20

My client has an iOS app with In-app purchase, Game-kit and Push notifications enabled, it is currently on the app store. I would like to resign the application using an in-house enterprise distribution certificate, to test internally, but still be able to test services tied to the original provisioning profile. Is this possible?

Koko Carl
  • 657
  • 1
  • 5
  • 9

4 Answers4

33

I ended up doing this, which is a combination of :-

and

1) Create Entitlements plist, prevent issues with the Keychain etc

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>GBA9L2EABG.com.your.bundle.id.MyApp</string>
    <key>get-task-allow</key>
    <false/>
</dict>

2) Unzip the IPA

unzip Application.ipa

3) Remove the old code signature

rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null | true

4) Replace embedded mobile provisioning profile

cp "MyEnterprise.mobileprovision" "Payload/Application.app/embedded.mobileprovision"

5) Resign

/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" --entitlements Entitlements.plist "Payload/Application.app"

6) Re-package

zip -qr "Application.resigned.ipa" Payload
Community
  • 1
  • 1
Koko Carl
  • 657
  • 1
  • 5
  • 9
  • one command could do this if you resign the .app file: `xcrun -sdk iphoneos PackageApplication -v "build/YourProject-iphoneos/youAppName.app" -o "output_folder/yourAppName.ipa" --sign "yourCertificateName" --embed "your.mobileprovision"` – Xiao Feb 27 '14 at 03:00
  • "GBA9L2EABG.com.your.bundle.id.MyApp" - is this just a bundle ID that you have created, or is it the one from the original IPA? Do also push notifications work if you change bundle id of the original app? – Leonti Nov 14 '14 at 14:34
  • When I try to install the app getting error as CFBundleExecutable of appName, which is not executable. I tried the chmod +x command to the appName.app still same error. – Raghav May 29 '15 at 07:04
  • Warning: --resource-rules has been deprecated in Mac OS X >= 10.10! Payload/Application.app/ResourceRules.plist: cannot read resources – Madusanka Jul 28 '16 at 12:49
4

To resign an app a bit easier than what @Koko Carl has said, we have adapted the floatsign script, which can be found at https://gist.github.com/Weptun/5406993. Makes the process really easy:

sh floatsign.sh  ~/Downloads/File.ipa "iPhone Distribution: CertificateName" -b new.bundle.id -p /Path/To/Profile/Appstore.mobileprovision   App-resigned.ipa
Blitz
  • 5,521
  • 3
  • 35
  • 53
  • Warning: --resource-rules has been deprecated in Mac OS X >= 10.10! temp/Payload/Application.app/ResourceRules.plist: cannot read resources Had an Error, aborting! – Madusanka Jul 28 '16 at 12:55
1

Just to add a little bit to Koko Carl's response, if you run into problems with codesign_allocate when you get to step 5 (Resign), try exporting a shell variable CODESIGN_ALLOCATE and give it a path to the codesign allocate within the iPhone SDK. To do this, make sure you have the xcode command line tools installed (Preferences/Updates in Xcode)

For example, I was getting the error: 

me$ /usr/bin/codesign -f -v -s "iPhone Distribution: Some Company, Inc" --resource-rules "Payload/MyApp.app/ResourceRules.plist" --entitlements Entitlements.plist "Payload/MyApp.app"

Output:

Payload/MyApp.app: replacing existing signature
codesign_allocate: object: /Users/mimio/Downloads/Payload/MyApp.app/MyApp malformed object (unknown load command 33)
Payload/MyApp.app: object file format unrecognized, invalid, or unsuitable

To solve this, I set the variable thusly:

me$ export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate

And then ran my command again:

me$ /usr/bin/codesign -f -v -s "iPhone Distribution: Some Company, Inc" --resource-rules "Payload/MyApp.app/ResourceRules.plist" --entitlements Entitlements.plist "Payload/MyApp.app"

And voila! Everything worked properly with the new codesign_allocate

tonyg
  • 197
  • 2
  • 13
1

When searched this is the first question shownup in stackover flow. So wanted to updated with the latest iResign mac app, which makes the job super easy with GUI instead of commands in terminal.

iReSign

iReSign allows iDevice app bundles (.ipa) files to be signed or resigned with a digital certificate from Apple for distribution. It can also create signed iDevice app bundles (.ipa) files from .xcarchive files. This tool is aimed at enterprises users, for enterprise deployment, when the person signing the app is different than the person(s) developing it.

How to use

iReSign allows you to re-sign any unencrypted ipa-file with any certificate for which you hold the corresponding private key. iResign can also created a signed ipa-file from an xcarchive file.

Drag your unsigned .ipa or .xcarchive file to the top box, or use the browse button.

Enter your full certificate name from Keychain Access, for example "iPhone Developer: Firstname Lastname (XXXXXXXXXX)" in the bottom box.

Click ReSign! and wait. The resigned file will be saved in the same folder as the original file.

Source: https://github.com/maciekish/iReSign

coder284
  • 831
  • 1
  • 13
  • 34
  • 4
    You have the same answer on 4 different questions. If the question can be answered with the same answer then you should flag it is a duplicate and not post duplicate answers. – NathanOliver Jan 08 '16 at 13:37
  • Perfect to re-sign an ipa sent to AppStore. Just need to find the right profiles and certificate (if you have more than one). I left the entitlement.plist empty, it seems to create a tempo one if none found. Then I installed my resigned ipa using iMazing. Now I can double-check that my submitted app will work as expected before reaching the store and/or waiting for approval. – Big Papoo Apr 11 '16 at 15:06