I have a bunch of .ipa files and I've used a script to resign them.
So how can check the provisioning profile/signing certificate to conform they are using the correct information?
Ideally, I'd like to be able to take any .ipa file and tell which provisioning profile/signing certificate was used to sign it.
Backstory: Our enterprise distribution certificate is expiring and I want to re-sign our stuff. It's a simple take for all the stuff we've made and archived in Xcode, but for 3rd party vendor made distributables I can't do that. I want to avoid asking for a re-signed .ipa file because a new .ipa might include unknown changes and introduce issues and they'd probably charge us too... but I'm more worried about the first issue.
Since both our old and new distribution certificates are still valid (you get a 6month overlap) I need to be able to confirm the new one is used otherwise I'd look really silly when the old one expires and the "resigning" script didn't actually do the job.
Provisioning Profiles have a UUID that can be seen using the Terminal command:
security cms -D -i (path_to_your_provisioning_profile)
See the UUID section of the command output like:
<key>UUID</key>
<string>A008C022-7B82-4E40-8B37-172763E1E3CC</string>
Xcode inserts the provisioning profile used to sign the application within the .app bundle. To find it, rename your .ipa to .zip, uncompress it with Finder, find the .app file in /Payload. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision
.
Dump its entitlements using the above command and compare that with the UUID found within your profiles in your Xcode Organizer > Devices tab > Provisioning Profile section under "Library". You can use "Show in Finder" on those to reveal their location on disk.