Signing iPhone app with customer certificate and provisioning profile - ios

I went through all related questions here on the site as well as blogs, but they leave it open that I can re-use the certificates and profiles of customers. There is no problem of course when the distribution and certificate has been generated with the CSR of my server.
I need to build iPhone apps on a dedicated server, using the uploaded p12 certificates and mobile provision profiles of customers.
I am facing 2 scenarios:
1. Distribution for App Store submissions
2. Ad-hoc
Regarding 1.) I could import and sign the app as follows:
security import CertificatesVOSX.p12 -k ~/Library/Keychains/login.keychain -P "asdasd" -T /usr/bin/codesign
xcrun -verbose -sdk iphoneos PackageApplication "build/Release-iphoneos/JIOSApp.app" -o /tmp/app.ipa -sign "iPhone Distribution: PUBLISHING LIMITED" -embed JIOSBase.mobileprovision
This went fine but of course iTunes fails to install it. Does this application work for App Store submissions?
Then regarding 2.)
As said, usually the customer has their own certs, bound to the original CSR. xcodebuild or xcrun doesn't work here, because of a private key mismatch.
Has anybody been able to build apps with customers' certs and mobile provision profiles yet? Seems rather impossible to me.
Thanks,
Guenter
Reference Links :
http://www.iphonedevsdk.com/forum/iphone-sdk-tools-utilities/73719-hudson-continuous-integration-ios.html
Name of Provisioning Profile used to sign an iPhone app?
And the most related one but still not 100% answered : Command line installation of Code Signing certificates, .p12 files, and mobileprovisions

Related

Objection + Frida: The application could not be verified

I am using this tutorial to install my app with Frida on an iPhone 8: https://www.secjuice.com/objection-frida-guide/
To get the duplicates out of the way:
Building and deploying via Xcode works fine
The app is deleted several times before deploying again
I've focused on doing the magic of re-signing manually, so without Frida yet. It basically comes down to these few commands. I first archived via Xcode to get an ipa file. I know that it is signed with the distribution profile, so I have also tried to get the contents of the debug build (under Products in Xcode), zip that as an ipa and go from there.
Get the certificates identities:
security find-identity -p codesigning -v
Use applesign to sign the ipa:
applesign -i E3990....1881149 -m iOS_Development.mobileprovision -o patched_codesign.ipa MyApp.ipa
iOS_Development.mobileprovision is the Development provisioning profile. I've tried to use the one that is available within the debug build (embedded.mobileprovision) and downloaded from the developer portal. I've also tried to use the iOS Distribution provisioning profile in combination with the correct certificate identifier.
Unzip the re-signed ipa: unzip patched_codesign.ipa
Deploy: ios-deploy --bundle Payload/*.app -W -d
Receive the error:
2020-10-27 08:41:40.304 ios-deploy[4282:27558] [ !! ] Error 0xe800003a: The application could not be verified. AMDeviceSecureInstallApplication(0, device, url, options, install_callback, 0)
Just to clarify that I have chosen the right certificate with the correct provisioning profile:
Also used security cms -D -i some.mobileprovision to verify that the provision profile is indeed a development profile as expected.
What am I doing wrong?

Sign application using .p12 and .mobileprovision from 3rd party

I need to sign an app for Enterprise deployment. The customer's security department refused to add my Apple ID to their team, though they sent me mobileprovision and p12 files. As far as I remember, in Xcode 5 there was a possibility to sign an IPA without an Apple ID using the mobileprovision only, like that:
[Screenshot: Xcode 5 - Enterprise deploy]
When I try to do it in Xcode 7 or 8, I get an error like [screenshot: Xcode 8 - Enterprise export error] because my Apple ID is not registered in the customer's enterprise team.
I've already added .p12 to keychain, unchecked "Automatically manage signing", selected customer's provisioning profile.
I try to use xcodebuild like xcodebuild -exportArchive -exportFormat ipa -archivePath <FILE_NAME>.xcarchive -exportPath ~/Desktop/<FILE_NAME>.ipa -exportProvisioningProfile <PROVISIONING PROFILE NAME>, but still no success.
Also, I need to generate a manifest file, that's why xcodebuild is a rough solution even if it works.
I know that it's unusual when a customer gives a cert and keypair but doesn't want to add the developer to the team, but I cannot change it.
How can I export build for Enterprise if I have provision and certificate, but my account is not in team?

Fastlane certificate error

I'm starting to have an issue with fastlane. When I run a custom lane that runs pilot the app starts to compile but eventually terminates with an error. In the fastlane log I have:
Provisioning profile "match AppStore com.mycompany.myapp-test" doesn't include signing certificate "iPhone Developer: Bob Trotter (XXXXXXXXX)".
Code signing is required for product type 'Application' in SDK 'iOS 10.0'.
I have logged into the Apple developer website. Gone into the provisioning profile and added myself. I have tried doing a project clean and downloading the certificates in Xcode. I have also run fastlane certs. Any idea what I am doing wrong here? Any pointers on this would be great!!
It seems that you are trying to use pilot with a developer certificate.
As pilot is used to submit your app to TestFlight and subsequently to the App Store, it seems consistent that the error message saying match AppStore ... for the provisioning profile and iPhone Developer: ... for the certificate would generate errors.
It looks like you are setting the correct provisioning profile but not the correct certificate to match. You can check that in Xcode by going to your project target -> Build settings -> Code Signing Identity (Release) and selecting iPhone Distribution.
If you are using cert you might as well create Distribution certificates, which your App Store provisioning should be matching.
Alternatively (and personally my option of choice today) you can use match to create your provisioning profiles for both development and distribution, which will also configure your sigh environment variables to be used by Xcode.
Based on your example bundle identifier, you could do this by executing the following command(s)
$ sudo gem install match
$ match appstore -a com.mycompany.myapp-test

Publishing iOS app on client's Enterprise App Store without source code

I am developing an iOS app for a client. My client would like to publish the app on their private Enterprise App Store which is provided by MobileIron. However, I will not disclose the source code to my client. Is anyone familiar with MobileIron? Can my client publish the app on their Enterprise App Store if only an api file is provided? How to achieve it? Thank you!
Path of least resistance:
ask them for an invitation as a member of their Enterprise portal
archive and sign the app with a development cert & provisioning profile out of that portal
send them the .xcarchive file out of Organizer
they can then pop open the .xcarchive file in Xcode, won't see the code, and can re-sign with their Enterprise cert and profile
The other answer will work but it's a pain in the neck compared to the above.
To re-sign an existing IPA, do the following steps in the terminal:
rm -rf Payload/<yourapp>.app/_CodeSignature/
cp <a valid and made for your bundle>.mobileprovision Payload/<yourapp>.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: <company>" --resource-rules Payload/<yourapp>.app/ResourceRules.plist Payload/<yourapp>.app
zip -r render3d.ipa Payload
Then remove the app from the device with Xcode
and drag the new ipa into Xcode onto the device
EDIT:
see also:
Re-sign IPA (iPhone) and
How to re-sign the ipa file?

Codesigning iOS applications (APNS Enabled) without using XCode

I want to build a single window Mac application, which can be used to codesign iOS applications without using XCode.
Many of our clients use an "Enterprise License" to distribute their apps. Each year they need to be re-signed and it's repetitive work. Their requirements are the following:
Apps make use of APNS
They don't want to share their Enterprise License
Bundle identifier should be replaceable while signing with their certificate
They have certificates with same name in Keychain
The user interface has the following fields:
Path to the *.ipa file
Path to the *.mobileprovision file
Keychain name (optional, in case more than one certificate with the same name exists)
Name of the certificate (iPhone Developer : .....)
I was able to codesign the application, but APNS is not working after re-signing. Or is it not possible to re-sign applications making use of bundleIdentifier?
And also I would like to add a feature of a drop-down list of certificates available in Keychain for improved usability. Any pointers would be a great help.
To enable push notifications, the app ID and provisioning profile will need to have that configured and allowed by Apple (through the portal). You can't enable it for arbitrary provisioning profiles/apps just by resigning.
During codesigning, the entitlements need to have the apns-environment key set to sandbox/production depending on what the app uses. This will then be verified at runtime by iOS. If you are using a third-party signing tool, it should take the apns-environment value from the provisioning profile.
For debugging, you can look at the entitlements for a .app with this command:
codesign -d --requirements - --entitlements - path/to/My.app
You should see an apns-environment value, but only if the provisioning profile had that enabled.
Just spent several hours researching this same issue and discovered the following process. Taking Mike's comments one step further, providing the following command line for others running into the same issue.
I am starting with an Xcode release build using a bundle id that has been configured for production push notification.
From the terminal window run the following commands - replacing the "CAPITAL SECTIONS" with your info
codesign -d --entitlements - "NAME OF APP.app" > entitlements.plist
codesign -f -s "SIGNING CERTIFICATE NAME" --resource-rules "NAME OF APP.app/ResourceRules.plist" --entitlements entitlements.plist "NAME OF APP.app"
Hope this helps the next person struggling with this same issue
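
Added example (not part of the original answers, and not code from fastlane, applesign or Apple): the checks the threads above do by hand, run in one pass over a provisioning profile before signing. It confirms that the profile's DeveloperCertificates include the signing identity (the SHA-1 that security find-identity prints), that the profile has not expired, that its application-identifier covers the bundle ID, and that the aps-environment entitlement is present. The function names and the sample profile are constructed for illustration, and the CMS signature of the profile is not verified here.

```python
import hashlib
import plistlib
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

def load_profile(raw: bytes) -> dict:
    """Extract the XML plist from a .mobileprovision (CMS-signed blob).
    The CMS signature is NOT verified; `security cms -D` does that."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def preflight(profile, identity_sha1, bundle_id, now):
    """Return the reasons identity + profile + bundle ID cannot be used together."""
    problems = []
    # Each DeveloperCertificates entry is a DER certificate; its SHA-1 is
    # the identity hash printed by `security find-identity`.
    allowed = {hashlib.sha1(der).hexdigest().upper()
               for der in profile.get("DeveloperCertificates", [])}
    if identity_sha1.upper() not in allowed:
        problems.append("profile does not include the signing certificate")
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    ent = profile.get("Entitlements", {})
    # application-identifier is "<TEAMID>.<bundle id, possibly with *>"
    _, _, pattern = ent.get("application-identifier", "").partition(".")
    if not fnmatchcase(bundle_id, pattern):
        problems.append("bundle id not covered by application-identifier")
    if "aps-environment" not in ent:
        problems.append("no aps-environment entitlement: push will not work")
    return problems

# --- constructed sample data: not a real certificate or profile ---
FAKE_CERT = b"constructed-der-bytes"
FAKE_SHA1 = hashlib.sha1(FAKE_CERT).hexdigest().upper()
NOW = datetime(2024, 1, 1)

def make_profile(app_id, push=True, days_left=30):
    ent = {"application-identifier": app_id}
    if push:
        ent["aps-environment"] = "production"
    body = plistlib.dumps({"DeveloperCertificates": [FAKE_CERT],
                           "ExpirationDate": NOW + timedelta(days=days_left),
                           "Entitlements": ent})
    return b"\x30\x82CMS-header" + body + b"CMS-signature"

if __name__ == "__main__":
    p = load_profile(make_profile("ABCDE12345.com.example.*", push=False))
    print(preflight(p, FAKE_SHA1, "com.example.app", NOW))
```

An empty list means the three inputs are consistent; a customer-supplied .p12 whose certificate hash is missing from the profile shows up here before codesign or the device rejects the build.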
