Resign iOS App (ipa) for distribution - ios

I've successfully re-signed my app. However, there are still some open questions. These are the steps I did to re-sign the app:
I downloaded the appropriate provision profile from the apple member center.
I unzipped the ipa file: unzip {AppName}.ipa
Removed the old signature: rm -rf Payload/{AppName}.app/_CodeSignature/
Copied the new provisioning profile into the App:
cp new.mobileprovision Payload/{AppName}.app/embedded.mobileprovision
Resign the App: codesign -f -s "iPhone Distribution: {CertificateName}" --entitlements Entitlements.plist Payload/{AppName}.app/
Repack the App: zip -qr resigned.ipa Payload
I've looked up the {CertificateName} from my Keychain under My Certificates. To get the entitlements.plist I used the following command:
codesign -d --entitlements :entitlements.plist Payload/{AppName}.app/
Now the open questions are:
Can I use this to re-sign an app and upload it to the App Store? Is there anyone who actually did it this way successfully?
I have another folder besides Payload which is called Symbols. I suspect that this was added when the ipa was created for the App Store. Do I need to repack it this way then: zip -qr resigned.ipa Payload Symbols to ensure that the Symbols are also within the app?
Within the Entitlements there is a part keychain-access-groups. Is this only relevant if I would use the keychain? Can I use the following value for it: {Prefix}.* or should it be more explicit?
Thank you in advance for any help!

Take a look at this, it does most of the work for you when you upload your app: FastLane

Related

Is entitlement.plist file required while re-signing a development IPA with distribution certificate and profile of same account?

In my organization, the distribution certificate and app store provisioning profile are located and installed on a Mac machine present inside a Lab environment to which only a lab manager has access to.
For me to upload an app's IPA to app store, I need to archive a development IPA (using dev cert and profile in Release configuration mode) on my local Mac and then send across this IPA to the lab manager.
The lab manager uses a python re-signing script to re-sign the IPA on the lab Mac.
Do I also need to explicitly send an entitlements.plist file along with the IPA? My app does not use any capabilities as of now, not even Push Notifications. All Capabilities in Xcode are Off, and on the developer portal the app identifier also has Game Center and In-House Purchase checked by default under the Capabilities.
I am assuming since it is the same Apple account using which lab manager will be re-signing the IPA and the app store profile present on the lab Mac contains its own entitlements, I do not need to send an explicit entitlements.plist file. Also, I assume the app will not get rejected in review.
Are these assumptions correct? Thanks in advance.
You can not magically attach an entitlements file during export; it has to be there during archiving. But you do not find out whether you got it "right" (in Apple's eyes) until distribution time.
So a situation where archiving happens in one place and exporting happens in another is not going to be a happy one.
I would describe this entire situation as unacceptable. I have had many occasions, just working on my own machine, where I was able to archive but then unable to upload to the app store or TestFlight because of an entitlements issue. And often there was no "real" issue: I just needed to do a bunch of goat sacrifices and fooling around with the settings (e.g. turn entitlements on and off). The point is, you don't know there's an issue until you export — and then to find out whether you fixed it you have to build / archive again.
1) An entitlements plist can be given while re-signing an ipa like below, but this is optional.
codesign --entitlements entitlements.xml -f -s "IDENTITY" Payload/<app_name>.app
Please refer to: How do I resign app with entitlements?
2) To resign an ipa, you can follow below procedure (without giving Entitlement).
Requisites:
Distribution profile
Distribution certificate
Assuming Distribution profile stored in Desktop ~/Desktop/AdHoc.mobileprovision
Procedure :
1) unzip ipa using following command,
unzip app.ipa
2) When you unzip it, you will have as output a directory called "Payload".
3) remove _CodeSignature file from unzipped folder “Payload” as below
rm -rf Payload/MyApp.app/_CodeSignature/
4) Rename distribution profile which is stored in Desktop to embedded.mobileprovision
5) Copy distribution profile(embedded.mobileprovision from Desktop) to Payload/.app
cp ~/Desktop/AdHoc.mobileprovision Payload/MyApp.app/embedded.mobileprovision
6) Resign using below commands,
codesign -f -s "IDENTITY" --resource-rules Payload/MyApp.app/ResourceRules.plist Payload/MyApp.app
7) Zip payload to form an ipa as below
zip -qr <app_name>.ipa Payload/

Resigned ipa do not install on ios devices

My organization has a developer account (not enterprise) and has added me as a "team member" to the organization's team account and shared the developer certificate and development provisioning profile (includes 1 device). Using those, I could develop an app, archive it and create an IPA from Xcode (selected method of distribution as "Development") and export it to a folder on disk. When exported, I have the following files created on my disk:
DistributionSummary.plist
ExportOptions.plist
manifest.plist
Packaging.log
app.ipa
The admin of my organization wants to re-sign this ipa to distribute to the App Store and followed all the steps mentioned below, with the distribution certificate and dist. provisioning profile (App Store). The re-signed ipa is then distributed (OTA) to users and it will not install on their phones.
I followed the below steps to re-sign our ipa
unzip the app
unzip -q *.ipa
Remove the old signature
rm -rf Payload/*.app/_CodeSignature/
Replace embedded provisioning profile
cp "XXXXXXXXXX_distribution.mobileprovision" Payload/*.app/embedded.mobileprovision
Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
Re-sign embedded frameworks
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/*.app/Frameworks/*
Re-sign the app (with entitlements)
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/*.app/
Zip re-signed app
zip -qr resigned.ipa Payload
Cleanup
rm entitlements.plist
rm -r Payload/
Can I re-sign an app from a developer to distribute to app store? Can somebody tell me where I am going wrong? Any help is greatly appreciated.
Note: I'm answering what you're saying in the comments
[Update] I received an email from Apple with the following issue to be fixed: "Invalid Swift Support - The SwiftSupport folder is missing. Rebuild your app using the current public (GM) version of Xcode and resubmit it." Can anyone help me here?
I can't do it directly on comments as I don't have enough reputation.
When you unzip the .ipa the first time, you should see at least four folders: one is the Payload (where you do all the signing operations, and changes regarding configuration), Symbols, BCSymbolMaps and a SwiftSupport folder. When you do the zip you have to add also the SwiftSupport folder to the .ipa:
zip -qr yourNewApp.ipa Payload/ SwiftSupport/
After doing this, you upload through Application Loader or you can validate your .ipa running this:
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f yourNewApp.ipa -u yourItunesConnectUser@mail.com
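A repack check for the point made in the answer above, as an added example that is not part of the original posts: it compares the original IPA with the re-signed one and reports top-level folders (such as SwiftSupport or Symbols) that the zip step left out, and a bundle that was zipped without a fresh signature or profile. The function names and the sample file list are constructed for illustration.

```python
import io
import re
import zipfile

def top_level(names):
    """Top-level directory names of a zip listing (Payload, SwiftSupport, ...)."""
    return {n.split("/", 1)[0] for n in names if "/" in n}

def repack_findings(original: bytes, resigned: bytes) -> list:
    """Compare an original IPA with its re-signed copy (both given as zip bytes)."""
    old = zipfile.ZipFile(io.BytesIO(original)).namelist()
    new = zipfile.ZipFile(io.BytesIO(resigned)).namelist()
    findings = [f"top-level folder dropped: {d}/"
                for d in sorted(top_level(old) - top_level(new))]
    # After codesign has run, the bundle must again contain these two files.
    for required in ("_CodeSignature/CodeResources", "embedded.mobileprovision"):
        pattern = re.compile(r"^Payload/[^/]+\.app/" + re.escape(required) + "$")
        if not any(pattern.match(n) for n in new):
            findings.append(f"missing from app bundle: {required}")
    return findings

def make_zip(names) -> bytes:
    """Build an in-memory zip with empty files (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"")
    return buf.getvalue()

# Constructed sample listing of an App Store export.
ORIGINAL_NAMES = [
    "Payload/MyApp.app/MyApp",
    "Payload/MyApp.app/_CodeSignature/CodeResources",
    "Payload/MyApp.app/embedded.mobileprovision",
    "SwiftSupport/iphoneos/libswiftCore.dylib",
    "Symbols/EXAMPLE.symbols",
]

if __name__ == "__main__":
    original = make_zip(ORIGINAL_NAMES)
    payload_only = make_zip([n for n in ORIGINAL_NAMES if n.startswith("Payload/")])
    for finding in repack_findings(original, payload_only):
        print(finding)
```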

Publishing iOS app on client's Enterprise App Store without source code

I am developing an iOS app for a client. My client would like to publish the app on their private Enterprise App Store which is provided by MobileIron. However, I will not disclose the source code to my client. Is anyone familiar with MobileIron? Can my client publish the app on their Enterprise App Store if only an api file is provided? How to achieve it? Thank you!
Path of least resistance:
ask them for an invitation as a member of their Enterprise portal
archive and sign the app with a development cert & provisioning profile out of that portal
send them the .xcarchive file out of Organizer
they can then pop open the .xcarchive file in Xcode, won't see the code, and can re-sign with their Enterprise cert and profile
The other answer will work but it's a pain in the neck compared to the above.
To re-sign an existing IPA, do the following steps in the terminal:
rm -rf Payload/<yourapp>.app/_CodeSignature/
cp <a valid and made for your bundle>.mobileprovision Payload/<yourapp>.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: <company>" --resource-rules Payload/<yourapp>.app/ResourceRules.plist Payload/<yourapp>.app
zip -r render3d.ipa Payload
Then remove the app from the device with Xcode
and drag the new ipa into xcode onto the device
EDIT:
see also:
Re-sign IPA (iPhone) and
How to re-sign the ipa file?

Need to re-sign the IPA file with my ad hoc profile

I tried to re-sign one IPA file (the project is built with HTML 5) using the following script:
unzip application.ipa
rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null | true
cp "/Users/playdom/Desktop/BA/Code/Profiles/something.mobileprovision" "Payload/Application.app/embedded.mobileprovision"
/usr/bin/codesign -f -s "iPhone Distribution: something" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
zip -qr "Application.test.ipa" Payload
=========================
And it changes the signature and I can install the build on my device. But the problem is that whenever I try to start my application, it shows the splash screen and crashes!!! I checked the IPA with the default profile (I wanted to change...) and it works OK. That means the problem is in the re-sign process!!!
I tried checking the Xcode/Organizer/Console and saw that it shows an entitlement issue!! I followed the same script and process with another IPA (built with Obj C) and it works fine. I don't understand what the issue is. Do I need to change the Info.plist or the bundle identifier? I tried that, but after that it doesn't even install!! Does anybody have any idea?
I don't know how that's supposed to work. You can't run a build that's signed for the App Store distribution on a device. I always take my App Store builds and re-sign them with a development provisioning profile to test them on a device.

Name of the Certificate/Authority who signed IPA [iOS]

Other questions show how you can sign an already signed IPA, like this, or this. Especially this part is what interests me:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
Once I have the re-signed ipa, how can I see/know that in fact the IPA I currently have has been signed by "iPhone Distribution: Certificate Name"?
codesign -d -vvvv /path/to/The.app
-d for displaying signature info, lots of vs for lots of verbosity.
I don't know if it's the best way. By using Terminal you can browse the contents of a signed ipa file. Change the extension to zip and extract it. Then try browsing to the following path: Payload/AppName.app/embedded.mobileprovision.
You can copy the embedded.mobileprovision to some other location and open in text editor to see the details.
To my knowledge, 'codesign' does not have any option to actually check that the re-signing of the app is OK.
Actually, it can go wrong for many reasons (entitlements, provisioning, id mismatch ...).
The only way to check is to install the IPA (via Xcode, iPhone Configurator or iTunes if no other choice) on a device and see if the app launches.
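Instead of opening embedded.mobileprovision in a text editor as suggested above, the profile can be read and compared with the entitlements used for signing (the keychain-access-groups question in the first thread). This is an added example, not code from any of the posts: it does not verify the profile's CMS signature, the profile-type classification is the commonly used heuristic, flagging every key absent from the profile is a simplification, and all identifiers in the sample are constructed.

```python
import plistlib

def read_profile(blob: bytes) -> dict:
    """Return the plist payload of a .mobileprovision (CMS signature NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_kind(profile: dict) -> str:
    """Classify by the usual convention (a heuristic, not an Apple API)."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        debug = profile.get("Entitlements", {}).get("get-task-allow")
        return "development" if debug else "ad-hoc"
    return "app-store"

def allowed(requested, granted) -> bool:
    """True if the requested value is covered; a trailing '*' matches a prefix."""
    if isinstance(requested, list):
        return all(allowed(r, granted) for r in requested)
    if isinstance(granted, list):
        return any(allowed(requested, g) for g in granted)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(requested, str) and requested.startswith(granted[:-1])
    return requested == granted

def entitlement_problems(app_ent: dict, profile: dict) -> list:
    # Every entitlement the app is signed with is checked against the profile.
    granted = profile.get("Entitlements", {})
    problems = []
    for key, value in app_ent.items():
        if key not in granted:
            problems.append(f"{key}: not present in profile")
        elif not allowed(value, granted[key]):
            problems.append(f"{key}: {value!r} not covered by {granted[key]!r}")
    return problems

# Constructed sample profile blob and constructed app entitlements (old prefix).
SAMPLE = b"\x30\x82\x00\x00" + plistlib.dumps({"Name": "Example App Store",
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.app",
                     "keychain-access-groups": ["ABCDE12345.*"],
                     "get-task-allow": False}}) + b"\x00\x00"
APP_ENT = {"application-identifier": "ABCDE12345.com.example.app",
           "keychain-access-groups": ["OLDTEAM999.com.example.app"],
           "get-task-allow": True}

if __name__ == "__main__":
    profile = read_profile(SAMPLE)
    print(profile_kind(profile), entitlement_problems(APP_ENT, profile))
```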
