Even without access to the source code, apps can be re-signed with an updated provisioning profile. The attached script (resign_appidv3.sh_.zip) can be used to re-sign the app on OSX 10.9.4+ with Xcode 6+. Ensure the .ipa file and provisioning profile are located in the same
1. Run the resign script by using the command listed below with the following syntax:
./resign_appidv3.sh --ipa yourIPA.ipa --profile yourProvisingProfile --identity "iPhone Distribution: Developer Name (xxxxxxxxxx)" --out yourNewResignedIPA.ipa
2. Once the new .ipa file has been created, upload it to Mobility Suite. The associated users will receive a push notification indicating an updated version of the app is available for download and installation.
The script's permissions may need to be modified before it can be run after it has been uncompressed. To uncompress the script, make it executable, and run it, enter the following commands in Terminal from the directory where the script is located:
```
yum -y install unzip
unzip resign_appidv3.sh_.zip -d ~
cd ~
chmod +x resign_appidv3.sh
./resign_appidv3.sh
```
For reference, the contents of the attached 'resign_appidv3.sh' script have been included below:
```
#!/bin/bash
# bash is required: the argument loop below uses a C-style for (( )) loop

log_info=0    # set to 1 for verbose output

log_info() {
    if [ $log_info -gt 0 ]
    then
        echo "$*"
    fi
}

log_err() {
    echo "$*"
}

# print usage and remove temporary files
usage () {
    log_err "resign.sh --ipa path [--entitlements path] [--profile path] [--identity \"iPhone Distribution: Symantec Corporation\"] [--out path]"
    rm -rf Payload
    rm -rf ProvisionProfile.plist
    rm -rf Entitlements.plist
}

# parse command-line arguments
numargs=$#
for ((i=1 ; i <= numargs ; i++))
do
    if [ "$1" == "--ipa" ]; then
        ipa="$2"
        shift;
    fi
    if [ "$1" == "--entitlements" ]; then
        entitlements="$2"
        shift;
    fi
    if [ "$1" == "--profile" ]; then
        profile="$2"
        shift;
    fi
    if [ "$1" == "--identity" ]; then
        identity="$2"
        shift;
    fi
    if [ "$1" == "--out" ]; then
        output="$2"
        shift;
    fi
    shift
done

# check if ipa file exists
if [ -z "$ipa" ] || [ ! -e "$ipa" ]
then
    if [ -z "$ipa" ]
    then
        log_err "does not specify ipa file"
    else
        log_err "ipa file ($ipa) does not exist"
    fi
    usage
    exit -1
fi

log_info "input parameters:"
log_info "ipa: \"$ipa\""
log_info "entitlements: \"$entitlements\""
log_info "profile: \"$profile\""
log_info "identity: \"$identity\"\n"

# unzip ipa package
rm -rf Payload
unzip -qq "$ipa"
if [ $? != 0 ]
then
    log_err "fail to unzip ipa file \"$ipa\""
    usage
    exit -2
fi

# use same appid
/usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" Payload/*/Info.plist > AppID

# detect if provision profile exists in ipa package
dstprofile=`find Payload -d 2 -name embedded.mobileprovision`
if [ -z "$dstprofile" ]
then
    log_err "provision profile does not exist in ipa package"
    exit -3
fi
log_info "provision profile path in package: \"$dstprofile\""

# in case user specifies new provision profile
if [ -z "$profile" ] || [ ! -e "$profile" ]
then
    profile="$dstprofile"
    log_info "use existing embedded.mobileprovision"
else
    cp -f "$profile" "$dstprofile"
    log_info "copy \"$profile\" to \"$dstprofile\""
fi
log_info "profile: \"$profile\""

# parse provision profile
rm -rf ProvisionProfile.plist
security cms -D -i "$profile" > ProvisionProfile.plist 2>&1
if [ ! -e ProvisionProfile.plist ]
then
    log_err "fail to parse provision profile"
    exit -4
fi
filecontent=`cat ProvisionProfile.plist`
log_info "\nprovision profile content: $filecontent\n"

# remove security warning in sierra
if grep -q "security: SecPolicySetValue" "ProvisionProfile.plist"; then
    tail -n +2 "ProvisionProfile.plist" > "ProvisionProfile.tmp" && mv "ProvisionProfile.tmp" "ProvisionProfile.plist"
fi

# generate Entitlements.plist
if [ -z "$entitlements" ] || [ ! -e "$entitlements" ]
then
    rm -f Entitlements.plist
    /usr/libexec/PlistBuddy -x -c "Print Entitlements" ProvisionProfile.plist > Entitlements.plist 2>&1
    entitlements="Entitlements.plist"
fi
if [ ! -e "$entitlements" ]
then
    log_err "No entitlement file"
    usage
    exit -5
fi
filecontent=`cat "$entitlements"`
log_info "\nentitlement content: $filecontent\n"

# get app id
appid=`cat AppID`
log_info "application-identifier: $appid"

# modify app id
appinfoplist=`find Payload -d 2 -name Info.plist`
if [ -z "$appinfoplist" ]
then
    log_err "Info.plist file does not exist"
    exit -11
fi
/usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" "$appinfoplist" > /dev/null 2>&1
if [ $? != 0 ]
then
    log_err "CFBundleIdentifier not exist in Info.plist"
    exit -12
fi
/usr/libexec/PlistBuddy -c "Set CFBundleIdentifier $appid" "$appinfoplist" > /dev/null 2>&1

# check identity; default to the TeamName from the provision profile
if [ -z "$identity" ]
then
    /usr/libexec/PlistBuddy -c "Print TeamName" ProvisionProfile.plist >/dev/null 2>&1
    if [ $? != 0 ]
    then
        log_err "No TeamName in provision profile"
        exit -13
    fi
    teamname=`/usr/libexec/PlistBuddy -c "Print TeamName" ProvisionProfile.plist`
    identity="iPhone Distribution: $teamname"
fi
if [ -z "$identity" ]
then
    log_err "Does not specify provision profile"
    usage
    exit -14
fi
log_info "identity: \"$identity\""

# get ResourceRules.plist
ResourceRuleFile=`find Payload -d 2 -name ResourceRules.plist`
if [ ! -e "$ResourceRuleFile" ]
then
    log_err "No ResourceRules.plist file. IGNORING!!!"
else
    log_info "ResourceRules.plist path: \"$ResourceRuleFile\""
fi

# codesign the app
if [ ! -e "$ResourceRuleFile" ]
then
    codesign --force --sign "$identity" --entitlements "$entitlements" Payload/*.app --identifier "$appid"
else
    codesign --force --sign "$identity" --resource-rules="$ResourceRuleFile" --entitlements "$entitlements" Payload/*.app --identifier "$appid"
fi
if [ $? != 0 ]
then
    log_err "fail to codesign the app"
    exit -16
fi

# zip the package
if [ -z "$output" ]
then
    output="resigned.ipa"
fi
rm -f "$output"
zip -qyr "$output" Payload
if [ $? != 0 ]
then
    log_err "fail to zip the app"
    exit -17
fi

# clean up
rm -rf AppID
rm -rf Payload
rm -rf ProvisionProfile.plist
rm -rf Entitlements.plist

echo "resign success"
```
Hi there, I would like to say thank you for this script. I had an issue with it: codesign wasn't working until I added "--no-strict".
So in my case the final variant is:
codesign --force --sign "$identity" --entitlements "$entitlements" --identifier "$appid" --no-strict
Thank you for this helpful script and OSX Sierra/Xcode 8 - issue update.
I have resolved the OSX Sierra/Xcode 8 security change issues within the script. The new version of it has been included in the article. It will also be backwards compatible with previous versions of OSX and Xcode.
The lines changed in the script were as follows:
```
# remove security warning in sierra
if grep -q "security: SecPolicySetValue" "ProvisionProfile.plist"; then
    tail -n +2 "ProvisionProfile.plist" > "ProvisionProfile.tmp" && mv "ProvisionProfile.tmp" "ProvisionProfile.plist"
fi
```
The following entry is added to the first line of the ProvisionProfile.plist file:
security: SecPolicySetValue: One or more parameters passed to a function were not valid.
Considering the above statement is not XML formatted and starts before the XML tags in the .plist file, it causes the Entitlements.plist file to not generate properly. It also results in the PlistBuddy command being unable to print the TeamName. The modifications to this script remove the added security line at the beginning of the file if it exists before the Entitlements.plist file is created, thus resolving the signing issue.
Please let me know if this resolved your issue on your end as well.
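The script writes the decoded profile with `> ProvisionProfile.plist 2>&1`, so anything `security` prints on stderr ends up in the file ahead of the XML. The following is an added example, not part of resign_appidv3.sh: it generalizes the one-line `tail` fix by dropping everything before the XML declaration and failing if no declaration is found. The function names and the sample plist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not part of resign_appidv3.sh. Function names are hypothetical.

# Print the plist from its XML declaration onward, dropping anything captured
# ahead of it (for example the Sierra "security: SecPolicySetValue" line).
# Exits non-zero when the file contains no XML declaration at all.
strip_plist_preamble() {
    awk '
        !found && index($0, "<?xml") {
            $0 = substr($0, index($0, "<?xml"))
            found = 1
        }
        found { print }
        END { exit !found }
    ' "$1"
}

# Constructed sample of ProvisionProfile.plist after "> file 2>&1" merged the
# warning into it. "Example Team" is a made-up value.
make_sample_plist() {
    cat > "$1" <<'EOF'
security: SecPolicySetValue: One or more parameters passed to a function were not valid.
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>TeamName</key>
	<string>Example Team</string>
</dict>
</plist>
EOF
}

# Clean a decoded profile in place; leave it untouched and fail if it is not a plist.
clean_profile_plist() {
    if strip_plist_preamble "$1" > "$1.tmp"; then
        mv "$1.tmp" "$1"
    else
        rm -f "$1.tmp"
        return 1
    fi
}

# Demo on the constructed sample: prints the XML declaration as the first line.
demo_dir=$(mktemp -d)
make_sample_plist "$demo_dir/ProvisionProfile.plist"
clean_profile_plist "$demo_dir/ProvisionProfile.plist" && head -n 1 "$demo_dir/ProvisionProfile.plist"
rm -rf "$demo_dir"
```

Redirecting stderr to a separate file instead of `2>&1` keeps diagnostics out of the plist in the first place and preserves them for troubleshooting.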
After further testing it looks like this is an error with OSX Sierra's security policy. I am still implementing a permanent fix for this. The previous version of OSX and Xcode will be able to run this script because the security policy was not over-restrictive and the keychain file management was more simplified.
Thank you for bringing this to my attention. It does look like the latest version of Xcode has changed the way the PlistBuddy -c "Print TeamName" works on the provisioning profile's .plist file.
I am testing this out in my environment now and see that Xcode 6.2's version of PlistBuddy still prints the TeamName key's string.
I will respond to this thread and update the script accordingly once I have a fix available.
I get error No TeamName in provisioning profile but I open the provisioning profile and there is a team name listed.