Develop Reference

Resigned ipa do not install on ios devices

My organization has developer account (not enterprise) and have added me as a "team member" to the organizations team account and shared the developer certificate and development provisioning profile(includes 1 device). Using those, I could develop an app, archive and created an IPA from XCode (selected method of distribution as "Development") and exported to a folder on disk. When exported I have the following files created on my disk
DistributionSummary.plist
ExportOptiona.plist
manifest.pList
Packaging.log
app.ipa
The admin of my organization wants to resign this ipa to distribute to app store and followed all the steps mentioned below, with distribution certificate and dist. provisioning profile (app store). The resigned ipa is then distributed(OTA) to users and it will not install on their phones.
I followed the below steps to re-sign our ipa
unzip the app
unzip -q *.ipa
Remove the old signature
rm -rf Payload/*.app/_CodeSignature/
Replace embedded provisioning profile
cp "XXXXXXXXXX_distribution.mobileprovision" Payload/*.app/embedded.mobileprovision
Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
Re-sign embedded frameworks
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/.app/Frameworks/
Re-sign the app (with entitlements)
codesign -f -s "iPhone Distribution: Certificate Name. (ABC44343XZ)" --entitlements entitlements.plist Payload/*.app/
Zip re-signed app
zip -qr resigned.ipa Payload
Cleanup
rm entitlements.plist
rm -r Payload/
Can I re-sign an app from a developer to distribute to app store? Can somebody tell me where I am going wrong? Any help is greatly appreciated.

Note: I'm answering what you're saying in the comments
[Update] I received an email from apple with the following issue to be fixed "Invalid Swift Support - The SwiftSupport folder is missing. Rebuild your app using the current public (GM) version of Xcode and resubmit it." Can anyone help me here?
I can't do it directly on comments as I don't have enough reputation.
When you unzip the .ipa the first time, you should see at least four folders: one is the Payload (where you do all the signing operations, and changes regarding configuration), Symbols, BCSymbolMaps and a SwiftSupport folder. When you do the zip you have to add also the SwiftSupport folder to the .ipa:
zip -qr yourNewApp.ipa Payload/ SwiftSupport/
After doing this, you upload through Application Loader or you can validate your .ipa running this:
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f yourNewApp.ipa -u yourItunesConnectUser#mail.com

Resigning an iOS app (.monotouch-32 symlink)

I'm attempting to resign an app with a new provisioning profile. My generic steps are:
unzip *.ipa
rm *.app/_CodeSignature
cp Payload/*.app/embedded.mobileprovision
codesign -f -s "Cert" --entitlements entitlements.plist Payload/*.app
zip -r Resigned.ipa Payload
When I verify the app with verbose output I receive the message
A sealed resource is missing or invalid
This is followed by a list of .dll files in the .monotouch-32 folder with a message such as:
"file modified: /foo/bar/Payload/foo.app/.monotouch-32/Xamarin.Forms.Core.dll".
When I inspect the listed dll's, they are all .symlink's to their .monotouch-64 counterpart. Any specific .monotouch-32 file is not listed as modified.
Any ideas how I can get around this issue?

It might not be your only issue but zip requires the use of -y for symlinks.
If that does not help then please edit your question to add the commands (and their outputs) used to sign and verify. You should also compare the .ipa (.zip) before and after.

Hi I was facing similar issue. For Xamarin related ipa's its always better o resign the Monotouch and .dll files separately.Please check below command for same
sudo codesign -f -s "iPhone Distribution: abcd" --entitlements
entitlements.plist Payload/myApp.app/.monotouch-32/*.dll
Same for Monotouch-64
sudo codesign -f -s "iPhone Distribution: abcd" --entitlements
entitlements.plist Payload/myApp.app/.monotouch-64/*.dll
By executing the above commands all the files inside the Payload file will get resigned properly

ipa file does not contain a provisioning profile

I am facing an issue in Re signing of IPA file. My requirement is to rename the app and resign it with new provisioning profile and certificate. So i have changed the "CFBundleIdentifier" to the new app name. Then I followed the below steps to re sign the IPA file.
extract the IPA file:unzip Myapp.ipa
remove existing code signature:
rm -r "Payload/MyApp Mobile.app/_CodeSignature" "Payload/MyApp Mobile.app/CodeResources" 2> /dev/null | true
replace the existing Provisioning Profile:
cp "MyEnterprise.mobileprovision" "Payload/MyApp Mobile.app/embedded.mobileprovision"
re-sign the executable:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/MyApp Mobile.app/ResourceRules.plist" "Payload/MyApp Mobile.app"
re-package the IPA file for distribution:
zip -qr "MyApp.resigned.ipa" Payload
I am just re signing this IPA with the new Provisioning profile and the certificate which i have received from my vendor. I have followed the steps and resigned the app. While installing in Mobile Iron it is giving error as "ipa file does not contain provisioning profile". But i can see that my new provisioning profile is inside the IPA file.
Please anyone tell what could be the issue. I am new to this Apple app.

I think your device UDID is not added in your provisioning profile.Most probably this error comes at this point.The following link can help you-
A valid provisioning profile for this executable was not found for debug mode

Archive & Distribute iOS app to App Store via command line

Normally when submitting an iOS app to the App Store I do Product -> Archive from Xcode and then choose distribute to the App Store. I can successfully archive a build with:
xcodebuild -scheme "myScheme" archive -archivePath /my/path/myArchive
but how do I do the signing process with the correct provisioning profile and also distribute via command line?
For ad hoc builds, I generate my ipa after archiving with:
xcodebuild -exportArchive -exportFormat IPA -archivePath myArchive.xcarchive -exportPath /my/path/myFile.ipa -exportProvisioningProfile 'my adhoc profile name'
But do I even need to generate an ipa when distributing to the app store? Either way, how do I do the signing with correct profile and distributing via command line?

See update for Xcode 8 at bottom of answer.
To answer the last part of the question first - Yes an App Store Provisioning Profile is needed to submit your app through iTunes connect. It will not pass the preverification steps unless it has a correct provisioning profile. You will need to create an App Store distribution profile in the Member Centre
Select "App Store" and click on continue
The first part of the question is a little more difficult, as creating, signing and distributing archives and IPA files using command line tools is poorly documented. Implementing a scripted solution is full of pitfalls because tools don't behave as expected under some circumstances and a more detailed knowledge of the relationship between your developer account, your keychain, the signing certs and the provisioning profiles is required.
Here is a sample of a script that can be used to create an archive with an embedded Ad Hoc provisioning profile, create an IPA for Ad Hoc distribution. As a bonus the DSYMs zip file is created for upload to TestFlight. Then two more scripts are presented. The first will create an App Store version of the IPA from the existing xcarchive, the second will show how to modify an xcarchive so it can be resigned by a third party for Enterprise In House distribution.
This automated build script assumes that the Provisioning Profiles are available in a directory called ProvisioningProfiles checked in with the source code. It is also assumes the password to unlock the keychain holding the signing cert is stored in a protected file in the build users home directory.
#!/bin/sh
# SETME
# set to name of signing certification usually starts something like "iPhone Distribution: ...."
# (the associated private key must be available in the key store)
#
# use the command "security find-identity" to list all the possible values available
#
codeSignIdentity="iPhone Distribution"
# SETME
# set to location of Ad Hoc provisioning profile
# (this profile must have the codeSignIdentity specified above included in it)
#
provisioningProfile=ProvisioningProfiles/MyAppAdHocDistribution.mobileprovision
# The keychain needs to be unlocked for signing, which requires the keychain
# password. This is stored in a file in the build account only accessible to
# the build account user
if [ ! -f $HOME/.pass ] ; then
echo "no keychain password file available"
exit 1
fi
case `stat -L -f "%p" $HOME/.pass`
in
*400) ;;
*)
echo "keychain password file permissions are not restrictive enough"
echo "chmod 400 $HOME/.pass"
exit 1
;;
esac
#
# turn off tracing if it is on for security command
# to prevent logging of password
#
case `set -o | grep xtrace`
in
*on) xon=yes ;;
*) xon=no ;;
esac
#
# unlock the keychain, automatically lock keychain on script exit
#
[ $xon == yes ] && set +x
security unlock-keychain -p `cat $HOME/.pass` $HOME/Library/Keychains/login.keychain
[ $xon == yes ] && set -x
trap "security lock-keychain $HOME/Library/Keychains/login.keychain" EXIT
#
# Extract the profile UUID from the checked in Provisioning Profile.
#
uuid=`/usr/libexec/plistbuddy -c Print:UUID /dev/stdin <<< \
\`security cms -D -i $provisioningProfile\``
#
# Copy the profile to the location XCode expects to find it and start the build,
# specifying which profile and signing identity to use for the archived app
#
cp -f $provisioningProfile \
"$HOME/Library/MobileDevice/Provisioning Profiles/$uuid.mobileprovision"
#
# Build the xcarchive - this will only be done once, will will then
# distribute it for Ad Hoc, App Store and Enterprise In House scenarios
# (profile must be specified by UUID for this step)
#
xcodebuild \
-workspace MyApp.xcworkspace \
-scheme MyApp \
-archivePath build/MyApp.xcarchive \
archive \
PROVISIONING_PROFILE="$uuid" \
CODE_SIGN_IDENTITY="$codeSignIdentity"
#
# Create a zip of the DSYMs for TestFlight
#
/usr/bin/zip -r MyApp.dSYM.zip build/MyApp.xcarchive/dSYMs/MyApp.app.dSYM
#
# now distribute the xcarchive using an Ad Hoc profile
# (for QA testing for example)
#
profileName=`/usr/libexec/plistbuddy -c Print:Name /dev/stdin <<< \
\`security cms -D -i $provisioningProfile\``
#
# The profile must be specified by name for this step
#
xcodebuild \
-exportArchive \
-exportFormat IPA \
-archivePath build/MyApp.xcarchive \
-exportPath MyAppForAdHoc.ipa \
-exportProvisioningProfile "$profileName"
To redistribute the xcarchive with the App Store Distribution profile, re-export the xcarchive with a new profile (the signing identity is the same for both the Ad Hoc and the App Store profiles).
# SETME
# set to location of App Store provisioning profile
#
appStoreProvisioningProfile=ProvisioningProfiles/MyAppAppStoreDistribution.mobileprovision
#
# Extract the App Store profile UUID from the checked in Provisioning Profile.
#
uuid=`/usr/libexec/plistbuddy -c Print:UUID /dev/stdin <<< \
\`security cms -D -i $appStoreProvisioningProfile\``
#
# Copy the profile to the location XCode expects to find it and start the export,
# specifying which profile to use for the archived app
# (Profile must match with signing identity used to create xcarchive)
#
cp -f $appStoreProvisioningProfile \
"$HOME/Library/MobileDevice/Provisioning Profiles/$uuid.mobileprovision"
#
# Extract the enterprise profile name from the checked in App Store Provisioning Profile.
# and redistribute the xcarchive as an App Store ready IPA
#
profileName=`/usr/libexec/plistbuddy -c Print:Name /dev/stdin <<< \
\`security cms -D -i $appStoreProvisioningProfile\``
#
# Profile must be specified by name for this step
#
xcodebuild \
-exportArchive \
-exportFormat IPA \
-archivePath build/MyApp.xcarchive \
-exportPath MyAppForStore.ipa \
-exportProvisioningProfile "$profileName"
Finally just to be complete, what if you want to resign the xcarchive with a new identity and provisioning profile? This might happen if you distribute xcarchives for in-house distribution to third party companies. The recipient needs to sign your xcarchive for distribution using their enterprise certificate. xcodebuild cannot be coerced into overwriting the existing code signature in the xcarchive, therefore codesign must be used directly.
# SETME
# set to name of enterprise signing certification usually starts something like
# "iPhone Distribution: ...."
#
# use the command "security find-identity" to list all the possible values available
#
enterpriseCodeSignIdentity="iPhone Distribution: Acme Ltd"
# SETME
# set to location of Enterprise In-House provisioning profile
# (this profile must be associated with the enterprise code signing identity)
#
enterpriseProvisioningProfile=ProvisioningProfiles/MyAppInHouseDistribution.mobileprovision
# SETME
# A resigning of the app with a different certificate requires a new bundle ID
# that is registered by the Enterprise and is included in the In-House distribution
# profile (This could be automatically extracted from the Enterprise In-House distribution
# profile, I leave that as an ETTR)
enterpriseBundleId="com.enterprise.myapp"
#
# Extract the enterprise profile UUID from the checked in Provisioning Profile.
#
euuid=`/usr/libexec/plistbuddy -c Print:UUID /dev/stdin <<< \
\`security cms -D -i $enterpriseProvisioningProfile\``
#
# Copy the profile to the location XCode expects to find it and start the build,
# specifying which profile and signing identity to use for the archived app
#
cp -f $enterpriseProvisioningProfile \
"$HOME/Library/MobileDevice/Provisioning Profiles/$euuid.mobileprovision"
#
# Copy, modify and resign the xcarchive ready for Enterprise deployment
# (has to be resigned as the production certificate is different for enterprise)
#
cp -Rp build/MyApp.xcarchive build/MyAppEnterprise.xcarchive
#
# Remove old code signature
#
rm -rf build/MyAppEnterprise.xcarchive/Products/Applications/MyApp.app/_CodeSignature
#
# copy in the enterprise provisioning profile
#
cp $enterpriseProvisioningProfile \
build/MyAppEnterprise.xcarchive/Products/Applications/MyApp.app/embedded.mobileprovision
#
# Modify the bundle id to that of the enterprise bundle id
#
/usr/libexec/plistbuddy -c "Set:CFBundleIdentifier $enterpriseBundleId" \
build/MyAppEnterprise.xcarchive/Products/Applications/MyApp.app/Info.plist
#
# resign the xcarchive with the enterprise code signing identity
#
/usr/bin/codesign -f -v -s $enterpriseCodeSignIdentity \
build/MyAppEnterprise.xcarchive/Products/Applications/MyApp.app
#
# Update the DSYM bundle id and create a zip of the DSYMs for TestFlight (if applicable)
#
/usr/libexec/plistbuddy -c "Set:CFBundleIdentifier com.apple.xcode.dsym.${enterpriseBundleId}" \
build/MyAppEnterprise.xcarchive/dSYMs/MyApp.app.dSYM/Contents/Info.plist
/usr/bin/zip -r MyAppEnterprise.dSYM.zip build/MyAppEnterprise.xcarchive/dSYMs/MyApp.app.dSYM
#
# Extract the enterprise profile Name from the checked in Provisioning Profile.
#
enterpriseProfileName=`/usr/libexec/plistbuddy -c Print:Name /dev/stdin <<< \
l\`security cms -D -i $enterpriseProvisioningProfile\``
#
# Profile must be specified by name for this step
#
xcodebuild \
-exportArchive \
-exportFormat IPA \
-archivePath build/MyAppEnterprise.xcarchive \
-exportPath MyAppEnterprise.ipa \
-exportProvisioningProfile "$enterpriseProfileName"
If the script is being run from as a launchd daemon, see this answer https://stackoverflow.com/a/9482707/2351246 to solve the problem with accessing the login keychain from a launchd daemon.
UPDATE for OSX Mavericks and Yosemite
On OSX Mavericks (v10.9.5) and OSX Yosemite you may see code signing errors:
Codesign check fails : ...../MyApp.app: resource envelope is obsolete
Check this posting here for the cause xcodebuild - codesign -vvvv says"resource envelope is obsolete"
To implement the change suggested by Apple Support in the referenced post, run the following command:
sudo perl -pi.bak -e 's/--verify"./--verify", "--no-strict",/ if /codesign.*origApp/;' `xcrun -sdk iphoneos -f PackageApplication`
UPDATE for Xcode8
In Xcode8, the procedure described in my previous answer no longer works with the new Automatically manage signing feature, so you will need to select manual signing to use this method.
If you wish to use automatic signing, here are some observations based on our attempts to get it working with both a IBM Jazz and a Jenkins a CI environment.
It is possible if you have one CI machine to get auto code signing working. I found you had to create and assign a developer account to the instance of Xcode on the CI machine. This was a manual step and I found no way to import a developer profile from the commandline.
If you use a distributed CI environment with multiple build machines, it just doesn't work well. First you have the issue above, you have to manually add a developer account to all instances of Xcode, and second, each of those accounts has to be a different Apple ID, otherwise you get certificate generation issues for the common build account (All machines are sharing an account which causes a collision in the developer certificate because it is tied to a specific machine).
We run a distributed Jenkins CI environment, so we stuck with manual signing, but the method of exporting IPA changed, the -exportOptionsPlist option must be used now.
Change the archiving command:
#
# Build the xcarchive - this will only be done once, will will then
# distribute it for Ad Hoc, App Store and Enterprise In House scenarios
#
xcodebuild \
-workspace MyApp.xcworkspace \
-scheme MyApp \
-archivePath build/MyApp.xcarchive \
archive
The archive is signed with the iOS Developer certificate associated with the build account (so make sure it has one installed in the keychain). Now the archive can be exported to IPA format for Ad-hoc, Enterprise and App Store using the -exportOptionsPlist option to xcodebuild.
Create a file called exportAppStore.plist with the following contents and save it in your top level project directory.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>method</key>
<string>app-store</string>
</dict>
</plist>
See the output xcodebuild -help for a complete list of keys available for the -exportOptionsPlist option.
Now modify the export archive command to use the new export options plist file
xcodebuild \
-exportArchive \
-archivePath build/MyApp.xcarchive \
-exportOptionsPlist exportAppStore.plist \
-exportPath MyAppForStore.ipa

How to re-sign the ipa file?

How do I sign the .ipa file with a provisioning profile after I generate an IPA like the following with a different provision profile? I would like to sign the IPA with an ad-hoc provisioning profile for beta testing, and then re-sign the exact IPA with an app submission provisioning profile for the app store.
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "${RELEASE_BUILDDIR}/${APPLICATION_NAME}.app" -o "${BUILD_HISTORY_DIR}/${APPLICATION_NAME}.ipa" --sign "${DEVELOPER_NAME}" --embed "${PROVISONING_PROFILE}"

It's really easy to do from the command line. I had a gist of a script for doing this. It has now been incorporated into the ipa_sign script in https://github.com/RichardBronosky/ota-tools which I use daily. If you have any questions about using these tools, don't hesitate to ask.
The heart of it is this:
CODESIGN_ALLOCATE=`xcrun --find codesign_allocate`; export CODESIGN_ALLOCATE
IPA="/path/to/file.ipa"
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in keychain
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# sign with the new certificate (--resource-rules has been deprecated OS X Yosemite (10.10), it can safely be removed)
/usr/bin/codesign -f -s "$CERTIFICATE" Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload
Your new signed app is called resigned.ipa

Check iResign for an easy tool on how to do this!
[edit] after some fudling around, I found a solution to keychain-aware resigning. You can check it out at https://gist.github.com/Weptun/5406993

Kind of old question, but with the latest XCode, codesign is easy:
$ codesign -s my_certificate example.ipa
$ codesign -vv example.ipa
example.ipa: valid on disk
example.ipa: satisfies its Designated Requirement

The answers posted here all didn't quite work for me. They mainly skipped signing embedded frameworks (or including the entitlements).
Here's what's worked for me (it assumes that one ipa file exists is in the current directory):
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in the keychain
unzip -q *.ipa
rm -rf Payload/*.app/_CodeSignature/
# Replace embedded provisioning profile
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
# Re-sign embedded frameworks
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Frameworks/*
# Re-sign the app (with entitlements)
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/
zip -qr resigned.ipa Payload
# Cleanup
rm entitlements.plist
rm -r Payload/

Fastlane's sigh provides a fairly robust solution for resigning IPAs.
From their README:
Resign
If you generated your ipa file but want to apply a different code signing onto the ipa file, you can use sigh resign:
fastlane sigh resign
sigh will find the ipa file and the provisioning profile for you if they are located in the current folder.
You can pass more information using the command line:
fastlane sigh resign ./path/app.ipa --signing_identity "iPhone Distribution: Felix Krause" -p "my.mobileprovision"
It will even handle provisioning profiles for nested applications (eg. if you have watchkit apps)

I've updated Bryan's code for my Sierra iMac:
# this version was tested OK vith macOs Sierra 10.12.5 (16F73) on oct 0th, 2017
# original ipa file must be store in current working directory
IPA="ipa-filename.ipa"
PROVISION="path-to.mobileprovision"
CERTIFICATE="hexadecimal-certificate-identifier" # must be in keychain
# identifier maybe retrieved by running: security find-identity -v -p codesigning
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# generate entitlements for current app
cd Payload/
codesign -d --entitlements - *.app > entitlements.plist
cd ..
mv Payload/entitlements.plist entitlements.plist
# sign with the new certificate and entitlements
/usr/bin/codesign -f -s "$CERTIFICATE" '--entitlements' 'entitlements.plist' Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload

Unzip the .ipa file by changing its extension with .zip
Go to Payload. You will find .app file
Right click the .app file and click Show package contents
Delete the _CodeSigned folder
Replace the embedded.mobileprovision file with the new provision profile
Go to KeyChain Access and make sure the certificate associated with the provisional profile is present
Execute the below mentioned command:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
Now zip the Payload folder again and change the .zip extension with .ipa
Hope this helpful.
For reference follow below mentioned link:
http://www.modelmetrics.com/tomgersic/codesign-re-signing-an-ipa-between-apple-accounts/

Try this app
http://www.ketzler.de/2011/01/resign-an-iphone-app-insert-new-bundle-id-and-send-to-xcode-organizer-for-upload/
It supposed to help you resign the IPA file. I tried it myself but couldn't get pass an error with Entitlements.plist. Could just be a problem with my project. You should give it a try.

I have been using https://github.com/xndrs/XReSign and it is working really well.