iOS Enterprise: Re-certify existing IPA with new certificate

We are enrolled in the iOS Enterprise Program. The provisioning profile used for our released apps is about to expire, so I got a new certificate and provisioning profile.
I need to re-distribute some of our apps with the new provisioning profile, without building them anew. How?
(I vaguely remember seeing a utility program that did exactly this: You choose an IPA and a provisioning profile, and it would create a new IPA using the new profile and certificate. What was the tool’s name, and where can I get it?)

In theory whoever built the last IPA in XCode should have used Archive - this creates a build you can sign to create an IPA (using XCode).
You could also try using the command line signing tool XCRun to re-sign the App bundled in your existing IPA:
http://skabber.com/package-your-ios-application-with-xcrun

OK, turns out that when you know what term to google, there's lots of excellent resources…
They all point to xcrun. I made it work with this shell snippet, adapted from this promising build script:
APP_FILENAME=MyApp.app
BUILD_DIRECTORY=/Path/To/Target/Dir
IPA_FILENAME=MyApp.ipa
DISTRIBUTION_CERTIFICATE='iPhone Distribution'
PROVISIONING_PROFILE_PATH='/Path/To/Profile.mobileprovision'
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "$APP_FILENAME" -o "$BUILD_DIRECTORY/$IPA_FILENAME" --sign "$DISTRIBUTION_CERTIFICATE" --embed "$PROVISIONING_PROFILE_PATH"

The codesign command-line utility, included with the iOS SDK tools, will allow adding/changing the certificate and provision with which a developer built app is signed.

As hotpaw2's answer states, you can also resign using the codesign tool.
The way I do it (this may not be the most efficient, but it works):
Rename the .ipa to a .zip and extract it.
Run the following:
/usr/bin/codesign -f -s "iPhone Distribution: Company Name" "Payload/MyApp.app"
Re-zip the Payload folder and rename it to .ipa.
Note: You can also use this method to edit the embedded.mobileprovision file! Just remember to remove the .DS_Store (rm Payload/.DS_Store) if you are using Finder.

You can do it the manual way if you are just resigning an app from the same account, with the following steps.
All this is done with shell commands and is super easy provided you know how to use them.
Rename the IPA to .zip.
Unzip this file to a temp folder.
Remove the old _CodeSignature folder from all targets (if you have multiple targets like main, watch, watch extension, Siri, widget, message, etc.).
Bring all the targets' provisioning profiles into one folder and replace the embedded.mobileprovision file of each target with the new one.
Remove the archived....xccent file, as it is the old one (optional).
Code sign with the entitlements.plist created for all the entitlements, if any, used by the app.
Zip the folder back after code signing completes with no errors.
Rename the zip to .ipa.
Note: To validate the IPA before uploading to Apple, you can just use altool from the built-in Xcode Application Loader to check the new IPA.
Reference: The steps and commands are also explained here:
http://www.enterpriseios.com/forum/topic/Resigning_3rd_party_apps
If you want to get rid of manual signing, use the fastlane tool, as it is quite simple and easy to configure: https://fastlane.tools/

Related

Is entitlement.plist file required while re-signing a development IPA with distribution certificate and profile of same account?

In my organization, the distribution certificate and App Store provisioning profile are located and installed on a Mac inside a lab environment to which only a lab manager has access.
For me to upload an app's IPA to the App Store, I need to archive a development IPA (using the dev cert and profile in Release configuration) on my local Mac and then send this IPA across to the lab manager.
The lab manager uses a Python re-signing script to re-sign the IPA on the lab Mac.
Do I also need to explicitly send an entitlements.plist file along with the IPA? My app does not use any capabilities as of now, not even Push Notifications. All capabilities in Xcode are off, and on the developer portal the app identifier also has Game Center and In-House Purchase checked by default under Capabilities.
I am assuming that since it is the same Apple account with which the lab manager will be re-signing the IPA, and the App Store profile present on the lab Mac contains its own entitlements, I do not need to send an explicit entitlements.plist file. Also, I assume the app will not get rejected in review.
Are these assumptions correct? Thanks in advance.
You can not magically attach an entitlements file during export; it has to be there during archiving. But you do not find out whether you got it "right" (in Apple's eyes) until distribution time.
So a situation where archiving happens in one place and exporting happens in another is not going to be a happy one.
I would describe this entire situation as unacceptable. I have had many occasions, just working on my own machine, where I was able to archive but then unable to upload to the app store or TestFlight because of an entitlements issue. And often there was no "real" issue: I just needed to do a bunch of goat sacrifices and fooling around with the settings (e.g. turn entitlements on and off). The point is, you don't know there's an issue until you export — and then to find out whether you fixed it you have to build / archive again.
1) An entitlements plist can be given while resigning an IPA as below, but this is optional.
codesign --entitlements entitlements.xml -f -s "IDENTITY" Payload/<app_name>.app
Please refer to How do I resign app with entitlements?
2) To resign an IPA, you can follow the procedure below (without giving entitlements).
Requisites:
Distribution profile
Distribution certificate
Assuming the distribution profile is stored on the Desktop as ~/Desktop/AdHoc.mobileprovision
Procedure:
1) Unzip the IPA using the following command:
unzip app.ipa
2) When you unzip it, you will get as output a directory called "Payload".
3) Remove the _CodeSignature folder from the unzipped "Payload" folder as below:
rm -rf Payload/MyApp.app/_CodeSignature/
4) Rename the distribution profile stored on the Desktop to embedded.mobileprovision.
5) Copy the distribution profile (embedded.mobileprovision from the Desktop) to Payload/.app:
cp ~/Desktop/AdHoc.mobileprovision Payload/MyApp.app/embedded.mobileprovision
6) Resign using the command below:
codesign -f -s "IDENTITY" --resource-rules Payload/MyApp.app/ResourceRules.plist Payload/MyApp.app
7) Zip Payload to form an IPA as below:
zip -qr <app_name>.ipa Payload/
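Both manual procedures above (the multi-target one and the numbered one) and the entitlements question before them hinge on one thing the answers take for granted: that the new profile really covers the app and that the entitlements you hand to codesign agree with it. The following is an added example, not code from any of the answers, of the pre-flight checks a re-sign script should run before touching codesign. It parses a .mobileprovision (a CMS/PKCS#7 envelope around an XML plist; `security cms -D -i profile.mobileprovision` prints the same plist on macOS, this locates it in the raw bytes instead so it runs anywhere), checks expiry, application-identifier coverage, distribution-vs-development and in-house-vs-ad-hoc, and derives an entitlements.plist with the wildcard identifier made concrete. The sample profile bytes, team id ABCDE12345 and bundle id com.example.myapp are constructed placeholders.

```python
"""Pre-flight checks for a manual IPA re-sign: validate the new provisioning
profile against the target bundle id and derive entitlements.plist from it.
Added example; not code from the answers above."""
import datetime
import plistlib
from typing import Optional

# Constructed sample profile (placeholder team and bundle identifiers).
# A real .mobileprovision is a CMS/PKCS#7 envelope whose payload is this XML
# plist; the junk bytes around it stand in for the DER framing and signature.
SAMPLE_PROFILE = {
    "Name": "Example In-House Profile",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,        # in-house (enterprise) profile
    "ExpirationDate": datetime.datetime(2030, 1, 1, 0, 0, 0),
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.*",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "get-task-allow": False,
        "keychain-access-groups": ["ABCDE12345.*"],
    },
}
SAMPLE_PROFILE_BYTES = (
    b"\x30\x82\x1b\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + plistlib.dumps(SAMPLE_PROFILE)
    + b"\x00\x01\x02\x03 constructed signature trailer"
)


def extract_profile_plist(raw: bytes) -> dict:
    """Pull the XML plist out of the CMS envelope without needing `security cms -D`."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found in provisioning profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def app_id_matches(app_identifier: str, team_id: str, bundle_id: str) -> bool:
    """application-identifier is '<TEAMID>.<bundle id>' or '<TEAMID>.<prefix>*'."""
    prefix = team_id + "."
    if not app_identifier.startswith(prefix):
        return False
    pattern = app_identifier[len(prefix):]
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id


def check_profile(profile: dict, bundle_id: str, as_of: Optional[str] = None) -> list:
    """Return the reasons this profile must not be used to re-sign bundle_id.
    as_of is an optional ISO date ('2026-01-01'); plistlib yields naive UTC datetimes."""
    now = (datetime.datetime.fromisoformat(as_of) if as_of
           else datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None))
    problems = []
    exp = profile.get("ExpirationDate")
    if exp is None or exp <= now:
        problems.append(f"profile expired or has no ExpirationDate ({exp})")
    ents = profile.get("Entitlements") or {}
    app_id = ents.get("application-identifier", "")
    if not any(app_id_matches(app_id, t, bundle_id) for t in profile.get("TeamIdentifier", [])):
        problems.append(f"application-identifier {app_id!r} does not cover {bundle_id!r}")
    if ents.get("get-task-allow"):
        problems.append("get-task-allow is true: development profile, not a distribution one")
    if not profile.get("ProvisionsAllDevices") and not profile.get("ProvisionedDevices"):
        problems.append("neither in-house (ProvisionsAllDevices) nor ad hoc (ProvisionedDevices)")
    return problems


def build_entitlements(profile: dict, bundle_id: str) -> bytes:
    """entitlements.plist content for `codesign --entitlements`: the profile's
    Entitlements with the wildcard application-identifier made concrete."""
    ents = dict(profile["Entitlements"])
    ents["application-identifier"] = f"{profile['TeamIdentifier'][0]}.{bundle_id}"
    return plistlib.dumps(ents)


if __name__ == "__main__":
    import sys
    # usage: python3 check_profile.py embedded.mobileprovision com.example.myapp
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            profile, bundle_id = extract_profile_plist(f.read()), sys.argv[2]
    else:  # no arguments: run against the constructed sample
        profile, bundle_id = extract_profile_plist(SAMPLE_PROFILE_BYTES), "com.example.myapp"
    for p in check_profile(profile, bundle_id):
        print("PROBLEM:", p)
    with open("entitlements.plist", "wb") as f:
        f.write(build_entitlements(profile, bundle_id))
```

Run it once per target (app, watch app, each .appex) with that target's bundle id and its own profile, and feed the resulting entitlements.plist to `codesign --entitlements`; a non-empty problem list is the point at which to stop rather than sign and find out at upload time, which is exactly the late failure the entitlements answer above complains about.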

Assign a new provisioning profile to an IPA after the old one has expired

I have an IPA and the provisioning profile of the app, which has expired.
I've created a new provisioning profile on Apple's portal.
Is there a way to assign the new one to the current IPA,
without configuring it in Xcode?
You should be able to swap out the embedded.mobileprovision file in the ipa, then re-sign the app. You have a couple of options to do this:
The easiest solution is to use the fastlane's resign tool.
You can write a shell script to manually extract the contents of the IPA, replace the provisioning profile, then call codesign to re-sign the binary. More details can be found here.
You can use this shell script (thank you, Daniel Torrecillas).
Prepare a directory.
Add your old IPA file, the new provisioning profile (.mobileprovision) and the downloaded shell script to the directory.
Open a terminal in the directory.
Add execute permission to the script in the terminal using the command
chmod 755 resign-ios-app
Call the script with 3 or 4 parameters: 1: the path of the old IPA file, 2: the path of the new provisioning profile, 3: the name of the distribution certificate in the Keychain, 4 (optional): the new bundle identifier.
./resign-ios-app 'olderIpaFileName.ipa' 'newProvisioningProfileFileName.mobileprovision' 'Apple Distribution: TeamName (teamID)'
As a result, you get the resigned.ipa file in the directory where the shell script is (your working directory from step 1).
Now you can use the resigned IPA file and delete your work directory from step 1.
Note: The script creates several subdirectories and plists. They are important only for the script itself. You can delete them.

How to build and sign an iOS app on separate machines?

We have an iOS app which is built using a series of Bash scripts run by Jenkins. As things are today, we build an xcarchive using this command:
xcodebuild archive -workspace "..." -scheme "..." -configuration "Release" -archivePath "..."
This builds the app and signs it using the certs specified in the provisioning profile which is set using an xcconfig. Once it is complete, we then turn it into an IPA using:
xcodebuild -archivePath "..." -exportArchive -exportOptionsPlist "${export_options_plist}" -exportPath "..."
This IPA can then be uploaded to Hockey or to the App store depending on the xcconfig we use (we swap them out to create different builds).
We now want to make sure our certificates are kept safe as much as possible. This means we want to perform the build on one machine, but the signing on another. In order to do that, we need to do this:
Create an unsigned xcarchive
Transfer the xcarchive to the signing machine
Turn the xcarchive into a signed IPA
Step 2 can be ignored for now though, so let's just focus on steps #1 and #3.
Creating the unsigned xcarchive can be done by adding the arguments CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO to the archive command.
Signing the IPA is much trickier though. We assumed we could just create the IPA again and use the codesign command to sign the binary in the IPA. This had a couple of problems though. The first is that the .entitlements file we had for the app wasn't respected. We had to pass this as a flag to the signing command. Then we realised that we had to correct all the variables in the .entitlements file since Xcode was no longer replacing them with the correct values. Then we realised that we had to do this for each extension we had.
We finally got this all working, with the correct entitlements, replacing the variables and everything was signed, but when I tried uploading the new signed IPA to Hockey it rejected it. The error message wasn't helpful either.
We diff'ed a build with the previous system with the new system and each binary was different. We're not sure if this is a codesigning issue, or just a timestamp change, but there are changes. Furthermore, we discovered that my extensions are all missing archived-expanded-entitlements.xcent files, plus possibly more issues.
It definitely seems like we are going about this the wrong way. We clearly shouldn't have to re-do everything just to sign on a different machine, so where are we going wrong? How are we supposed to build on one machine and sign on another?
P.S. Our current tools use xcodebuild directly, but we have support for fastlane for other parts of our build process, so we are happy to use it if needed.
Update: We have a "solution" to this which is to sign the Release builds with a dev cert, then resign them using the distribution one. This solves all the problems with entitlements being populated etc. but still requires each binary to be resigned and entitlements combined, etc. so I'm curious if there is a better solution.
Please follow these steps to create an unsigned xcarchive:
Set ‘Code Signing Identity’ = ‘Don’t Code Sign’
• Select Targets (‘’) -> Build Settings and find the ‘Signing’ section.
• Set ‘Code Signing Identity’ = ‘Don’t Code Sign’
Set Bundle Identifier = ‘’
Set Version = 1.0 //That you need to send
Set Build = 5 //That you need to send
Remove the 'Automatically manage signing' flag.
Open the terminal and go to the project root folder. Then run the following command.
xcodebuild -workspace <ProjectName>.xcworkspace -scheme <ProjectName> -configuration Release clean archive -archivePath buildArchive/<ProjectName>.xcarchive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
After successfully completing, it will create a new ‘buildArchive’ folder and inside that a ‘.xcarchive’ file.
You can Zip that ‘.xcarchive’ file and transfer the xcarchive to the signing machine.
We worked on this for several weeks along with other teams in the company. All of us came to the same conclusion: there is no better option than signing with a dev cert and then re-signing each and every binary with the prod cert afterwards. It's not a straightforward process, but that's what we have been left with.
This might work for you, I think:
Create an unsigned IPA on your build machine.
Have a script on the build machine that transfers the IPA to your signing machine.
Use the FloatSign script on the signing machine to resign the IPA.
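The question above ran into exactly the failure mode a post-hoc re-sign invites: every nested bundle (each extension, each framework) has to be re-signed and carry its own profile, and a missing piece only surfaces as an unhelpful rejection at upload. The earlier answer's tip about stray .DS_Store files is the same class of problem. As an added example, not code from the thread or from FloatSign, this script audits the structure of an IPA before upload: it walks every .app, .appex and .framework inside Payload and reports missing Info.plist, executable, _CodeSignature/CodeResources or embedded.mobileprovision, extension identifiers not prefixed by the app identifier, and Finder metadata. The sample IPA it builds in memory is constructed (placeholder bytes, not real Mach-O binaries) and deliberately omits the widget's profile. It complements `codesign --verify --deep` rather than replacing it.

```python
"""Structural audit of a re-signed IPA before upload. Added example, not code
from the thread; complements `codesign --verify`, does not replace it."""
import io
import plistlib
import zipfile

BUNDLE_SUFFIXES = (".app", ".appex", ".framework")


def build_sample_ipa() -> bytes:
    """Constructed IPA: one app plus a widget extension whose
    embedded.mobileprovision was not replaced, and a stray Finder .DS_Store."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        app = "Payload/MyApp.app"
        ext = app + "/PlugIns/Widget.appex"
        zf.writestr("Payload/.DS_Store", b"")
        zf.writestr(app + "/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": "com.example.myapp", "CFBundleExecutable": "MyApp"}))
        zf.writestr(app + "/MyApp", b"placeholder, not a real Mach-O")
        zf.writestr(app + "/embedded.mobileprovision", b"placeholder profile")
        zf.writestr(app + "/_CodeSignature/CodeResources", b"<plist/>")
        zf.writestr(ext + "/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": "com.example.myapp.widget", "CFBundleExecutable": "Widget"}))
        zf.writestr(ext + "/Widget", b"placeholder")
        zf.writestr(ext + "/_CodeSignature/CodeResources", b"<plist/>")
        # deliberately no ext + "/embedded.mobileprovision": the defect to catch
    return buf.getvalue()


def find_bundles(names) -> list:
    """Every directory path inside the zip that ends in a bundle suffix, outermost first."""
    bundles = set()
    for name in names:
        parts = name.split("/")
        for i, part in enumerate(parts[:-1]):      # directory components only
            if part.endswith(BUNDLE_SUFFIXES):
                bundles.add("/".join(parts[:i + 1]))
    return sorted(bundles, key=len)


def audit_ipa(ipa_bytes: bytes) -> dict:
    """Map each problematic path to its list of findings; an empty dict means clean."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = set(zf.namelist())
        bundles = find_bundles(names)
        apps = [b for b in bundles if b.endswith(".app") and b.count("/") == 1]
        main_id = None
        if len(apps) != 1:
            report["Payload"] = [f"expected exactly one top-level .app, found {apps}"]
        elif apps[0] + "/Info.plist" in names:
            main_id = plistlib.loads(zf.read(apps[0] + "/Info.plist")).get("CFBundleIdentifier")
        stray = sorted(n for n in names if n.rsplit("/", 1)[-1] == ".DS_Store")
        if stray:
            report.setdefault("Payload", []).append(f"stray Finder metadata: {stray}")
        for b in bundles:
            problems = []
            if b + "/Info.plist" not in names:
                report[b] = ["missing Info.plist"]
                continue
            info = plistlib.loads(zf.read(b + "/Info.plist"))
            exe = info.get("CFBundleExecutable")
            if not exe or f"{b}/{exe}" not in names:
                problems.append("CFBundleExecutable not found in bundle")
            if b + "/_CodeSignature/CodeResources" not in names:
                problems.append("missing _CodeSignature/CodeResources (unsigned, or stripped and not re-signed)")
            if b.endswith((".app", ".appex")) and b + "/embedded.mobileprovision" not in names:
                problems.append("missing embedded.mobileprovision")
            bid = info.get("CFBundleIdentifier", "")
            if b.endswith(".appex") and main_id and not bid.startswith(main_id + "."):
                problems.append(f"extension id {bid!r} is not prefixed by app id {main_id!r}")
            if problems:
                report[b] = problems
    return report


if __name__ == "__main__":
    import sys
    # usage: python3 audit_ipa.py MyApp.ipa   (no argument: audit the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa()
    for path, findings in audit_ipa(data).items():
        for finding in findings:
            print(f"{path}: {finding}")
```

Running it on the sample reports the widget's missing profile and the stray .DS_Store while leaving the main app clean; on a real re-signed IPA a clean report is the precondition for `codesign --verify --deep --strict` and for the altool validation mentioned earlier, and a listed bundle is the one whose re-sign step was skipped.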

Failed to locate or generate matching signing assets: when I'm trying to generate an ad hoc IPA

Can anyone help me? Actually I'm a 6-month-old kid in iOS app development, and this is my first app to submit to the App Store. When I'm trying to generate the ad hoc distribution IPA, it shows an error (as in the screenshot below). But the App Store IPA was generated successfully, so I'm confused... what magic is this!
I have tried the following things to solve this problem:
1. Deleted all my Mac keychain certificates.
2. Deleted all Xcode caches and provisioning profiles, and also deleted the developer account from Xcode,
and restarted my Mac...
Then:
1. Reinstalled the certificates in the keychain from a .p12 exported from another Mac.
2. Logged in on the Xcode Preferences > Accounts tab and refreshed it. It downloads all provisioning profiles from my developer account.
Status: not working, still the same issue... for all the other projects on my Mac and the App Store IPA too.
Even after I generated a new developer certificate and updated all my project provisioning profiles, I still have the same issue... then I tried it with a new bundle id and new provisioning profiles... I can't get it!
Because of this problem I can't generate an IPA for any other app from my Mac... I wasted two entire working days on this issue. Totally disturbed.....
Only once I solve this can I sleep well. Please help me, thanks in advance....
I was having the same trouble a few weeks back. Though I haven't yet figured out the exact issue behind it, I found that exporting an .ipa file via the command line works.
Archive your project using your desired build settings.
Locate the .xcarchive file in Finder (DON'T follow the usual procedure from this point).
Copy it and paste it into your project directory (where your .xcodeproj file is). (I usually rename it to remove all the spaces from the name as well.)
cd to your project directory in Terminal.
Run the following command:
xcodebuild -exportArchive -archivePath YourArchiveName.xcarchive -exportPath YourIpaName.ipa -exportFormat ipa -exportProvisioningProfile YOUR_PROVISION_PROFILE_NAME
Your .ipa file will be generated in your project directory. Use it as you will.
For example, if my archive name was mySillyApp and I wanted to create an ad hoc IPA from it named mySillyApp with a provisioning profile named MySillyProfile, I'd run it like this:
xcodebuild -exportArchive -archivePath mySillyApp.xcarchive -exportPath mySillyApp.ipa -exportFormat ipa -exportProvisioningProfile MySillyProfile
NOTE: Even though this doesn't fix the Xcode issue, it gets you the IPA. Just thought it would help someone looking for a quick way to get the ad hoc build, who doesn't have the time to figure out what's wrong with Xcode.
If you are doing this for the distribution environment, and you have previously created the distribution certificate on a different Mac, then either export that same certificate from that Mac and import it here, or revoke the same certificate from your Mac; it will then be added to your keychain (https://help.como.com/hc/en-us/articles/201708891-Revoke-Your-iOS-Distribution-Certificate-P12-File-)
https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html
After doing this, just restart Xcode and give it a try.
Hope this will help you!

Make Ad-hoc builds in Xcode 6 without signing in to developer account

Before Xcode 6, it was sufficient to provide only a *.p12 certificate and *.mobileprovision file to Xcode in order to export an *.ipa file for Ad Hoc builds.
Xcode 6 opens the Organizer as usual when the archive is ready, but when I press the "Export" button, the Organizer asks to select a Development Team. It does not allow me to proceed without one even though I have *.p12 and *.mobileprovision installed.
To save for Ad Hoc Development, select a Development Team to use for provisioning:
I know that a developer account could be exported from Xcode accounts pane, but there is a problem with that. It exports all certificates and mobileprovision files associated with it. This includes other profiles that I don't want to include (because I want to share the resulting export with a project team and don't want to include non-relevant profiles).
Is there any way to avoid this "helpful" feature and just export the relevant *.p12 and *.mobileprovision?
If you are using Testflight to upload adhoc builds, it's easier. Install the Testflight app for Mac and run it. Whenever you do an archive in Xcode, it auto shows a popup whether to upload it. You need not export the build from Xcode and avoid signing in to developer account.
Alternatively, if you don't want to distribute on Testflight, you can right click (or option click) on the build in Xcode > Organizer and select "Show in Finder", then right click the archived file for "Show Package Contents" and get the .app. Put the .app inside a directory called Payload and zip up the file to Payload.zip. Rename Payload.zip to myapp.ipa to distribute manually.
Edit: A long time has passed since this answer. As for now I suggest using Fastlane for building the app from command line - with proper configuration it won't require signing with dev account.
Original answer below:
I don't know how to do it in xcode, however - I've managed to do it using command line tools:
xcodebuild -configuration Release -scheme SCHEME_NAME -workspace Workspace.xcworkspace clean archive -archivePath build/App
xcodebuild -configuration Release -exportArchive -exportFormat ipa -archivePath "build/App.xcarchive" -exportPath "build/App.ipa" -exportProvisioningProfile "PROVISIONING_PROFILE_NAME"
Just select "Use local signing assets" in the accounts drop down.
We were having the same problem. I tried building the project and making the archive using Xcode 6, and after that I went to the Organizer window of Xcode 5 and exported the ad hoc build from there. It works fine.
This solution worked for me.
https://stackoverflow.com/a/26497744/1500634
Xcode Version 6.1
TestFlight Version 1.0 (320)
Download a previous version of Xcode, I just got the version 4.6.3 and it worked fine so far.
https://developer.apple.com/downloads/index.action
In my case, I use Unity 5.0.1p1 with Vuforia 4.2.3.
So it has a QCARWrapper.bundle in "Build Phases > Copy Bundle Resources".
I deleted it and exported. Works!!!
I do this only for EXPORT FOR AD HOC.
Hope this helps someone.
In fact, you need to create a new Distribution profile, specific for Ad Hoc deployment.
This can be found in the classic Member Center, but it is a new type of certificate.
You can then select which devices can be used to test the app, as you would do with a developer profile.
Alternatively you can use the TestFlight solution provided by Apple with iOS 8 to give your users access to prereleases.