Other question show how you can sign an already signed IPA, like this, or this. Specially this part is what interests me:
/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
Once I have the re-signed ipa, how can I see/know that in fact the IPA I currently have has been signed by "iPhone Distribution: Certificate Name"?
codesign -d -vvvv /path/to/The.app
-d for displaying signature info, lots of vs for lots of verbosity.
I don't know if its the best way. By using Terminal you can browse the contents of signed ipa file. Change the extension to zip and extract it. Then try browsing to following path >Payload/AppName.app/embedded.mobileprovision.
You can copy the embedded.mobileprovision to some other location and open in text editor to see the details.
To my knowledge, 'codesign' do not have any option to actually check that the resigning of the app is ok.
Actually, it can go wrong for many reasons (entitlements, provisioning, id mismatch ...).
The only way to check is to install the IPA (via Xcode, iPhone Configurator or iTunes if no other choice) on a device and see if the app launches.
Related
I am developing an IOS app for a client. My client would like to publish the app on their private Enterprise App Store which is provided by MobileIron. However, I will not disclose the source code to my client. Is anyone familiar to MobileIron? Can my client publish the app on their Enterprise App Store if only an api file is provided? How to achieve it? Thank you!
Path of least resistance:
ask them for an invitation as a member of their Enterprise portal
archive and sign the app with a development cert & provisioning profile out of that portal
send them the .xcarchive file out of Organizer
they can then pop open the .xcarchive file in XCode, won't see the code, and can re-sign with their Enterprise cert and profile
The other answer will work but it's a pain in the neck compared to the above.
To resign an existing IPA do following steps in the terminal:
rm -rf Payload/<yourapp>.app/_CodeSignature/
cp <a valid and made for your bundle>.mobileprovision Payload/<yourapp>.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: <company>" --resource-rules Payload/<yourapp>.app/ResourceRules.plist Payload/<yourapp>.app
zip -r render3d.ipa Payload
Then remove the app from the device with Xcode
and drag the new ipa into xcode onto the device
EDIT:
see also:
Re-sign IPA (iPhone) and
How to re-sign the ipa file?
I tried to resign one IPA file (Project is build under HTML 5) using this following scripts,
unzip application.ipa
rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null | true
cp "/Users/playdom/Desktop/BA/Code/Profiles/something.mobileprovision" "Payload/Application.app/embedded.mobileprovision"
/usr/bin/codesign -f -s "iPhone Distribution: something" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"
zip -qr "Application.test.ipa" Payload
=========================
And it changes the sign and I can install the Build at my device. But the problem is whenever I tried to start my application it shows the splash screen and crash!!! I checked the IPA with default Profile (I wanted to change...) and it works ok. That means the problem is in the resign process!!!
I tried check the Xcode/Organizer/Console and saw it shows entitlement issue!!. I followed the same script and process with other IPA (Build under Obj C) it works fine. I don't understand what is the issue? Do I need to change the info.plist, Bundle identifier? I tried that but after that it don't even install!!. Any body has any idea?
I don't know how that's supposed to work. You can't run a build that's signed for the App Store distribution on a device. I always take my App Store builds and re-sign them with a development provisioning profile to test them on a device.
I want to build a single window Mac application, which can be used to codesign iOS applications without using XCode.
Many of our clients use "Enterprise License" to distribute their apps. Each year they need to be resigned and its a repetitive work. Their requirements are following
Apps make use of APNS
They don't want to share their Enterprise License
Bundle identifier should be replaceable while signing with their certificate
They have certificates with same name in Keychain
Userinterface has the following fields
Path to the *.ipa file
Path to the *.mobileprovision file
Keychain name (optional incase more than one certificate with same name exists)
Name of the certificate (iPhone Developer : .....)
I was able to codesign application, but APNS is not working after resigning. Or is it not possible to resign applications making use of bundleIdentifier?
And also I would like to add a feature of drop down list of certificates available in Keychain for improved useability. Any pointers would be great help
To enable push notifications, the app ID and provisioning profile will need to have that configured and allowed by Apple (through the portal). You can't enable it for arbitrary provisioning profiles/apps just by resigning.
During codesigning, the entitlements need to have the apns-environment key set to sandbox/production depending on what the app uses. This will then be verified at runtime by iOS. If you are using a third-party signing tool, it should take the apns-environment value from the provisioning profile.
For debugging, you can look at the entitlements for a .app with this command:
codesign -d --requirements - --entitlements - path/to/My.app
You should see an apns-environment value, but only if the provisioning profile had that enabled.
Just spent several hours researching this same issue and discovered the following process. Taking Mike's comments one step further, providing the following command line for others running into the same issue.
I am starting with an xcode release build using a bundle id that has been configured for production push notification.
From the terminal window run the following commands - replacing the "CAPITAL SECTIONS" with your info
codesign -d --entitlements -"NAME OF APP.app" > entitlements.plist
codesign -f -s "SIGNING CERTIFICATE NAME" --resource-rules "NAME OF APP.app/ResourceRules.plist" --entitlements entitlements.plist "NAME OF APP.app"
Hope this helps the next person struggling with this same issue
I have a problem with creating IPA files and TestFlight is showing me this reason.
http://help.testflightapp.com/customer/portal/articles/402843-mismatched-keychain-access-groups
I get a mismatch with keychain access groups but it takes a while to upload the IPA file to TestFlight before it can tell me the file is not valid. I'd like to test the file before I even upload it. I would also like to know how to get information abou the IPA file so that I can diagnose and fix the problem. I have no idea how it is failing since I am using the same Code Signing Identity in the Debug/Release builds as well as signing the IPA from the Archive. I have no idea what is wrong or how to fix it.
Any help is appreciated.
If your Distribution Provisioning profile bundle identifier matches your App's bundle identifier (eg your bundle id is com.mycompany.appname and your App's bundle id has at least com.mycompany.* then you shouldn't run into this error.
Another way to check validity feedback in Xcode 4.3 is to archive the app, and hit the Validate button in the Archives section of your Organizer. (Note that it won't allow you to to validate and gives a 'No application records found' error until you've created an App ID in your iTunes Connect account, and followed the steps until you've set it to "Waiting for Upload ". Don't worry if you're not ready to upload to the store yet, you can still validate without uploading anything.)
Go to terminal and use it like below
/Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Support/altool -v -f APP.ipa -u itunesconnect#user.com -p password
You can use the altool that comes with Xcode
cd /Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/Frameworks/ITunesSoftwareService.framework/Versions/A/Support/
./altool --validate-app -f <'ipaFile'>
You can use the command to extract entitlements info from the signed application:
codesign -d --entitlements
Then try to compare it with the Entitlements part of provision profile. If they dont match there must be some problem with your signing process.
We are enrolled in the iOS Enterprise Program. The provisioning profile used for our released apps is about to expire, so I got a new certificate and provisioning profile.
I need to re-distribute some of our apps with the new provisioning profile, without building them anew. How?
(I vaguely remember seeing a utility program that did exactly this: You choose an IPA and a provisioning profile, and it would create a new IPA using the new profile and certificate. What was the tool’s name, and where can I get it?)
In theory whoever built the last IPA in XCode should have used Archive - this creates a build you can sign to create an IPA (using XCode).
You could also try using the command line signing tool XCRun to re-sign the App bundled in your existing IPA:
http://skabber.com/package-your-ios-application-with-xcrun
OK, turns out when you know what term to google, there‘s lots of excellent resources…
They all point to xcrun. I made it work with this shell snippet, adapted from this promising build script:
APP_FILENAME=MyApp.app
BUILD_DIRECTORY=/Path/To/Target/Dir
IPA_FILENAME=MyApp.ipa
DISTRIBUTION_CERTIFICATE='iPhone Distribution'
PROVISIONING_PROFILE_PATH='/Path/To/Profile.mobileprovision'
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "$APP_FILENAME" -o "$BUILD_DIRECTORY/$IPA_FILENAME" --sign "$DISTRIBUTION_CERTIFICATE" --embed "$PROVISIONING_PROFILE_PATH"
The codesign command-line utility, included with the iOS SDK tools, will allow adding/changing the certificate and provision with which a developer built app is signed.
As hotpaw2's anwaswer states. You can also resign using the codesign tool.
The way I do it (this may not be the most efficient, but it works)
Rename the .ipa to a .zip and extract
Run The following:
/usr/bin/codesign -f -s "iPhone Distribution: Company Name" "Payload/MyApp.app"
Re-zip the Payload folder and rename to .ipa
Note: You can also use this method to edit the embedded.mobileprovisioning file! Just remember to remove the .DS_Store (rm Payload/.DS_Store) if you are using finder.
You can do manual way if you just resigning app from same account with following steps.
All this is using shell script and super easy provided you know how to use shell commands.
Rename IPA to zip
unzip this file to temp folder
Remove the old _CodeSignature folder from all targets (if you have multiple targets like main,watch, watch extn, siri, widget, message, etc)
bring all the targets prov-profiles in one folder and replace all the embedded.provisioningprofile files for each target with the new ones
remove the archived....xccent file as this is old one (optional)
code sign with the entitlements.plist created for all the entitlements if any used by the app.
Zip the folder back after code sign all okay with no errors
Rename the zip to IPA
Note: To validate the IPA before upload to apple you can just use the altool from inbuild XCode App Loader to check the new IPA.
Reference: The steps for commands is also explained here:
http://www.enterpriseios.com/forum/topic/Resigning_3rd_party_apps
If you want to get rid of manual sign use the fastlane tool as its quite simple and easy to configure.https://fastlane.tools/