How to re-sign the ipa file?
Solution 1
It's really easy to do from the command line. I had a gist of a script for doing this. It has now been incorporated into the ipa_sign script in https://github.com/RichardBronosky/ota-tools which I use daily. If you have any questions about using these tools, don't hesitate to ask.
The heart of it is this:
CODESIGN_ALLOCATE=`xcrun --find codesign_allocate`; export CODESIGN_ALLOCATE
IPA="/path/to/file.ipa"
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in keychain
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# sign with the new certificate (--resource-rules has been deprecated since OS X Yosemite (10.10); it can safely be removed)
/usr/bin/codesign -f -s "$CERTIFICATE" Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload
Your new signed app is called resigned.ipa
Solution 2
Check iResign for an easy tool on how to do this!
[edit] After some fiddling around, I found a solution to keychain-aware resigning. You can check it out at https://gist.github.com/Weptun/5406993
Solution 3
Kind of old question, but with the latest Xcode, codesign is easy:
$ codesign -s my_certificate example.ipa
$ codesign -vv example.ipa
example.ipa: valid on disk
example.ipa: satisfies its Designated Requirement
Solution 4
The answers posted here all didn't quite work for me. They mainly skipped signing embedded frameworks (or including the entitlements).
Here's what's worked for me (it assumes that one ipa file exists in the current directory):
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in the keychain
unzip -q *.ipa
rm -rf Payload/*.app/_CodeSignature/
# Replace embedded provisioning profile
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# Extract entitlements from app
codesign -d --entitlements :entitlements.plist Payload/*.app/
# Re-sign embedded frameworks
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Frameworks/*
# Re-sign the app (with entitlements)
codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/
zip -qr resigned.ipa Payload
# Cleanup
rm entitlements.plist
rm -r Payload/
Solution 5
Fastlane's sigh provides a fairly robust solution for resigning IPAs.
From their README:
Resign
If you generated your ipa file but want to apply a different code signing onto the ipa file, you can use sigh resign:
fastlane sigh resign
sigh will find the ipa file and the provisioning profile for you if they are located in the current folder. You can pass more information using the command line:
fastlane sigh resign ./path/app.ipa --signing_identity "iPhone Distribution: Felix Krause" -p "my.mobileprovision"
It will even handle provisioning profiles for nested applications (eg. if you have watchkit apps)
Johnny
Updated on July 08, 2022
Comments
-
Johnny almost 2 years
How do I sign the .ipa file with a provisioning profile after I generate an IPA like the following with a different provision profile? I would like to sign the IPA with an ad-hoc provisioning profile for beta testing, and then re-sign the exact IPA with an app submission provisioning profile for the app store.
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "${RELEASE_BUILDDIR}/${APPLICATION_NAME}.app" -o "${BUILD_HISTORY_DIR}/${APPLICATION_NAME}.ipa" --sign "${DEVELOPER_NAME}" --embed "${PROVISONING_PROFILE}"
-
InnisBrendan about 8 years
Possible duplicate of Re-sign IPA (iPhone)
-
-
Bruno Bronosky over 11 years
7 up votes and not a single question. I guess my bash is just that clear.
-
Rahmathullah M about 11 years
I'm getting an error message saying "security: unable to open "/var/folders/74/kpcwmb6j1pn92kr8mtvm2mwh0000gn/T/./resign.I9DrKi7B/Payload/AtlantaJournal.app/embedded.mobileprovision" for reading: No such file or directory".
-
Bruno Bronosky about 11 years
@RahmathullahMPulikkal I see I had errantly hardcoded a path in the gist. You really should be using github.com/RichardBronosky/ota-tools/blob/master/ipa_sign instead of the gist. It's the maintained code.
-
Nishanth Nair about 11 years
Is there any tool which can change the Display name along with Bundle id while resigning? This will help to have different display names for different environments, like App-Dev, App-QA, App-Stage etc.
-
Blitz about 11 years
Yes, the floatsign.sh does exactly that.
-
Alberto M almost 11 years
I got this error security: unable to open "/tmp/resign.MyApp.WObe2/my.mobileprovision" for reading: No such file or directory easily fixed by moving the cp up in the code. Thank you!
-
iMx over 10 years
@AlbertoM by moving what? I don't understand what it means.
-
Bruno Bronosky over 10 years
@iMx, I just pushed an update that ought to fix this for you.
-
iMx over 10 years
@RichardBronosky thanks, but I still get this error. But it works in terminal, if I enter the commands manually.
-
Bruno Bronosky over 10 years
@iMx can you please send me a transcript of what does and doesn't work. Please include a git log -1 | cat; git status from within the ota-tools directory.
-
yeesterbunny over 10 years
This saved me! Thanks!
-
Bruno Bronosky over 10 years
Thank you for commenting, @yeesterbunny. It encourages me to spend more time on stackoverflow... which is especially important when people choose not to accept the highest rated answers as "The correct answer."
-
Mutawe almost 10 years
After I run the script on the terminal, nothing happened, please advise
-
ıɾuǝʞ over 9 years
You may get a warning / error on the --resource-rules parameter, which has been deprecated in OS X Yosemite (10.10); simply deleting this parameter solves this issue.
-
simmons over 9 years
RichardBronosky many many thanks for this - spent hours trying different solutions before finding yours. Just to help future people - I needed the excellent pointer from @kenji which I almost didn't see as it was at the very end of the comments. I suggest adding this pointer into your answer or your script.
-
dadude999 over 9 years
One little note: it looks like CodeResources is now located inside of the _CodeSignature folder, so you just need to remove that folder.
-
ıɾuǝʞ over 9 years
@simmons comment added to the script
-
BryanH almost 9 years
@Pavel This question was answered back when iOS 6.x was the latest version. Since then, we've had two major releases, which obviously changed many things. You might wish to limit your searches to answers that target current technology.
-
Franziskus Karsunke over 8 years
It worked for me. You have to replace "my_certificate" with the name of the key in your key chain.
-
Mariano Paniga over 8 years
codesign command is also used in @BrunoBronosky response. I'm not able to use it directly on "*.ipa" file, and the "-vv" options always returns code object is not signed at all on files that I know they are signed...
-
KarenAnne about 8 years
After doing this, Application Loader still can't accept because the version is the same as the previous one
-
Bruno Bronosky about 8 years
@KarenAnne, changing the version number would be a different task than what was asked for by the OP. I would suggest looking for an answer to your task and asking a new question if you can't find it.
-
KarenAnne about 8 years
@BrunoBronosky I see. Because we cannot just re-submit new app to TestFlight by changing provisioning profile. It is not accepted by application if it has the same build and version number as the previous one. Thanks.
-
Bruno Bronosky about 8 years
@KarenAnne I think this may be what you need. stackoverflow.com/questions/16975049/… I haven't tried it yet but I'm going to work on it today. We can both report back and I'll add it to my answer if it works. Thanks for the idea. I'm always looking to improve my answers.
-
Bruno Bronosky about 8 years
BTW, I was able to use the info in that answer to change the CFBundleVersion and CFBundleShortVersionString of an IPA for which I did NOT have the source code and submit it to TestFlight. My team was able to install and test the app. We shipped it to Apple and it is now in the store. I've modified ipa_sign to incorporate this feature and after more personal testing I'll release an update.
-
Rich almost 8 years
While this bash script works perfectly, if your app has entitlements it will not. You just need to add
security cms -D -i "$PROVISION" > provision.plist
/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist
before copying the provisioning profile and then do
/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app
instead of the current code signing. I only realised that the gist is the up to date version (handling entitlements) after reading the comments!
-
evilmandarine over 7 years
Hello, sorry I am totally new to bash and code signing :/ here is the error I get when executing the bash from a terminal window: Using temp dir: /tmp/resign. ... App has BundleDisplayName '...' and BundleShortVersionString '...' App has BundleIdentifier '...' and BundleVersion ... security: SecPolicySetValue: One or more parameters passed to a function were not valid. App has provision '...', which supports '...' security: unable to open "/tmp/resign..../....mobileprovision" for reading: No such file or directory ----> any thing I am doing wrong?
-
Diana Farin about 7 years
/usr/bin/codesign -f -s "$CERTIFICATE" is not working anymore. It needs to be /usr/bin/codesign --force -s "$CERTIFICATE" -v Payload/*.app
-
Gene over 6 years
What worked for me today: Execute security find-identity -v to determine the ID of your signing identity. Invoke /usr/bin/codesign --force -s YOUR_IDENTITY -v Payload/*.app to actually sign the app.
-
Amr Angry over 6 years
I get the following error entitlements.plist: unrecognized blob type (accepting blindly) entitlements.plist: invalid length in entitlement blob
-
Pierre Priot over 6 years
Can you share your entitlement file contents?
-
Luis E. Prado over 6 years
Worked like a charm!
-
Arjun Kalidas about 6 years
Works. Simple and beautiful.
-
Serzas about 5 years
Useful comment from the post above (Rich): stackoverflow.com/questions/5160863/…
-
MuthuKumar Haridoss over 4 years
You may need to add a step for extracting the current entitlements and use it as part of codesign
-
RushDroid almost 4 years
It shows me unable to install the app after performing the steps. @BrunoBronosky any idea about this?
-
Pat over 3 years
This is a great next step, but it is missing signing of extensions. I added one more line, before the app signing: codesign -f -s "$CERTIFICATE" --entitlements entitlements.plist Payload/*.app/Plugins/*
-
Sanket_B over 3 years
I'm facing the same issue as @RushDroid. Did you find any solution?
-
Satheesh about 3 years
zip -qr is what I was missing. I was using the compress option in Finder and was not working.
-
Eugene Biryukov over 2 years
@Pat, what if appexes have different provisions?
-
Pat over 2 years
I suppose you'd have to have a mapping or association of entitlements for each extension. Perhaps a folder that has the extension name and an entitlement for it, stored externally so you can do a for loop over the extensions and reference the appropriate entitlement by the extension name.
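
Added example, not written by any poster above and not code from ota-tools or fastlane: the per-extension entitlements mapping described in the last comment, combined with Solution 4's order of signing nested code before the app. The function names, the DRY_RUN switch and the "$ENT_DIR/<bundle name>.plist" layout are assumptions made for this example; extensions are looked up under PlugIns, the directory Xcode places .appex bundles in.

```sh
#!/bin/sh
# Added example: re-sign an unpacked IPA inside-out with per-bundle entitlements.
# Assumptions (not from the page): entitlements are stored as
# "$ENT_DIR/<bundle name>.plist" (e.g. Demo.app.plist, Share.appex.plist), and
# DRY_RUN=1 (the default) only prints the codesign commands.

run() {  # print the command; execute it only when DRY_RUN=0
  printf '%s\n' "$*"
  [ "${DRY_RUN:-1}" = 1 ] || "$@"
}

resign_payload() {  # usage: resign_payload APP_DIR CERTIFICATE ENT_DIR
  app=${1%/}; cert=$2; ent_dir=$3
  # Nested code first, the .app last: the outer signature seals what is inside
  # it, so re-signing a framework or extension afterwards would invalidate it.
  for target in "$app"/Frameworks/* "$app"/PlugIns/* "$app"; do
    [ -e "$target" ] || continue   # an unmatched glob stays literal; skip it
    case "$target" in
      *.app|*.appex)
        ent="$ent_dir/$(basename "$target").plist"
        # Fail closed: never sign an executable bundle without its own file.
        [ -f "$ent" ] || { echo "missing entitlements: $ent" >&2; return 1; }
        run codesign -f -s "$cert" --entitlements "$ent" "$target" || return 1 ;;
      *)
        # Frameworks and dylibs are libraries; sign them without entitlements.
        run codesign -f -s "$cert" "$target" || return 1 ;;
    esac
  done
}

make_demo_tree() {  # constructed sample layout, not a real app
  root=$1
  mkdir -p "$root/Payload/Demo.app/Frameworks/Lib.framework" \
           "$root/Payload/Demo.app/PlugIns/Share.appex" "$root/ent"
  : > "$root/ent/Demo.app.plist"
  : > "$root/ent/Share.appex.plist"
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_demo_tree "$tmp"
  resign_payload "$tmp/Payload/Demo.app" "Name of certificate" "$tmp/ent"
  rm -rf "$tmp"
fi
```

Run with --demo to print the plan for the constructed tree; on macOS, set DRY_RUN=0 to execute the commands against a real unpacked Payload, then zip it as in Solution 4.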