Resigning 3rd party apps.


TheUnix

Joined: Apr 20, 2015

Hi Guys,

I've been sent an app from one of our clients to upload to our enterprise app centre. It needs resigning with our enterprise certificates, but when using iResign and Apple codesign it returns the error "Product identifiers don't match". Has anybody run into this problem before, or have a working way of resigning apps via Apple codesign? We have all of the enterprise certs etc., and are resigning an app sent by developers who signed it with their development certs first.

Any advice or links to tutorials would be much appreciated.

Thanks.


Jakey

Joined: Sep 21, 2014


I don't believe you can do this. You can't resign a signed file as you don't have the private key to unsign it.

You would need an unencrypted/unsigned IPA or the original source code I think?

Otherwise anyone could download an Apple IPA file and resign it as their own.


ingybing

Joined: Apr 17, 2015


Yes it is possible.

The IPA file is simply a ZIP file... run a terminal prompt and type:
unzip <APPLICATION_NAME>.ipa

Remove the existing signature by going into the application folder
rm -rf ./Payload/<APPLICATION_NAME>.app/_CodeSignature

Remove the existing provisioning profile and replace it with the one tied to the cert you are signing with.
rm -rf ./Payload/<APPLICATION_NAME>.app/embedded.mobileprovision
cp <NEW_PROFILE>.mobileprovision ./Payload/<APPLICATION_NAME>.app/embedded.mobileprovision

Change the bundle identifier (in the example below to com.mynew.bundle.identifier)
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier com.mynew.bundle.identifier" ./Payload/<APPLICATION_NAME>.app/Info.plist

From iOS 8.2 you need to use an entitlements file when code signing, even if the app requests no additional entitlements. Grab the appname.xcent from a build. Copy it somewhere and then modify it to contain the bundle id you are resigning to and the team identifier. The file is just an XML plist that looks like:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>BUNDLEID WITH PREFIX (TEAMID.BUNDLEID)</string>
<key>com.apple.developer.team-identifier</key>
<string>YOURTEAMIDHERE</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>

Now you are ready to resign the app...
/usr/bin/codesign -v -f -s "<CERTIFICATE_NAME>" --resource-rules ./Payload/<APPLICATION_NAME>.app/ResourceRules.plist --entitlements <ENTITLEMENTS_FILE> ./Payload/<APPLICATION_NAME>.app

Now you just need to zip it up again and call it an IPA file:
zip -rq <APPLICATION_NAME>.ipa ./Payload


normangl

Joined: Sep 20, 2016

Problems resigning complex iOS Apps for Enterprise Distribution


All
 
I'm working for a worldwide company that requires the apps we produce to be initially resigned for enterprise distribution for testing purposes before submitting to the App Store. This is so that testers who are based in branches all over the world can rigorously test and scrutinise the apps we produce before they are submitted onto the Apple App store.
 
I notice how the simpler apps we produce can be so easily resigned using iResign, where I just need to point to the enterprise distribution provisioning profile and the In-House distribution certificate and the apps then resign, install and work fine.
However, some more complex apps we produce only install & work when I resign using Ad hoc distribution or developer cert & provisioning profile, but fail when I resign them for In-house enterprise distribution.
I find these more complex apps that deploy WatchKit and have many entitlements in the AppID are the apps I cannot resign for enterprise distribution using simple iResign, because they just fail to install or crash upon launch.
 
Are there any restrictions on what the apps signed for In-house enterprise distribution can contain? Compared to what apps signed for Ad hoc distribution can contain?
 
Also, all the Apple account certificates in my keychain have a certificate id in brackets after the certificate name other than the certificate for In-house enterprise distribution. See item 2 in the list below after the following terminal command, which may be the source of the problem:

$ security find-identity -v
  1) DF3E9EB66DDFD9464C9E9C8B7978C031DB5E7478 "iPhone Distribution: Smart Phone App Design Ltd (5T87Z3V53D)"
  2) 65AB5C69BF03D8DCB98B468BDB075A69CA06C6FA "iPhone Distribution: Smart Phone App Design Limited"
  3) E8768633790130B0262C7F1E6AE3BB67BAEE1A93 "iPhone Developer: Gavin Norman (XKD25VK538)"
  4) 24AD3C52FBA815EB890C0DC9423A8724780727D1 "iPhone Developer: Smart Phone App Design Limited (D4ECBYFEZX)"
  5) 64A424D387BEFCF8C10C08D8358994A21517564E "iPhone Distribution: Smart Phone App Design (H6**934YRM)"
  6) C9C0B4B054B23DC0EA52C37ABC9517C50CFEA3C2 "iPhone Developer: Smart Phone App Design (ZP36FJ4Y5Z)"
  7) 4F652CB23B920C831643D64B75A7184626F3F361 "iPhone Distribution: Gavin Norman (AJT88LS67C)"
 
 
I have even tried resigning from scratch using the following process:
$ unzip GN-GoPro.ipa
 
Remove the existing signature by going into the application folder
$ rm -rf ./Payload/GN-GoPro.app/_CodeSignature
 
Remove the existing provisioning profile and replace it with the one tied to the cert I'm signing with.
$ rm -rf ./Payload/GN-GoPro.app/embedded.mobileprovision
$ cp GoProAppDistnProvProfile.mobileprovision ./Payload/GN-GoPro.app/embedded.mobileprovision

Change the bundle identifier (in the example below to com.smartdesign.app7.resigned.gntest)
$ /usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier com.smartdesign.app7.resigned.gntest" ./Payload/GN-GoPro.app/Info.plist
 
I use an entitlements.plist file when code signing even if the app requests no additional entitlements.
I grab the appname.xcent from a build, copy it somewhere and then modify it to contain the bundle id I'm resigning to and my in-house enterprise distribution team identifier.
Now resign the app...
$ /usr/bin/codesign -f -s 65AB5C69BF03D8DCB98B468BDB075A69CA06C6FA --entitlements entitlements.plist Payload/GN-GoPro.app

Payload/GN-GoPro.app: replacing existing signature
$ zip -qr GN-GoPro_resigned.ipa ./Payload
 
Using the above approach, the in-house enterprise apps resign, but fail to install unfortunately.
Anyone experienced with In-house enterprise distribution resigning, I would really appreciate your help.
 
Thanks
 
Gav


ingybing

Joined: Apr 17, 2015


Couple of things I'd come across.

1) Check if the entitlements file is configured for the type you're signing for...
2) You can verify the package is valid with the following command

/usr/bin/codesign --no-strict --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' /PATH_TO_YOUR/Payload/Application.app

3) When zipping back up I found some things were symbolic folders, and so I had to start zipping up with

zip -rqy app.ipa ./Payload
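
Added example, not part of any post in this thread: a pre-signing check that compares the three files the thread edits by hand (Info.plist, the entitlements file passed to codesign, and the embedded.mobileprovision profile) and lists mismatches such as a stale bundle identifier or an entitlement the profile does not grant. The function names, team id and bundle id are constructed placeholders, and the profile payload is located by a byte search without verifying its CMS signature.

```python
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision, which is a CMS envelope
    around it. This only locates the payload; it does not verify the signature."""
    start = blob.index(b"<?xml")
    end = blob.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(blob[start:end])

def app_id_matches(granted: str, requested: str) -> bool:
    """A profile application-identifier is exact or ends in a '*' wildcard."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def check_resign_inputs(info: dict, ents: dict, profile: dict) -> list:
    """List the mismatches between Info.plist, the entitlements file passed to
    codesign, and the provisioning profile copied into the bundle."""
    problems = []
    granted = profile.get("Entitlements", {})
    team = ents.get("com.apple.developer.team-identifier")
    app_id = ents.get("application-identifier", "")
    # The thread's entitlements template uses TEAMID.BUNDLEID as the app id.
    if app_id != f"{team}.{info.get('CFBundleIdentifier')}":
        problems.append("application-identifier != TEAMID.CFBundleIdentifier")
    if team not in profile.get("TeamIdentifier", []):
        problems.append("team identifier not in profile")
    if not app_id_matches(granted.get("application-identifier", ""), app_id):
        problems.append("profile does not cover application-identifier")
    if ents.get("get-task-allow", False) != granted.get("get-task-allow", False):
        problems.append("get-task-allow differs from profile")
    for key in sorted(set(ents) - set(granted)):
        problems.append(f"entitlement not granted by profile: {key}")
    return problems

# Constructed sample data (placeholder team and bundle ids, not from the thread).
TEAM, BUNDLE = "ABCDE12345", "com.example.resigned"
INFO = {"CFBundleIdentifier": BUNDLE}
ENTS = {"application-identifier": f"{TEAM}.{BUNDLE}",
        "com.apple.developer.team-identifier": TEAM, "get-task-allow": False}
PROFILE_BLOB = b"\x30\x82CMS-header" + plistlib.dumps({
    "TeamIdentifier": [TEAM],
    "Entitlements": {"application-identifier": f"{TEAM}.*",
                     "com.apple.developer.team-identifier": TEAM,
                     "get-task-allow": False}}) + b"CMS-signature-bytes"

if __name__ == "__main__":
    print(check_resign_inputs(INFO, ENTS, profile_plist(PROFILE_BLOB)))
    stale = dict(INFO, CFBundleIdentifier="com.client.original")
    print(check_resign_inputs(stale, ENTS, profile_plist(PROFILE_BLOB)))
```

On a real bundle, load Info.plist and the entitlements file with `plistlib.load` and pass the raw bytes of embedded.mobileprovision to `profile_plist`.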
