard[62] <Warning>: could not save thumbnail for downloading icon: image=(null) path='/var/mobile/Library/SpringBoard/DownloadingIconImageCache/***********'
unknown sandboxd[1661] <Notice>: MS:Notice: Installing: (null) [sandboxd] (690.10)
unknown installd[1663] <Notice>: MS:Notice: Installing: (null) [installd] (690.10)
unknown SpringBoard[62] <Warning>: could not save thumbnail for downloading icon: image=(null) path='/var/mobile/Library/SpringBoard/DownloadingIconImageCache/***********'
unknown keybagd[1665] <Notice>: MS:Notice: Installing: (null) [keybagd] (690.10)
unknown securityd[1667] <Notice>: MS:Notice: Installing: (null) [securityd] (690.10)
unknown SpringBoard[62] <Warning>: Killing *********** for app installation
unknown installd[1663] <Error>: 2ffc1000 extract_package: Could not extract archive
unknown installd[1663] <Error>: 2ffc1000 stage_package: Could not extract /var/tmp/install_staging.I0rwBH/foo.zip to /var/tmp/install_staging.I0rwBH/foo_extracted
unknown com.apple.itunesstored[1657] <Notice>: MobileInstallationInstall: failed with -1
unknown installd[1663] <Error>: 2ffc1000 MobileInstallationInstall: Could not stage the package
unknown installd[1663] <Error>: 2ffc1000 handle_install: API failed
unknown installd[1663] <Error>: 2ffc1000 send_message: failed to send mach message of 71 bytes: 10000003
unknown installd[1663] <Error>: 2ffc1000 send_error: Could not send error response to client
I've tried a lot to get rid of this error, but nothing seemed to work. I've read every single answer on SO talking about this issue, and tried everything I could. I re-downloaded the profiles, updated the build number, checked the ipa's url, and so many other things.. Nothing worked.
I had to deliver the app quickly, so I tried one last thing : put it on my server. And it worked perfectly. First try, and with no problem (maybe one, the bar did not load progressively but stayed grey then filled in blue very quick, but that's not a problem, I know it downloaded the online version). Then I re-tried uploading to the new server, same problem.
BTW, I tested with: iPhone4/iOS5, iPhone4S/iOS6, iPhone5/iOS6, iPad3/iOS6 and a couple other devices, over 3G (3 different providers) and Wifi, same problem every single time.
So, my question is the following :
Does / how can the server impact the ad-hoc deployment ?
I can give information on the server's config if required. Please tell me what info you need.
O2switch is investigating, but they don't know much about iOS ad-hoc deployment, so they don't really know where to look, what service the install calls, etc.
So I'm turning (once again) to you, SO's community ! Any ideas ?
Check the mime-type configuration in the web-server. You need:
application/xml for the .plist file, and
application/octet-stream for the .ipa file.
Did you edit the App.plist file before you moved it to the new server?
The assets url must be absolute, like this: <string>http://someurl.com/App-1.0.0.ipa</string>.
If you are absolutely sure that server returns proper mime types, checked by:
lynx -mime_header http://www.serveraddress/App.plist | head -10
If you are sure that you don't have spaces or new lines in link to your .plist file in your html file.
If you are sure that you have added devices to provisioning profile
And if you have read: http://www.informit.com/articles/article.aspx?p=1829415&seqNum=16
I have all files: .plist, .html, .ipa in the same folder
Then I don't know what is the issue and would suggest you to distribute it from your working server.
Developed my first iPhone app for internal use and it should be distributed internally.
I am able to successfully install it on to the device when I code sign the build with my developer profile. But not able to install the same app(.ipa) using iTunes when code sign the build with App store distribution profile. I am getting the following error.
Oct 1 15:52:32 unknown installd[462] <Error>: profile not valid: 0xe8008012
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 install_embedded_profile: Could not install embedded profile: -402620398
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 verify_signer_identity: Could not copy validate signature: -402620395
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 preflight_application_install: Could not verify executable at /var/tmp/install_staging.1JP9zU/foo_extracted/Payload/mi-ios.app
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 install_application: Could not preflight application install
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 handle_install: API failed
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 send_message: failed to send mach message of 71 bytes: 10000003
Oct 1 15:52:32 unknown installd[462] <Error>: 001d7000 send_error: Could not send error response to client
I made sure the distribution profile is valid(have private key and certificate installed on my mac).
I am not sure what i am missing here. I followed every step given at iOS dev center. Any help would be appreciated.
The App Store profile is, as its name implies, for use only when distributing via the App Store. It exists for signing your app for distribution via the App Store and can't be used for any other purpose. Unless you install an app that has been signed by it via the App Store it will, quite correctly, fail.
If you want to distribute an app for internal use to a few devices and for a relatively short period, you should use an ad hoc profile; if to a lot if users for an extended period, you need to register as a corporate developer and follow a different process.