How to re-sign the ipa file?


Solution 1

It's really easy to do from the command line. I had a gist of a script for doing this. It has now been incorporated into the ipa_sign script in https://github.com/RichardBronosky/ota-tools which I use daily. If you have any questions about using these tools, don't hesitate to ask.

The heart of it is this:

CODESIGN_ALLOCATE=`xcrun --find codesign_allocate`; export CODESIGN_ALLOCATE
IPA="/path/to/file.ipa"
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in keychain
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# sign with the new certificate (--resource-rules has been deprecated in OS X Yosemite (10.10); it can safely be removed)
/usr/bin/codesign -f -s "$CERTIFICATE" Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload

Your new signed app is called resigned.ipa

Solution 2

Check iResign for an easy tool on how to do this!

[edit] After some fiddling around, I found a solution to keychain-aware resigning. You can check it out at https://gist.github.com/Weptun/5406993

Solution 3

Kind of old question, but with the latest Xcode, codesign is easy:

$ codesign -s my_certificate example.ipa 

$ codesign -vv example.ipa
example.ipa: valid on disk
example.ipa: satisfies its Designated Requirement

Solution 4

The answers posted here all didn't quite work for me. They mainly skipped signing embedded frameworks (or including the entitlements).

Here's what's worked for me (it assumes that one ipa file exists in the current directory):

PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in the keychain

unzip -q *.ipa
rm -rf Payload/*.app/_CodeSignature/

# Replace embedded provisioning profile
cp "$PROVISION" Payload/*.app/embedded.mobileprovision

# Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/

# Re-sign embedded frameworks
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Frameworks/*

# Re-sign the app (with entitlements)
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/

zip -qr resigned.ipa Payload

# Cleanup
rm entitlements.plist
rm -r Payload/
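
As an added example (not part of any answer here, and not code from ota-tools or fastlane): Solution 4 and the later comments about extensions both come down to signing every nested bundle before the bundle that contains it. This script computes that inside-out order and prints the codesign calls as a dry run; the `signing_order` and `resign_all` names, the per-bundle `<bundle name>.plist` entitlements layout, and signing frameworks without entitlements are assumptions.

```sh
#!/bin/sh
# Added example (not from the answers): plan an inside-out re-sign.
# Dry run by default; on macOS set CODESIGN=/usr/bin/codesign to sign for real.
CODESIGN="${CODESIGN:-echo codesign}"

# Nested code deepest-first (find -depth is post-order); the .app comes last.
signing_order() {
  find "$1" -depth \( -name '*.dylib' -o -name '*.framework' \
       -o -name '*.appex' -o -name '*.app' \)
}

# Usage: resign_all <app> <certificate> <entitlements dir>  (names hypothetical)
# .app/.appex use <entitlements dir>/<bundle name>.plist when that file exists.
# Assumption: frameworks and dylibs are signed without entitlements.
resign_all() (
  signing_order "$1" | while IFS= read -r item; do
    ent="$3/$(basename "$item").plist"
    case "$item" in
      *.app|*.appex)
        if [ -f "$ent" ]; then
          $CODESIGN -f -s "$2" --entitlements "$ent" "$item"
        else
          echo "warning: no entitlements file for $item" >&2
          $CODESIGN -f -s "$2" "$item"
        fi ;;
      *) $CODESIGN -f -s "$2" "$item" ;;
    esac
  done
)

# Constructed sample tree (empty placeholders, not a real app).
demo_tree() (
  root="$(mktemp -d)"
  app="$root/Payload/Demo.app"
  mkdir -p "$app/Frameworks/Core.framework" "$root/ent" \
           "$app/PlugIns/Share.appex/Frameworks/Inner.framework"
  : > "$app/Frameworks/libswiftCore.dylib"
  : > "$root/ent/Demo.app.plist"
  : > "$root/ent/Share.appex.plist"
  echo "$root"
)

root="$(demo_tree)"
resign_all "$root/Payload/Demo.app" "Constructed Identity" "$root/ent"
rm -rf "$root"
```

The dry run prints one codesign line per nested item, so a bundle that would be signed without its own entitlements shows up as a warning before anything is modified.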

Solution 5

Fastlane's sigh provides a fairly robust solution for resigning IPAs.

From their README:

Resign

If you generated your ipa file but want to apply a different code signing onto the ipa file, you can use sigh resign:

fastlane sigh resign

sigh will find the ipa file and the provisioning profile for you if they are located in the current folder.

You can pass more information using the command line:

fastlane sigh resign ./path/app.ipa --signing_identity "iPhone Distribution: Felix Krause" -p "my.mobileprovision"

It will even handle provisioning profiles for nested applications (eg. if you have watchkit apps)

Author by

Johnny

Updated on July 08, 2022

Comments

  • Johnny
    Johnny almost 2 years

    How do I sign the .ipa file with a provisioning profile after I generate an IPA like the following with a different provision profile? I would like to sign the IPA with an ad-hoc provisioning profile for beta testing, and then re-sign the exact IPA with an app submission provisioning profile for the app store.

    /usr/bin/xcrun -sdk iphoneos PackageApplication -v "${RELEASE_BUILDDIR}/${APPLICATION_NAME}.app" -o "${BUILD_HISTORY_DIR}/${APPLICATION_NAME}.ipa" --sign "${DEVELOPER_NAME}" --embed "${PROVISONING_PROFILE}"
    
  • Bruno Bronosky
    Bruno Bronosky over 11 years
    7 up votes and not a single question. I guess my bash is just that clear.
  • Rahmathullah M
    Rahmathullah M about 11 years
    I'm getting an error message saying "security: unable to open "/var/folders/74/kpcwmb6j1pn92kr8mtvm2mwh0000gn/T/./resign.I9DrKi7B/Payload/AtlantaJournal.app/embedded.mobileprovision" for reading: No such file or directory".
  • Bruno Bronosky
    Bruno Bronosky about 11 years
    @RahmathullahMPulikkal I see I had errantly hardcoded a path in the gist. You really should be using github.com/RichardBronosky/ota-tools/blob/master/ipa_sign instead of the gist. It's the maintained code.
  • Nishanth Nair
    Nishanth Nair about 11 years
    Is there any tool which can change the Display name along with Bundle id while resigning? This will help to have different display names for different environments, like App-Dev, App-QA, App-Stage etc.
  • Blitz
    Blitz about 11 years
    Yes, the floatsign.sh does exactly that.
  • Alberto M
    Alberto M almost 11 years
    I got this error security: unable to open "/tmp/resign.MyApp.WObe2/my.mobileprovision" for reading: No such file or directory easily fixed by moving the cp up in the code. Thank you!
  • iMx
    iMx over 10 years
    @AlbertoM by moving what? I don't understand what it means.
  • Bruno Bronosky
    Bruno Bronosky over 10 years
    @iMx, I just pushed an update that ought to fix this for you.
  • iMx
    iMx over 10 years
    @RichardBronosky thanks, but I still get this error. But it works in terminal, if I enter the commands manually.
  • Bruno Bronosky
    Bruno Bronosky over 10 years
    @iMx can you please send me a transcript of what does and doesn't work. Please include a git log -1 | cat; git status from within the ota-tools directory.
  • yeesterbunny
    yeesterbunny over 10 years
    this saved me! Thanks!
  • Bruno Bronosky
    Bruno Bronosky over 10 years
    Thank you for commenting, @yeesterbunny. It encourages me to spend more time on stackoverflow... which is especially important when people choose not to accept the highest rated answers as "The correct answer."
  • Mutawe
    Mutawe almost 10 years
    After I run the script on the terminal, nothing happened, please advise
  • ıɾuǝʞ
    ıɾuǝʞ over 9 years
    You may get a warning / error on the --resource-rules parameter, which has been deprecated in OS X Yosemite (10.10); simply deleting this parameter solves this issue.
  • simmons
    simmons over 9 years
    RichardBronosky many many thanks for this - spent hours trying different solutions before finding yours. Just to help future people - I needed the excellent pointer from @kenji which I almost didn't see as it was at the very end of the comments. I suggest adding this pointer into your answer or your script.
  • dadude999
    dadude999 over 9 years
    One little note: it looks like CodeResources is now located inside of the _CodeSignature folder, so you just need to remove that folder.
  • ıɾuǝʞ
    ıɾuǝʞ over 9 years
    @simmons comment added to the script
  • BryanH
    BryanH almost 9 years
    @Pavel This question was answered back when iOS 6.x was the latest version. Since then, we've had two major releases, which obviously changed many things. You might wish to limit your searches to answers that target current technology.
  • Franziskus Karsunke
    Franziskus Karsunke over 8 years
    It worked for me. You have to replace "my_certificate" with the name of the key in your key chain.
  • Mariano Paniga
    Mariano Paniga over 8 years
    codesign command is also used in @BrunoBronosky response. I'm not able to use it directly on "*.ipa" file, and the "-vv" options always returns code object is not signed at all on files that I know they are signed...
  • KarenAnne
    KarenAnne about 8 years
    After doing this, Application Loader still can't accept because the version is the same as the previous one
  • Bruno Bronosky
    Bruno Bronosky about 8 years
    @KarenAnne, changing the version number would be a different task than what was asked for by the OP. I would suggest looking for an answer to your task and asking a new question if you can't find it.
  • KarenAnne
    KarenAnne about 8 years
    @BrunoBronosky I see. Because we cannot just re-submit new app to TestFlight by changing provisioning profile. It is not accepted by application if it has the same build and version number as the previous one. Thanks.
  • Bruno Bronosky
    Bruno Bronosky about 8 years
    @KarenAnne I think this may be what you need. stackoverflow.com/questions/16975049/… I haven't tried it yet but I'm going to work on it today. We can both report back and I'll add it to my answer if it works. Thanks for the idea. I'm always looking to improve my answers.
  • Bruno Bronosky
    Bruno Bronosky about 8 years
    BTW, I was able to use the info in that answer to change the CFBundleVersion and CFBundleShortVersionString of an IPA for which I did NOT have the source code and submit it to TestFlight. My team was able to install and test the app. We shipped it to Apple and it is now in the store. I've modified ipa_sign to incorporate this feature and after more personal testing I'll release an update.
  • Rich
    Rich almost 8 years
    While this bash script works perfectly, if your app has entitlements it will not. You just need to add security cms -D -i "$PROVISION" > provision.plist /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist before copying the provisioning profile and then do /usr/bin/codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app instead of the current code signing. I only realised that the gist is the up to date version (handling entitlements) after reading the comments!
  • evilmandarine
    evilmandarine over 7 years
    Hello, sorry I am totally new to bash and code signing :/ here is the error I get when executing the bash from a terminal window: Using temp dir: /tmp/resign. ... App has BundleDisplayName '...' and BundleShortVersionString '...' App has BundleIdentifier '...' and BundleVersion ... security: SecPolicySetValue: One or more parameters passed to a function were not valid. App has provision '...', which supports '...' security: unable to open "/tmp/resign..../....mobileprovision" for reading: No such file or directory ----> any thing I am doing wrong?
  • Diana Farin
    Diana Farin about 7 years
    /usr/bin/codesign -f -s "$CERTIFICATE" is not working anymore. It needs to be /usr/bin/codesign --force -s "$CERTIFICATE" -v Payload/*.app
  • Gene
    Gene over 6 years
    What worked for me today: Execute security find-identity -v to determine the ID of your signing identity. Invoke /usr/bin/codesign --force -s YOUR_IDENTITY -v Payload/*.app to actually sign the app.
  • Amr Angry
    Amr Angry over 6 years
    I get the following error: entitlements.plist: unrecognized blob type (accepting blindly) entitlements.plist: invalid length in entitlement blob
  • Pierre Priot
    Pierre Priot over 6 years
    Can you share your entitlement file contents?
  • Luis E. Prado
    Luis E. Prado over 6 years
    Worked like a charm!
  • Arjun Kalidas
    Arjun Kalidas about 6 years
    Works. Simple and beautiful.
  • Serzas
    Serzas about 5 years
    Useful comment from the post above (Rich): stackoverflow.com/questions/5160863/…
  • MuthuKumar Haridoss
    MuthuKumar Haridoss over 4 years
    You may need to add a step for extracting the current entitlements and use it as part of codesign
  • RushDroid
    RushDroid almost 4 years
    It shows me unable to install the app after performing the steps. @BrunoBronosky any idea about this?
  • Pat
    Pat over 3 years
    This is a great next step, but it is missing signing of extensions. I added one more line, before the app signing: codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Plugins/*
  • Sanket_B
    Sanket_B over 3 years
    I'm facing the same issue as @RushDroid. Did you find any solution?
  • Satheesh
    Satheesh about 3 years
    zip -qr is what I was missing. I was using the compress option in Finder and was not working.
  • Eugene Biryukov
    Eugene Biryukov over 2 years
    @Pat, what if appexes have different provisions?
  • Pat
    Pat over 2 years
    I suppose you'd have to have a mapping or association of entitlements for each extension. Perhaps a folder that has the extension name and an entitlement for it, stored externally so you can do a for loop over the extensions and reference the appropriate entitlement by the extension name.