How do I resign app with entitlements?

Erik Engheim · Apr 27, 2016

I have an .ipa file which I need to resign. I tried doing it as explained on the objc.io blog:

$ codesign -f -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app

However this is insufficient. When I do codesign I get something like this:

$ codesign -d --entitlements - Example.app/Example
Executable=/Users/myuser/Payload/Example.app/Example

I don't get any entitlements listed.

However, if I do codesign -d --entitlements on the original IPA file from Xcode, I get:

<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>UFAYDHAUP.com.company.example</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>beta-reports-active</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>UFAYDHAUP</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>UFAYDHAUP.com.company.example</string>
    </array>
</dict>
</plist>

I tried the line below

$ codesign --entitlements Example.app/archived-expanded-entitlements.xcent -f -s 'iPhone Developer: Thomas Kollbach (7TPNXN7G6K)' Example.app

But the following keys are not included:

  • beta-reports-active
  • get-task-allow

So how am I supposed to do this? I don't have an entitlements file; in Xcode 7, one only checks Capabilities. And all I have is Apple Push Notifications.

Finally to clarify my requirements:

  1. I will not change the App ID or use a different provisioning profile or code signing identity compared to what Xcode exports.
  2. Only the main executable is changed with a tool, which is why a resign is needed.

Answer

Erik Engheim · Apr 27, 2016

The answer is actually quite self-evident in the question itself. The output from:

$ codesign -d --entitlements - Example.app/Example

Is actually a perfectly valid entitlements file. So you can store the output from the original .ipa exported from Xcode by writing:

$ codesign -d --entitlements entitlements.xml Example.app/Example

This will store the entitlements in entitlements.xml which you can then use in an argument to sign the .ipa file yourself:

$ codesign --entitlements entitlements.xml -f -s "iPhone Distribution: Company (UFAYDHAUP)" Payload/Example.app

Naturally "iPhone Distribution: Company (UFAYDHAUP)" has to be replaced with the signing identity you use and Payload/Example.app will be the path to your app which has been unzipped from the .ipa file.
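
A check to run after re-signing, as an added example that is not part of the original post: it parses two entitlement dumps produced by codesign -d --entitlements and reports any keys the re-sign dropped, added, or changed, which is the failure the question ran into. The function names are hypothetical, and the sample data is constructed from the plist shown in the question; the loader also accepts dumps that still carry the 8-byte blob header codesign writes unless the output path is prefixed with a colon.

```python
import plistlib
import struct

ENT_BLOB_MAGIC = 0xFADE7171  # magic of the embedded-entitlements blob header


def load_entitlements(data: bytes) -> dict:
    """Parse a `codesign -d --entitlements` dump, with or without the
    8-byte blob header (magic + total length, both big-endian)."""
    if len(data) >= 8:
        magic, length = struct.unpack(">II", data[:8])
        if magic == ENT_BLOB_MAGIC:
            data = data[8:length]  # length includes the header itself
    start = data.find(b"<?xml")
    if start < 0:
        start = data.find(b"<plist")
    if start < 0:
        raise ValueError("no XML plist found in entitlements dump")
    return plistlib.loads(data[start:])


def diff_entitlements(original: dict, resigned: dict) -> dict:
    """Report keys dropped, added, or changed by the re-sign."""
    return {
        "missing": sorted(k for k in original if k not in resigned),
        "added": sorted(k for k in resigned if k not in original),
        "changed": sorted(k for k in original
                          if k in resigned and original[k] != resigned[k]),
    }


# Constructed sample: the entitlements shown in the question.
ORIGINAL_XML = b"""<plist version="1.0"><dict>
<key>application-identifier</key><string>UFAYDHAUP.com.company.example</string>
<key>aps-environment</key><string>production</string>
<key>beta-reports-active</key><true/>
<key>com.apple.developer.team-identifier</key><string>UFAYDHAUP</string>
<key>get-task-allow</key><false/>
<key>keychain-access-groups</key><array><string>UFAYDHAUP.com.company.example</string></array>
</dict></plist>"""
# Constructed sample: the same dump with the two keys the question reports as lost.
RESIGNED_XML = (ORIGINAL_XML.replace(b"<key>beta-reports-active</key><true/>", b"")
                .replace(b"<key>get-task-allow</key><false/>", b""))


def with_blob_header(xml: bytes) -> bytes:
    """Wrap XML the way a raw (un-stripped) codesign dump is framed."""
    return struct.pack(">II", ENT_BLOB_MAGIC, 8 + len(xml)) + xml


def check_sample() -> dict:
    return diff_entitlements(load_entitlements(with_blob_header(ORIGINAL_XML)),
                             load_entitlements(RESIGNED_XML))
```

A non-empty "missing" list means the re-signed app has lost entitlements the original carried; note that an absent get-task-allow key is reported even though its original value was false.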