Re-sign IPA (iPhone)

Asked 1/8, 2011 at 8:44 Answered 24/3, 2021 at 7:53

154

I currently build all my applications with hudson using xcodebuild followed by a xcrun without any problems

I've received a couple of IPA files from different people that I would like to re-sign with a enterprise account instead of the corporate account (for the app store, or sometimes ad-hoc distributed).

My problem is that when I try to resign the app, it won't install on my device (and it should since it's a Enterprise build). The error message is on the device (not in iTunes) and it tells me simply that it couldn't install the app. No more information is given.

I've found some information, ( http://www.ketzler.de/2011/01/resign-an-iphone-app-insert-new-bundle-id-and-send-to-xcode-organizer-for-upload/ )

And this might be possible. The problem I'm facing is that it doesn't seem to embed the mobile provisioning profile as I do with my normal builds (using xcrun) is this possible to control with the codesign tool, or is it possible to re-sign with xcrun?

With my resign script i currently do

unzip app.ipa
appname=$(ls Payload)
xcrun -sdk iphoneos PackageApplication -s "$provisioning_profile" "$project_dir/Payload/$appname" -o "$project_dir/app-resigned.ipa" --sign "$provisioning_profile" --embed "$mobileprovision"

I've looked in the resulting ipa file and it seems to be very similar to the original app. What files should really change here? I initially thought the the _CodeSignature/CodeResources would change, but the content looks pretty much exactly the same.

Pointers are much appreciated.

Samuelsamuela answered 1/8, 2011 at 8:44 Comment(0)

223

Finally got this working!

Tested with a IPA signed with cert1 for app store submission with no devices added in the provisioning profile. Results in a new IPA signed with a enterprise account and a mobile provisioning profile for in house deployment (the mobile provisioning profile gets embedded to the IPA).

Solution:

Unzip the IPA

unzip Application.ipa

Remove old CodeSignature

rm -r "Payload/Application.app/_CodeSignature" "Payload/Application.app/CodeResources" 2> /dev/null || true

Replace embedded mobile provisioning profile

cp "MyEnterprise.mobileprovision" "Payload/Application.app/embedded.mobileprovision"

Re-sign

/usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"

Re-package

zip -qr "Application.resigned.ipa" Payload

Edit: Removed the Entitlement part (see alleys comment, thanks)

Samuelsamuela answered 3/8, 2011 at 4:36 Comment(28)

I could not get this to work if the original bundle id was different than the new one. I tried the -i on the code-sign but it lead to keychain errors when the app ran. I also tried to modify Info.plist and then sign it with no luck. It almost appears the binary contains the bundle id. – Monostich 24/8, 2011 at 8:6

One thing that caused us issues was the Entitlements file, if you have one, must match the app id provided by Apple. Since we were changing the bundle id, the entitlements did not match. The app would run, but the keychain would clear after each run. – Monostich 24/8, 2011 at 17:39

Can you describe a little bit better the way to get it work changing the bundle id? I'm trying to change the bundle id since for our in-house we need to use a different one. Many thx. – Weakwilled 25/8, 2011 at 14:23

You can modify the Info.plist manually. This would inclue the bundle id. So, modify it before signing. One issue we ran into was that the entitlements.plist file contained $(AppIdentifierPrefix)$(CFBundleIdentifier) which did not resolve to the new app id after we signed. Let me know if that helps. – Monostich 26/8, 2011 at 2:9

According to oleb.net/blog/2011/06/code-signing-changes-in-xcode-4 the app ID is built into the binary, so you can only resign using the same app ID. I know I was not able to resign with a different app ID. – Cosmogony 5/12, 2011 at 21:12

FYI, you can use the Apple's (built-in) /usr/libexec/PlistBuddy command to change values in a plist. – Redouble 23/1, 2012 at 17:33

This made my day. I had to create an Entitlements.plist first. Xcode > New file > Entitlement.plist > Can be debugged = 'NO' – Neb 24/1, 2012 at 10:45

I was able to submit a distribution ipa following the steps above. Just had to remove the Entitlements part, as our application had none. Thanks for the help ! – Aigrette 1/3, 2012 at 20:16

Can i follow the same procedure for the individual developer account. Because now client is looking to submit app on his account can i just reassign the app to his account? – Malo 19/9, 2012 at 11:23

Thanks a lot for this procedure. Just one thing: I had to specify the correct platform for codesign_allocate before running codesign: "$ export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate" otherwise codesign stops with an "codesign_allocate: object: /Users/.../MyApp.app/MyApp malformed object (unknown load command 9)" error – Nadaha 25/9, 2012 at 8:27

Hi @Erik, I created a gem pretty much based on this solution to facilitate the process of .ipa files re-sign... may be you can check it out, cheers github.com/felipesabino/provise – Godfearing 8/12, 2012 at 5:29

The payload contains symbolic links so you need to include the -y flag when you zip it up: zip -yqr resigned.ipa Payload – Hansel 23/1, 2013 at 16:0

I wonder if this way to resign an app works for distribution on the App Store. I tried following along but when uploading the resigned IPA through the Application Loader, the following error is reported: Application failed codesign verification. The signature was invalid, contains disallowed entitlements, or it was not signed with an iPhone Distribution Certificate. Of course there are no entitlements and the certificate is a distribution one. – Kalpak 8/2, 2013 at 17:34

@ValerioSantinelli You'll need to carry over entitlements from the previous code signing. FWIW push notifications will not work without entitlements. After unzipping: /usr/bin/codesign -d --entitlements :entitlements.plist /Payload/appname.app Then during the resigning add --entitlements entitlements.plist – Intimacy 24/5, 2013 at 3:43

If you're resigning in order to submit to the App Store you'll need to create and include an Entitlements file. Just a heads up. This answer solved a lot of problems for us and will enable us to submit on schedule. Thanks! – Hygroscope 6/9, 2013 at 19:41

Felipe Sabino, great tool, just tried it for the first time. And thanks for the recognition. – Samuelsamuela 31/1, 2014 at 4:29

ive got the following error on this line " No such file or directory " : cp "MyEnterprise.mobileprovision" "Payload/Application.app/embedded.mobileprovision" – Cowhide 9/6, 2014 at 6:39

So what exactly is happening during the resigning step? – Stevestevedore 3/10, 2014 at 17:55

codesign fails on Yosemite -- Warning: --resource-rules has been deprecated in Mac OS X >= 10.10! Payload/Aaa.app/ResourceRules.plist: cannot read resources – Ammeter 28/10, 2014 at 22:25

Using this I get "no valid 'aps-environment' entitlement string found for application" when I try to register for receiving push notifications. I tried the @Intimacy tips but the app didnt install. Any idea? – Inelegancy 10/11, 2014 at 14:34

Thank you for posting this. This worked for me. I'd like to add a note about an extra step I needed. Within "Payload/Application.app/" there was a directory named "CACertChains" that contained a file named "cacert.pem". I had to remove the directory and the .pem to complete these steps. Thanks again! – Mcginty 26/11, 2014 at 18:18

I'd recommend adding --symlinks to the zip command, to fix the "...CodeResources file must be a symbolic link..." issue. See https://mcmap.net/q/159763/-use-something-other-than-os-x-finder-to-zip-iphone-app-for-submission for details. – Thumbscrew 19/1, 2015 at 14:46

Thanks, this works! And Entitlements should be included since iOS 8.1.3., so add --entitlements entitlements.plist back to resign command. I created entitlements.plist using Apple's How do I check the entitlements associated to my Provisioning Profile? – Illeetvilaine 10/7, 2015 at 15:13

It seems that it's important to add the --entitlements entitlements.plist part in the correct place, for me it was not working (No such file or directory), when placed in the end of the command.. Putting it before the -s ... switch, did the trick. – Preciado 26/8, 2015 at 9:44

Make also sure, you profile is not expired. Took me quite a while to figure that out.. -.- – Preciado 8/9, 2015 at 14:4

Warning: --resource-rules has been deprecated in Mac OS X >= 10.10! Payload/Application.app/ResourceRules.plist: cannot read resources. Getting this error? – Bookman 22/9, 2015 at 8:33

Is there anyone who try that on ios 9 ? I can install on ios 8 but on ios 9, i get this error. "The application could not be verified." – Fertilization 25/9, 2015 at 9:5

Per @KhantThuLinn's comment, I also get "application could not be verified". Is there a way around this? – Remunerative 15/11, 2017 at 21:5

The answers to this question are a little out of date and missing potentially key steps, so this is an updated guide for installing an app from an external developer.

----- How to Resign an iOS App -----

Let's say you receive an app (e.g. MyApp.ipa) from another developer, and you want to be able to install and run it on your devices (by using ideviceinstaller, for example).

Prepare New Signing Assets

The first step is to attain a Provisioning Profile which includes all of the devices you wish to install and run on. Ensure that the profile contains a certificate that you have installed in your Keychain Access (e.g. iPhone Developer: Some Body (XXXXXXXXXX) ). Download the profile (MyProfile.mobileprovision) so you can replace the profile embedded in the app.

Next, we are going to prepare an entitlements file to include in the signing. Open up your terminal and run the following.

$ security cms -D -i path/to/MyProfile.mobileprovision > provision.plist

This will create an xml file describing your Provisioning Profile. Next, we want to extract the entitlements into a file.

$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist

Replace The Provisioning Profile and Resign App

If you are working with a .ipa file, first, unzip the app (if you have a .app instead, you can skip this step).

$ unzip MyApp.ipa

Your working directory will now contain Payload/ and Payload/MyApp.app/. Next, remove the old code signature files.

$ rm -rf Payload/MyApp.app/_CodeSignature

Replace the existing provisioning profile (i.e. embedded.mobileprovision) with your own.

$ cp path/to/MyProfile.mobileprovision Payload/MyApp.app/embedded.mobileprovision

IMPORTANT: You must also resign all frameworks included in the app. You will find these in Payload/MyApp.app/Frameworks. If the app is written in Swift or if it includes any additional frameworks these must be resigned or the app will install but not run.

$ /usr/bin/codesign -f -s "iPhone Developer: Some Body (XXXXXXXXXX)" --entitlements entitlements.plist Payload/MyApp.app/Frameworks/*

Now sign the app with the certificate included in your provisioning profile and the entitlements.plist that you created earlier.

$ /usr/bin/codesign -f -s "iPhone Developer: Some Body (XXXXXXXXXX)" --entitlements entitlements.plist Payload/MyApp.app

You can now rezip the app.

$ zip -qr MyApp-resigned.ipa Payload

Done

You may now remove the Payload directory since you have your original app (MyApp.ipa) and your resigned version (MyApp-resigned.ipa). You can now install MyApp-resigned.ipa on any device included in your provisioning profile.

Planometer answered 11/5, 2016 at 20:37 Comment(10)

Will this same approach apply to distribution profiles? IE: can I extract the entitlements and re-sign from my distro.mobileprovision? – Postulant 23/6, 2016 at 18:13

@grez Will this work for distribution of IPAs as well ? – Darken 21/7, 2016 at 6:45

I mean distribution of 'enterprise' app IPAs as well @grez – Darken 21/7, 2016 at 6:53

@Darken This did not work for me for Enterprise IPA Distribution. I'm using Sierra, Xcode 8, iOS 10. The app installs via iTunes but then gets deleted immediately after installation. – Thibault 7/12, 2016 at 23:22

@PhoenixFF I am not sure about installing with iTunes, but can you try to install from the command line like this: $ ideviceinstaller -i myapp.ipa – Planometer 8/12, 2016 at 0:32

As of now, March 9th 2017, iOS 10.2 and Xcode 8, this is the only working solution I've found. Thank you so much! – Ruscio 9/3, 2017 at 13:19

this answer helps me a lot！I forget to resign the frameworks and the app crashed during launching. – Niemeyer 24/4, 2017 at 6:20

I am unable to resign the frameworks as I do not have Frameworks folder in Payload/MyApp.app. Can anyone help me out with this. Thanks in advance. – Disputant 30/6, 2017 at 6:41

@i4322946 If you do not have Frameworks folder, ignore that step. FYI, I just used the instruction provided by grez to re-sign an enterprise ios app via commandline and deployed it successfully. – Markel 10/7, 2017 at 18:7

Has anything changed in 2023? I am trying the exact same steps but after the installation, iphone says "This app cannot be installed because its integrity could not be verified". Am I doing anything wrong? @Planometer any input would be great please. – Manicotti 8/3, 2023 at 12:22

I think the easiest is to use Fastlane:

sudo gem install fastlane -NV
hash -r # for bash
rehash # for zsh
fastlane sigh resign ./path/app.ipa --signing_identity "Apple Distribution: Company Name" -p "my.mobileprovision"

Scrawl answered 3/6, 2019 at 11:56 Comment(1)

I tried many ways but no luck. This solution worked for me thanks. – Corselet 8/2, 2020 at 8:28

I successfully followed this answer, but since entitlements have changed, I simply removed the --entitlements "Payload/Application.app/Entitlements.plist" part of the second to last statement, and it worked like a charm.

Marilumarilyn answered 2/4, 2012 at 14:26 Comment(2)

I'll 2nd the previous comment. Remove the entitlements to make this work with the modern toolkit. – Eventually 5/6, 2012 at 17:34

Without entitlements my app actually started working weird, giving this in log: SecItemCopyMatching: missing entitlement. I don't have separate Entitlements.plist file, so to preserve entitlements I used @LordT's comment: first create an entitlements file:

echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>/usr/bin/codesign -d --entitlements - temp/Payload/$APP_NAME | sed -E -e '1d'" > temp/newEntitlements

, then use it when signing: --entitlements temp/newEntitlements. – Ralston 30/4, 2013 at 11:17

In 2020, I did it with Fastlane -

Here is the command I used

$ fastlane run resign ipa:"/Users/my_user/path/to/app.ipa" signing_identity:"iPhone Distribution: MY Company (XXXXXXXX)" provisioning_profile:"/Users/my_user/path/to/profile.mobileprovision" bundle_id:com.company.new.bundle.name

Full docs here - https://docs.fastlane.tools/actions/resign/

Swick answered 25/9, 2020 at 16:35 Comment(0)

Checked with Mac OS High Sierra and Xcode 10

You can simply implement the same using the application iResign.

Give path of 1).ipa

2) New provision profile

3) Entitlement file (Optional, add only if you have entitlement)

4) Bundle id

5) Distribution Certificate

You can see output .ipa file saved after re-sign

Simple and powerful tool

Cacodyl answered 17/7, 2018 at 10:32 Comment(0)

None of these resigning approaches were working for me, so I had to work out something else.

In my case, I had an IPA with an expired certificate. I could have rebuilt the app, but because we wanted to ensure we were distributing exactly the same version (just with a new certificate), we did not want to rebuild it.

Instead of the ways of resigning mentioned in the other answers, I turned to Xcode’s method of creating an IPA, which starts with an .xcarchive from a build.

I duplicated an existing .xcarchive and started replacing the contents. (I ignored the .dSYM file.)
I extracted the old app from the old IPA file (via unzipping; the app is the only thing in the Payload folder)
I moved this app into the new .xcarchive, under Products/Applications replacing the app that was there.
I edited Info.plist, editing
- ApplicationProperties/ApplicationPath
- ApplicationProperties/CFBundleIdentifier
- ApplicationProperties/CFBundleShortVersionString
- ApplicationProperties/CFBundleVersion
- Name
I moved the .xcarchive into Xcode’s archive folder, usually /Users/xxxx/Library/Developer/Xcode/Archives.
In Xcode, I opened the Organiser window, picked this new archive and did a regular (in this case Enterprise) export.

The result was a good IPA that works.

Hendiadys answered 5/10, 2017 at 3:0 Comment(1)

This is a genius solution that still works as of Xcode 9.2. In my case I just copied over the old .app file under the existing .xcarchive. I didn't change Info.plist and so the app version remained as the old version but was signed with the new enterprise certificate. – Silas 12/3, 2018 at 7:1

With Fastlane sigh's resign option you can do this very easily.

sigh resign -p <path-to-profile-with-mobileprovision-ext> -i <code-sighning-identity-of-your-app>

You can download the profile using sigh also, just before the command.

Handclasp answered 14/9, 2017 at 7:25 Comment(0)

I tried all the Solution but finally I am able to create resign ipa with these commands

Resign Certificates

*is the ipa name and also app name $PROVISION is the path of the provision profile $CERTIFICATE is the name of the certificate in key chain full name (Common name when double click on the certificate)

Go the Directory where want to create the new ipa with resign certificates . Pase all the files there ipa, certificate and mobileprovision and also install the certificate

security cms -D -i path/to/MyProfile.mobileprovision > provision.plist (Call this command and replace mobile provision with path of the file)

/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist (Hit this command)

unzip -q *.ipa

rm -rf Payload/*.app/_CodeSignature/

/usr/libexec/PlistBuddy Payload/*.app/Info.plist (After this command we have to add new bundle ID if we don’t need to change bundle id Then we can ignore these 3 steps)

7.  Set :CFBundleIdentifier “com.mycompany.newbundleidentifier” (This should be new bundle ID)
8.  save
9.  quit

cp $PROVISION Payload/*.app/embedded.mobileprovision

codesign -d --entitlements :entitlements.plist Payload/*.app/ (Try to ignore this command if app doesn’t work then next time use this command)

codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/.app/Frameworks/

codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/

zip -qr resigned.ipa Payload

https://stackoverflow.com/a/37172815 https://stackoverflow.com/a/50392448 https://coderwall.com/p/qwqpnw/resign-ipa-with-new-cfbundleidentifier-and-certificate

Osteogenesis answered 31/8, 2020 at 17:11 Comment(1)

This solution worked for me. @Planometer answer also works but we have sign frameworks first then app other wise it will not install in device – Pressure 2/6, 2021 at 14:35

If your APP is built using Flutter tools, please examine the codesign info for all pod extensions:

codesign -d --verbose=4 Runner.app/Frameworks/xxx.framework |& grep 'Authority='

The result should be the name of your team.

Run the shell script below to codesign all extensions:

IDENTITY=<prefix of Team ID number>
ENTITLEMENTS=<entitlements.plist>
find Payload/Runner.app -type d -name '*framework' | xargs -I '{}' codesign -s $IDENTITY -f --entitlements $ENTITLEMENTS {}

And finally don't forget to codesign the Runner.app itself

Klump answered 24/2, 2021 at 14:5 Comment(0)

You can use XReSign app (a simple GUI tool) for re-signing your ipa, i used it for re-signing my enterprise distribution app and it worked fine

https://github.com/xndrs/XReSign

All you need is

ipa to resign
mobileprovision
entitlements (to generate entitlements please check the below steps)
enterprise distribution certificate

To generate entitlements:

Open up terminal

$ security cms -D -i "your_path/Enterprise_Distribution.mobileprovision" > provision.plist

then

$ /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist

Thanks

Betsey answered 24/3, 2021 at 7:53 Comment(0)

-1

If you have an app with extensions and/or a watch app and you have multiple provisioning profiles for each extension/watch app then you should use this script to re-sign the ipa file.

Re-signing script at Github

Here is an example of how to use this script:

./resign.sh YourApp.ipa "iPhone Distribution: YourCompanyOrDeveloperName" -p <path_to_provisioning_profile_for_app>.mobileprovision -p <path_to_provisioning_profile_for_watchkitextension>.mobileprovision -p <path_to_provisioning_profile_for_watchkitapp>.mobileprovision -p <path_to_provisioning_profile_for_todayextension>.mobileprovision  resignedYourApp.ipa

You can include other extension provisioning profiles too by adding it with yet another -p option.

For me - all the provisioning profiles were signed by the same certificate/signing identity.

Poetry answered 16/2, 2016 at 23:50 Comment(5)

Your link is broken... found this alternative by looking at the github of the author. github.com/fastlane/fastlane/blob/… – Underact 18/1, 2017 at 20:44

this is an old answer and probably should be deleted since it no longer works but there is no way to delete it in StackOverflow – Poetry 23/1, 2017 at 21:0

This worked for us, just need to update the link to this: github.com/fastlane/fastlane/blob/… – Underact 24/1, 2017 at 22:1

ok good to know that it still works. Cant edit the original answer anymore so people will have to read the comments :) – Poetry 25/1, 2017 at 19:4

Use

fastlane sigh resign YourApp.ipa --signing_identity "iPhone Distribution: YourCompanyOrDeveloperName" -p <path_to_provisioning_profile_for_app>.mobileprovision -p <path_to_provisioning_profile_for_watchkitextension>.mobileprovision

instead. – Ph 3/2, 2017 at 23:32

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Checked with Mac OS High Sierra and Xcode 10

Recommended topics

Hot tags