Last Updated: September 11, 2018 · tobycox

How to re-sign iOS builds

Part of being an iOS developer is going through the hell of signing builds. It's even more fun when you have to re-sign a build that isn't yours.

Here's a bit of a process for doing it, while avoiding Xcode and the misery that it introduces.

Converting an xcarchive

If you're given an .xcarchive file, you should turn it into an .ipa (skip ahead if you already have an .ipa).
To do this:

  1. Right click on your .xcarchive file and select "Show package contents".

  2. Go to Products/Applications and drag the app you find there into iTunes.

  3. Once the app imports into iTunes, right click it and select "Show in Finder".

You now have your .ipa.

Re-signing an .ipa

An .ipa is just a zip file. To modify it, you need to extract it, have your way with it, sign it again, and recompress it.

  1. Unzip your app with:

    unzip MyApp.ipa
  2. Remove the old codesignature:

    rm -r Payload/MyApp.app/_CodeSignature
  3. If you want to (it's optional), change the bundle ID. It's in the file:

    Payload/MyApp.app/Info.plist
  4. Copy in the new Provisioning profile:

    cp NewProfile.mobileprovision Payload/MyApp.app/embedded.mobileprovision
  5. Sign the package again (running security find-identity will give you a list of identities, from which you can pick the one you want):

    codesign -f -s "iPhone Distribution: A Developer (YLDDA23U7G)" Payload/MyApp.app
  6. Zip the app up again:

    zip -qr MyApp-re-signed.ipa Payload/

This ipa should be signed with your new profile.

Sometimes when uploading to the App Store, iTunes Connect will complain about incorrect entitlements. To add or change the entitlements for an ipa, run step 5 with the --entitlements flag:

    codesign -f -s "iPhone Distribution: A Developer (YLDDA23U7G)" --entitlements entitlements.plist Payload/MyApp.app

An example entitlements file might look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>YLDDA23U7G.com.mycompany.myapp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
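
A pre-flight check for the "incorrect entitlements" complaint, as an added example that is not part of the original post: it compares the entitlements you plan to pass to codesign with the ones the provisioning profile grants. It assumes the profile's embedded plist carries an `Entitlements` dictionary; the function names and the sample profile bytes are constructed for illustration.

```python
import fnmatch
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision (a CMS-signed blob).

    The plist sits unencrypted inside the CMS container, so slicing between the
    XML markers is enough to read it. This does NOT verify the CMS signature.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def entitlement_problems(requested: dict, profile: dict) -> list:
    """List entitlements in `requested` that the profile does not grant."""
    granted = profile.get("Entitlements", {})
    problems = []
    for key, value in requested.items():
        if key not in granted:
            problems.append(f"{key}: not granted by profile")
        elif key == "application-identifier":
            # Profile app IDs may be wildcards such as TEAMID.com.mycompany.*
            if not fnmatch.fnmatchcase(value, granted[key]):
                problems.append(f"{key}: {value!r} does not match {granted[key]!r}")
        elif value != granted[key]:
            problems.append(f"{key}: {value!r} != profile value {granted[key]!r}")
    return problems

# Constructed sample data: the entitlements file shown above, and a fake profile
# (junk bytes around a plist) standing in for NewProfile.mobileprovision.
ENTITLEMENTS = {
    "application-identifier": "YLDDA23U7G.com.mycompany.myapp",
    "aps-environment": "production",
    "get-task-allow": False,
}
SAMPLE_PROFILE = b"\x30\x82\x1f\x00" + plistlib.dumps({"Entitlements": {
    "application-identifier": "YLDDA23U7G.com.mycompany.*",
    "aps-environment": "development",
    "get-task-allow": False,
}}) + b"\xa0\x82\x0d"

if __name__ == "__main__":
    for line in entitlement_problems(ENTITLEMENTS, profile_plist(SAMPLE_PROFILE)):
        print("MISMATCH", line)
```

With real files, load entitlements.plist with plistlib.load and pass the raw bytes of NewProfile.mobileprovision to profile_plist; an empty result means every requested entitlement is covered by the profile.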

More information on entitlements files and a more thorough overview of the whole process can be found here:
http://www.objc.io/issue-17/inside-code-signing.html

1 Response

So in this current project that we are finishing, the client provided us with Enterprise distribution certificates so we can send them ipa builds that they can test. Now that we've finished all our tasks, https://www.7zip.vip/ they want us to send them 'production builds' that they can upload in the App Store by themselves. Problem is, https://www.applock.ooo/ we only have Enterprise provisioning profiles and we can't send App Store releases. Any suggestion how we can send an ipa file using the Enterprise cert which they can upload using Application Loader? Or should I just ask for a developer cert? The client is very strict in security. I asked that they could give me developer access to their Apple account and credentials to the iTunes Connect of their app but they were adamant that I should just send them the ipa so they can upload the app by themselves. Any advice on how to handle this? https://www.minimilitia.mobi/

about 1 month ago