I currently build all my applications with hudson using xcodebuild followed by a xcrun without any problems
I've received a couple of IPA files from different people that I would like to re-sign with a enterprise account instead of the corporate account (for the app store, or sometimes ad-hoc distributed).
My problem is that when I try to resign the app, it won't install on my device (and it should since it's a Enterprise build). The error message is on the device (not in iTunes) and it tells me simply that it couldn't install the app. No more information is given.
I've found some information, ( http://www.ketzler.de/2011/01/resign-an-iphone-app-insert-new-bundle-id-and-send-to-xcode-organizer-for-upload/ )
And this might be possible. The problem I'm facing is that it doesn't seem to embed the mobile provisioning profile as I do with my normal builds (using xcrun) is this possible to control with the codesign tool, or is it possible to re-sign with xcrun?
With my resign script i currently do
I've looked in the resulting ipa file and it seems to be very similar to the original app. What files should really change here? I initially thought the the _CodeSignature/CodeResources would change, but the content looks pretty much exactly the same.
Pointers are much appreciated.
I tried all the Solution but finally I am able to create resign ipa with these commands
Resign Certificates
Go the Directory where want to create the new ipa with resign certificates . Pase all the files there ipa, certificate and mobileprovision and also install the certificate
security cms -D -i path/to/MyProfile.mobileprovision > provision.plist (Call this command and replace mobile provision with path of the file)
/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist (Hit this command)
unzip -q *.ipa
rm -rf Payload/*.app/_CodeSignature/
/usr/libexec/PlistBuddy Payload/*.app/Info.plist (After this command we have to add new bundle ID if we don’t need to change bundle id Then we can ignore these 3 steps)
7. Set :CFBundleIdentifier “com.mycompany.newbundleidentifier” (This should be new bundle ID)
8. save
9. quit
cp $PROVISION Payload/*.app/embedded.mobileprovision
codesign -d --entitlements :entitlements.plist Payload/*.app/ (Try to ignore this command if app doesn’t work then next time use this command)
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/.app/Frameworks/
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/
zip -qr resigned.ipa Payload
https://stackoverflow.com/a/37172815 https://stackoverflow.com/a/50392448 https://coderwall.com/p/qwqpnw/resign-ipa-with-new-cfbundleidentifier-and-certificate
I think the easiest is to use Fastlane:
sudo gem install fastlane -NV
hash -r # for bash
rehash # for zsh
fastlane sigh resign ./path/app.ipa --signing_identity "Apple Distribution: Company Name" -p "my.mobileprovision"
You can simply implement the same using the application iResign.
Give path of 1).ipa
2) New provision profile
3) Entitlement file (Optional, add only if you have entitlement)
4) Bundle id
5) Distribution Certificate
You can see output .ipa file saved after re-sign
Simple and powerful tool
I successfully followed this answer, but since entitlements have changed, I simply removed the --entitlements "Payload/Application.app/Entitlements.plist" part of the second to last statement, and it worked like a charm.
Thank you, Erik, for posting this. This worked for me. I'd like to add a note about an extra step I needed. Within "Payload/Application.app/" there was a directory named "CACertChains" that contained a file named "cacert.pem". I had to remove the directory and the .pem to complete these steps. Thanks again! –
With Fastlane sigh's resign option you can do this very easily.
sigh resign -p <path-to-profile-with-mobileprovision-ext> -i <code-sighning-identity-of-your-app>
You can download the profile using sigh also, just before the command.
None of these resigning approaches were working for me, so I had to work out something else.
In my case, I had an IPA with an expired certificate. I could have rebuilt the app, but because we wanted to ensure we were distributing exactly the same version (just with a new certificate), we did not want to rebuild it.
Instead of the ways of resigning mentioned in the other answers, I turned to Xcode’s method of creating an IPA, which starts with an .xcarchive from a build.
I duplicated an existing .xcarchive and started replacing the contents. (I ignored the .dSYM file.)
I extracted the old app from the old IPA file (via unzipping; the app is the only thing in the Payload folder)
I moved this app into the new .xcarchive, under Products/Applications replacing the app that was there.
I edited Info.plist, editing
ApplicationProperties/ApplicationPathApplicationProperties/CFBundleIdentifierApplicationProperties/CFBundleShortVersionStringApplicationProperties/CFBundleVersionNameI moved the .xcarchive into Xcode’s archive folder, usually /Users/xxxx/Library/Developer/Xcode/Archives.
In Xcode, I opened the Organiser window, picked this new archive and did a regular (in this case Enterprise) export.
The result was a good IPA that works.
If your APP is built using Flutter tools, please examine the codesign info for all pod extensions:
codesign -d --verbose=4 Runner.app/Frameworks/xxx.framework |& grep 'Authority='
The result should be the name of your team.
Run the shell script below to codesign all extensions:
IDENTITY=<prefix of Team ID number>
ENTITLEMENTS=<entitlements.plist>
find Payload/Runner.app -type d -name '*framework' | xargs -I '{}' codesign -s $IDENTITY -f --entitlements $ENTITLEMENTS {}
And finally don't forget to codesign the Runner.app itself
In 2020, I did it with Fastlane -
Here is the command I used
$ fastlane run resign ipa:"/Users/my_user/path/to/app.ipa" signing_identity:"iPhone Distribution: MY Company (XXXXXXXX)" provisioning_profile:"/Users/my_user/path/to/profile.mobileprovision" bundle_id:com.company.new.bundle.name
Full docs here - https://docs.fastlane.tools/actions/resign/
The answers to this question are a little out of date and missing potentially key steps, so this is an updated guide for installing an app from an external developer.
----- How to Resign an iOS App -----
Let's say you receive an app (e.g. MyApp.ipa) from another developer, and you want to be able to install and run it on your devices (by using ideviceinstaller, for example).
Prepare New Signing Assets
The first step is to attain a Provisioning Profile which includes all of the devices you wish to install and run on. Ensure that the profile contains a certificate that you have installed in your Keychain Access (e.g. iPhone Developer: Some Body (XXXXXXXXXX) ). Download the profile (MyProfile.mobileprovision) so you can replace the profile embedded in the app.
Next, we are going to prepare an entitlements file to include in the signing. Open up your terminal and run the following.
$ security cms -D -i path/to/MyProfile.mobileprovision > provision.plist
This will create an xml file describing your Provisioning Profile. Next, we want to extract the entitlements into a file.
$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist
Replace The Provisioning Profile and Resign App
If you are working with a .ipa file, first, unzip the app (if you have a .app instead, you can skip this step).
$ unzip MyApp.ipa
Your working directory will now contain Payload/ and Payload/MyApp.app/. Next, remove the old code signature files.
$ rm -rf Payload/MyApp.app/_CodeSignature
Replace the existing provisioning profile (i.e. embedded.mobileprovision) with your own.
$ cp path/to/MyProfile.mobileprovision Payload/MyApp.app/embedded.mobileprovision
Now sign the app with the certificate included in your provisioning profile and the entitlements.plist that you created earlier.
$ /usr/bin/codesign -f -s "iPhone Developer: Some Body (XXXXXXXXXX)" --entitlements entitlements.plist Payload/MyApp.app
IMPORTANT: You must also resign all frameworks included in the app. You will find these in Payload/MyApp.app/Frameworks. If the app is written in Swift or if it includes any additional frameworks these must be resigned or the app will install but not run.
$ /usr/bin/codesign -f -s "iPhone Developer: Some Body (XXXXXXXXXX)" --entitlements entitlements.plist Payload/MyApp.app/Frameworks/*
You can now rezip the app.
$ zip -qr MyApp-resigned.ipa Payload
Done
You may now remove the Payload directory since you have your original app (MyApp.ipa) and your resigned version (MyApp-resigned.ipa). You can now install MyApp-resigned.ipa on any device included in your provisioning profile.
If you have an app with extensions and/or a watch app and you have multiple provisioning profiles for each extension/watch app then you should use this script to re-sign the ipa file.
Here is an example of how to use this script:
./resign.sh YourApp.ipa "iPhone Distribution: YourCompanyOrDeveloperName" -p <path_to_provisioning_profile_for_app>.mobileprovision -p <path_to_provisioning_profile_for_watchkitextension>.mobileprovision -p <path_to_provisioning_profile_for_watchkitapp>.mobileprovision -p <path_to_provisioning_profile_for_todayextension>.mobileprovision resignedYourApp.ipa
You can include other extension provisioning profiles too by adding it with yet another -p option.
For me - all the provisioning profiles were signed by the same certificate/signing identity.
Source: Stackoverflow.com