How to tell what profile/signing certificate was used to sign .ipa?
Solution 1
Provisioning Profiles have a UUID that can be seen using the Terminal command:
security cms -D -i (path_to_your_provisioning_profile)
See the UUID section of the command output like:
<key>UUID</key>
<string>A008C022-7B82-4E40-8B37-172763E1E3CC</string>
Xcode inserts the provisioning profile used to sign the application within the .app bundle. To find it, rename your .ipa to .zip, uncompress it with Finder, find the .app file in /Payload. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.
Dump its entitlements using the above command and compare that with the UUID found within your profiles in your Xcode Organizer > Devices tab > Provisioning Profile section under "Library". You can use "Show in Finder" on those to reveal their location on disk.
Solution 2
Late to the party....
But this tool saves me some time: nomad/shenzhen
$ ipa info /path/to/app.ipa
+-----------------------------+----------------------------------------------------------+
| ApplicationIdentifierPrefix | DJ73OPSO53 |
| CreationDate | 2014-03-26T02:53:00+00:00 |
| Entitlements | application-identifier: DJ73OPSO53.com.nomad.shenzhen |
| | aps-environment: production |
| | get-task-allow: false |
| | keychain-access-groups: ["DJ73OPSO53.*"] |
| CreationDate | 2017-03-26T02:53:00+00:00 |
| Name | Shenzhen |
| TeamIdentifier | S6ZYP4L6TY |
| TimeToLive | 172 |
| UUID | P7602NR3-4D34-441N-B6C9-R79395PN1OO3 |
| Version | 1 |
+-----------------------------+----------------------------------------------------------+
2020: Update from the maintainer
https://github.com/nomad/shenzhen/blob/master/README.md
Note: shenzhen uses the Xcode 6 build API, which has been deprecated for almost 3 years now. This causes problems if your app makes use of Swift 3, watchOS and other app targets.
A maintained alternative to build your iOS apps is gym which uses the latest Xcode API. To distribute builds, you can use fastlane. More information on how to get started is available on the iOS Beta deployment guide.
Solution 3
Based on Bobjt's answer, I used IPCU to get the details of the profile:
- Rename your .ipa to .zip
- Uncompress it with Finder
- Find the .app file in /Payload.
"Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.
Drag the mobileprovisioning file into iPhone Configuration Utility
IPCU shows the Name/Expiration Date etc of the profile.
Solution 4
I ended up using a mixture of Bobjt and HaemEternal solutions proposals.
- Find archive.
- Show package content.
- Copy .app file out
- Show package content of the .app file.
- Copy embedded.mobileprovision file out.
- Run "security cms -D -i (path_to_your_provisioning_profile)"
- Find the UUID number from the outcome of the of call in step 6.
- Open Iphone Configuration Utility and look at the profiles to find the one that has the same UUID number.
Solution 5
I've been able to successfully test using the following process.
- Install original .ipa onto device.
- Go to Settings->General->Profiles (see old provisioning profile)
- Delete app and old profile from device
- Resign app.
- Install re-signed app on device
- Go to Settings->General->Profiles (see new provisioning profile)
This seems to be a bullet-proof way to confirm the provisioning profile was updated and since the profile only has the 1 signing certificate in it... then we must be signed with the new cert.
(but I still want to find a better way)
Comments
-
DBD over 2 years
I have a bunch of .ipa files and I've used a script to resign them.
So how can check the provisioning profile/signing certificate to conform they are using the correct information?
Ideally, I'd like to be able to take any .ipa file and tell which provisioning profile/signing certificate was used to sign it.
Backstory: Our enterprise distribution certificate is expiring and I want to re-sign our stuff. It's a simple take for all the stuff we've made and archived in Xcode, but for 3rd party vendor made distributables I can't do that. I want to avoid asking for a re-signed .ipa file because a new .ipa might include unknown changes and introduce issues and they'd probably charge us too... but I'm more worried about the first issue.
Since both our old and new distribution certificates are still valid (you get a 6month overlap) I need to be able to confirm the new one is used otherwise I'd look really silly when the old one expires and the "resigning" script didn't actually do the job.