I tried to resign one IPA file (Project is build under HTML 5) using this following scripts,
unzip application.ipa
rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null | true
cp "/Users/playdom/Desktop/BA/Code/Profiles/something.mobileprovision" "Payload/Application.app/embedded.mobileprovision"
/usr/bin/codesign -f -s "iPhone Distribution: something" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
zip -qr "Application.test.ipa" Payload
=========================
And it changes the sign and I can install the Build at my device. But the problem is whenever I tried to start my application it shows the splash screen and crash!!! I checked the IPA with default Profile (I wanted to change...) and it works ok. That means the problem is in the resign process!!!
I tried check the Xcode/Organizer/Console and saw it shows entitlement issue!!. I followed the same script and process with other IPA (Build under Obj C) it works fine. I don't understand what is the issue? Do I need to change the info.plist, Bundle identifier? I tried that but after that it don't even install!!. Any body has any idea?
I don't know how that's supposed to work. You can't run a build that's signed for the App Store distribution on a device. I always take my App Store builds and re-sign them with a development provisioning profile to test them on a device.
Related
I am using this tutorial to install my app with Frida on an Iphone 8: https://www.secjuice.com/objection-frida-guide/
To get the duplicates out of the way:
Building and deploying via Xcode works fine
The app is deleted several times before deploying again
I've focused on doing the magic of re-signing manually, so without Frida yet, it basically comes down to these few commands, I've first archived via xcode to get an ipa file, I know that it is signed with the distribution profile, so I have also tried to get the contents of the debug build (under Products in XCode), zip that as an ipa and go from there.
Get the certificates identities:
security find-identity -p codesigning -v
Use applesign to sign the ipa:
applesign -i E3990....1881149 -m iOS_Development.mobileprovision -o patched_codesign.ipa MyApp.ipa
iOS_Development.mobileprovision is the Development provisioning profile. I've tried to use the one that is available within the debug build (embedded.mobileprovision) and downloaded from the developer portal. I've also tried to use the iOS Distribution provisioning profile in combination with the correct certificate identifier.
Unzip the re-signed ipa: unzip patched_codesign.ipa
Deploy: ios-deploy --bundle Payload/*.app -W -d
Receive the error:
2020-10-27 08:41:40.304 ios-deploy[4282:27558] [ !! ] Error 0xe800003a: The application could not be verified. AMDeviceSecureInstallApplication(0, device, url, options, install_callback, 0)
Just to clarify that I have chosen the right certificate with the correct provisioning profile:
Also used security cms -D -i some.mobileprovision to verify that the provision profile is indeed a development profile as expected.
What am I doing wrong?
In my organization, the distribution certificate and app store provisioning profile are located and installed on a Mac machine present inside a Lab environment to which only a lab manager has access to.
For me to upload an app's IPA to app store, I need to archive a development IPA (using dev cert and profile in Release configuration mode) on my local Mac and then send across this IPA to the lab manager.
The lab manager uses a python re-signing script to re-sign the IPA on the lab Mac.
Do I also need to explicitly send a entitlements.plist file along with the IPA. My app does not use any capabilities as of now, not even Push Notifications. All Capabilities in Xcode are Off and on developer portal also the app identifier has Game Center and In-House Purchase as checked by default under the Capabilities.
I am assuming since it is the same Apple account using which lab manager will be re-signing the IPA and the app store profile present on the lab Mac contains its own entitlements, I do not need to send an explicit entitlements.plist file. Also, I assume the app will not get rejected in review.
Are these assumptions correct? Thanks in advance.
You can not magically attach an entitlements file during export; it has to be there during archiving. But you do not find out whether you got it "right" (in Apple's eyes) until distribution time.
So a situation where archiving happens in one place and exporting happens in another is not going to be a happy one.
I would describe this entire situation as unacceptable. I have had many occasions, just working on my own machine, where I was able to archive but then unable to upload to the app store or TestFlight because of an entitlements issue. And often there was no "real" issue: I just needed to do a bunch of goat sacrifices and fooling around with the settings (e.g. turn entitlements on and off). The point is, you don't know there's an issue until you export — and then to find out whether you fixed it you have to build / archive again.
1) Entitlement plist can be given while resining an ipa like below but this is optional.
codesign --entitlements entitlements.xml -f -s "IDENTITY" Payload/<app_name>.app
Please refer How do I resign app with entitlements?
2) To resign an ipa, you can follow below procedure (without giving Entitlement).
Requisites:
Distribution profile
Distribution certificate
Assuming Distribution profile stored in Desktop ~/Desktop/AdHoc.mobileprovision
Procedure :
1) unzip ipa using following command,
unzip app.ipa
2) When you unzip it You will have as an output a directory called “Payload”.
3) remove _CodeSignature file from unzipped folder “Payload” as below
rm -rf Payload/MyApp.app/_CodeSignature/
4) Rename distribution profile which is stored in Desktop to embedded.mobileprovision
5) Copy distribution profile(embedded.mobileprovision from Desktop) to Payload/.app
cp ~/Desktop/AdHoc.mobileprovision Payload/MyApp.app/embedded.mobileprovision
6) Resign using below commands,
codesign -f -s “IDENTITY” --resource-rules Payload/MyApp.app/ResourceRules.plist Payload/MyApp.app
7) Zip payload to form an ipa as below
zip -qr <app_name>.ipa Payload/
I'm using the following terminal commands to re-sign an ipa: I unzip the ipa, copy in a new mobile provisioning profile, run codesign with a sign identity, and zip it back up into an ipa.
unzip -q My_App_Name.app
cp New_Mobile_Provision Payload/My_App_Name.app/embedded.mobileprovision
codesign -f -s 'my certificate' Payload/My_App_Name.app
zip -qr My_App_Name_Resigned.ipa Payload/
But when I use ios-deploy to try installing the result to an iPhone 5 (on iOS 9), it gets to 70% - verifying ipa- and fails. Anyone else seen this?
Look at files in .app directory.
There may be more than one executable, library or framework.
You need to replace all the signature of them.
I've successfully resigned my app. However there are still some open questions. These are the steps i did to resign the app:
I downloaded the appropriate provision profile from the apple member center.
I unzipped the ipa file: unzip {AppName}.ipa
Removed the old signature: rm -rf Payload/{AppName}.app/_CodeSignature/
Copied the new provisioning profile into the App:
cp new.mobileprovision Payload/{AppName}.app/embedded.mobileprovision
Resign the App: codesign -f -s "iPhone Distribution: {CertificateName}" --entitlements Entitlements.plist Payload/{AppName}.app/
Repack the App: zip -qr resigned.ipa Payload
I've looked up the {CertificateName} from the my Keychain under My Certificates. To get the entitlements.plist i used the following command:
codesign -d --entitlements :entitlements.plist Payload/{AppName}.app/
Now the open questions are:
Can i use this to resign an app and upload it to the app store? Is there anyone who actually did it this way successfully?
I have another folder besides Payload which is called Symbols. I suspect that this was added when the ipa was created for the app store. Do i need to repack it this way then: zip -qr resigned.ipa Payload Symbols to ensure that the Symbols are also within the app?
Within the Entitlements there is a part keychain-access-groups. Is this only relevant if i would use the keychain? Can i use the following value for it: {Prefix}.* or should it be more explicit?
Thank you in advance for any help!
Take a look at this, does the most of work for you when you upload your app FastLane
I have a problem with creating IPA files and TestFlight is showing me this reason.
http://help.testflightapp.com/customer/portal/articles/402843-mismatched-keychain-access-groups
I get a mismatch with keychain access groups but it takes a while to upload the IPA file to TestFlight before it can tell me the file is not valid. I'd like to test the file before I even upload it. I would also like to know how to get information abou the IPA file so that I can diagnose and fix the problem. I have no idea how it is failing since I am using the same Code Signing Identity in the Debug/Release builds as well as signing the IPA from the Archive. I have no idea what is wrong or how to fix it.
Any help is appreciated.
If your Distribution Provisioning profile bundle identifier matches your App's bundle identifier (eg your bundle id is com.mycompany.appname and your App's bundle id has at least com.mycompany.* then you shouldn't run into this error.
Another way to check validity feedback in Xcode 4.3 is to archive the app, and hit the Validate button in the Archives section of your Organizer. (Note that it won't allow you to to validate and gives a 'No application records found' error until you've created an App ID in your iTunes Connect account, and followed the steps until you've set it to "Waiting for Upload ". Don't worry if you're not ready to upload to the store yet, you can still validate without uploading anything.)
Go to terminal and use it like below
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f APP.ipa -u itunesconnect#user.com -p password
You can use the altool that comes with Xcode
cd /Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Versions/A/Support/
./altool --validate-app -f <'ipaFile'>
You can use the command to extract entitlements info from the signed application:
codesign -d --entitlements
Then try to compare it with the Entitlements part of provision profile. If they dont match there must be some problem with your signing process.