Certificates and Application Resigning
Introduction
In the following chapters we review how to resign an application and how to obtain the resources needed for the process. To resign the application successfully we need the following resources:
• Apple Enterprise distribution certificate
• Distribution Profile
• .IPA file: the application to be resigned
• ResourceRules.plist file
• Entitlements.plist file
Let's start by describing how to obtain the distribution certificate and profile from the Apple Portal. This document assumes that your company is already enrolled in the iOS Developer Enterprise Program. For more information about the program, visit the enterprise developer home at apple.com.
How to get the Distribution Certificate and Profile
Once you enroll your company in Apple's Enterprise Program, you need to get a couple of files from Apple's portal to sign the application for enterprise distribution. These files are:
• Distribution Certificate
• Distribution Profile
The Certificate: To get the distribution certificate from the portal, first we have to create a certificate signing request (CSR), which will be uploaded to the portal in order to generate the certificate. The following are the complete steps to get the certificate correctly:
• Launch the Keychain Access app.
• In the Preferences menu, set Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to "Off".
• Choose Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority.
Note: If you have a non-compliant private key highlighted in the Keychain during this process, the resulting Certificate Request will not be accepted by the Provisioning Portal. Confirm that you are selecting "Request a Certificate From a Certificate Authority..." and not "Request a Certificate From a Certificate Authority with <Private Key>...".
• In the User Email Address field, enter your email address. Please ensure that the email address entered matches the information that was submitted when you registered as an iOS Developer.
• In the Common Name field enter your name. Please ensure that the name entered matches the information that was submitted when you registered as an iOS Developer.
• No CA (Certificate Authority) Email Address is required. The 'Required' message will be removed after completing the following step.
• Select the 'Saved to Disk' radio button and, if prompted, select 'Let me specify key pair information' and click 'Continue'.
• If 'Let me specify key pair information' was selected, specify a file name and click 'Save'. In the following screen select '2048 bits' for the Key Size and 'RSA' for the Algorithm. Click 'Continue'.
• The Certificate Assistant will create a CSR file on your desktop. At the same time it creates the matching private key in your login keychain; that key is what later turns the downloaded certificate into a signing identity, so do not delete it and do not generate the CSR on a machine you will not sign from.
• After creating a CSR, log in to the iOS Provisioning Portal and navigate to ‘Certificates’ > ‘Distribution’ and click ‘Add Certificate’.
• Click the 'Choose file' button, select your CSR and click 'Submit'. If the Key Size was not set to 2048 bits during the CSR creation process, the Portal will reject the CSR.
• Once approved, you should be able to download the certificate.
Certificate Installation:
Now that we are done with the certificate, we have to install it locally:
• In the 'Certificates' > 'Distribution' section of the Portal, control-click the WWDR Intermediate Certificate link and select "Save Linked File to Downloads" to download the certificate.
• On your local machine, double-click the WWDR Intermediate certificate to launch Keychain Access and install it.
• Upon CSR approval, Team Members and Team Admins can download their certificates via the 'Certificates' section of the Provisioning Portal. Click 'Download' next to the certificate name to download your distribution certificate to your local machine.
• On your local machine, double-click the downloaded .cer file to launch Keychain Access and install your certificate. Install it into the same login keychain that holds the private key created with the CSR, so that Keychain Access pairs the two into a signing identity.
Saving the Certificate
Assuming that you already have the distribution/development certificate installed, you can also export it from your computer to keep a backup or to use it on another computer. To export the certificate from your computer, follow these steps:
• Open the Keychain Access application.
• Locate the certificate under the login keychain, My Certificates category, and check that it has a private key (identity) associated: the certificate entry expands to show the key beneath it.
• Control-click the certificate, choose Export..., select the Personal Information Exchange (.p12) format and protect the file with a password.
After that, send us the p12 file; this file embeds the private key along with the certificate.
Note: the certificate must have a private key associated, otherwise the certificate will not work for signing. A .cer file downloaded from the portal contains only the public certificate; the private key exists only in the keychain of the Mac that generated the CSR.
Application ID and Distribution Profile
To get the distribution profile, you need to follow a few steps:
• First you need to create a new App ID (unless you already have one for the application you are trying to distribute), so go to your developer center home (http://developer.apple.com/devcenter/ios).
• Log in to the dev center and enter the iOS Provisioning Portal.
• Click on the App IDs section and then the New App ID button.
• You will see a form; fill in the blanks with the corresponding data. Basically you have three fields:
o Description: Name or description of the App ID, for recognising it later around the portal.
o Bundle Seed ID: The option "Generate New" is recommended. Choosing one of the existing seeds is useful for a suite of applications that share certain private information (for example keychain items), because the seed is the prefix of the application identifier.
o Bundle Identifier: A unique identifier for your App ID. A reverse-domain-name style string is the best practice for the Bundle Identifier portion of the App ID, e.g. com.mycompany.appName.
Finally click the submit button.
Getting the Profile:
Go to the Provisioning section and, under the Distribution tab, click New Profile.
• You will see a form; fill in the blanks with the needed information.
• The fields you need to fill in are:
o Distribution Method: Ad Hoc is for internal distribution for testing purposes, and the specific device IDs are needed; the In House option lets you create a profile that helps you distribute the release build of the application internally, and no device IDs are needed.
o Profile Name: A name for the profile file.
o Distribution Certificate: Tick the certificate that matches the profile; this should be the certificate we obtained in the first section.
o App ID: The application identifier we created above.
After filling in the fields, click the submit button.
Once you have created the profile, go back to the Provisioning section under the Distribution tab. There you will find a list of the profiles you already have, so locate the one we just created and download it.
Note: Sometimes the profile takes a minute to become available for download. If you are not able to download the profile, refresh the page after a few seconds and the download button should appear next to the profile name.
Application Resigning
Once we have the needed certificate and profile from the Apple portal, it’s time to resign the application. To resign the application we are going to follow these steps:
• Gather the resources needed for the resigning process
• Open the IPA package and make changes where needed
• Resign the application
• Close the IPA package
Gather the resources needed for the resigning process
Assuming that you have the distribution certificate installed, we will need the following files to perform the resigning:
1. Distribution Profile: You should have this file already if you followed the steps of the previous chapter.
2. ResourceRules.plist file: Create a plain text file and paste the following text in it. Make sure there are no additional characters; it is important not to break the plist structure. After that save the file as 'ResourceRules' and change its extension to .plist.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>rules</key>
    <dict>
        <key>.*</key>
        <true/>
        <key>Info.plist</key>
        <dict>
            <key>omit</key>
            <true/>
            <key>weight</key>
            <real>10</real>
        </dict>
        <key>ResourceRules.plist</key>
        <dict>
            <key>omit</key>
            <true/>
            <key>weight</key>
            <real>100</real>
        </dict>
    </dict>
</dict>
</plist>
3. Entitlements.plist file: As with ResourceRules.plist, create an empty plain text file and paste the following. This time, replace the value of the application-identifier key with the application identifier specified in the distribution profile (check Appendix I to learn how to get this value from the profile). So instead of PREFIX.bundle.id you should specify something like EQ84GUVU7D.com.mycompany.myapp. Leave get-task-allow as false: it must be false for a distribution build (true is only for development builds, where it lets a debugger attach to the app). After making the changes, save the file as 'Entitlements' and change its extension to .plist.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>PREFIX.bundle.id</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
4. app.IPA file: The application file to be modified and resigned. The name of this file may change depending on the application.
At this point you should have the four files above in one folder in order to proceed with the next steps.
Opening an IPA and Performing Modifications
When modifying any part of an application's bundle, the target application must be in the .app format. If the target application is in the .ipa format, it must be decompressed into the .app format before any code signature operation can be performed. The ipa format is just a renamed zip file, which can be decompressed with any compression tool. To open the ipa file follow these instructions:
1. Locate the target file.
2. Change its extension to zip by renaming it. For instance, if the target is app.ipa, rename the file to app.zip.
3. Decompress the new zip file.
4. Open the "Payload" folder that was inside app.zip.
5. myApp.app is inside the Payload folder.
Once the .app package is extracted, let's make the needed modifications so that the application matches the certificate and profile of your company.
Provisioning Profile
The embedded provisioning profile (embedded.mobileprovision) is just a copy of the profile with which the application was signed when it was archived in the developer's environment. In most distribution and re-signing scenarios it needs to be removed or replaced. When it is removed, the user has to install the profile manually on the device before the application can be installed from a remote location; this is one way of controlling which users have access to the application. The most common scenario when resigning for internal distribution is to replace the profile with a new one: the one related to the certificate used to resign the build. The App ID in that profile must cover the bundle identifier you set in Info.plist below, otherwise the device will refuse to install the app.
Removing/Changing an Embedded Provisioning Profile
1. Assuming the target IPA has been decompressed, myApp.app should be inside the Payload folder.
2. Control-click (or right-click) the .app file and select "Show Package Contents".
3. Once there, locate the embedded.mobileprovision file and delete it.
4. If you want to embed a new profile, rename your profile the same way (embedded.mobileprovision) and drop it in the same place.
In addition, if you are about to resign an application with a new certificate and profile, the following changes must be made for the resigning to succeed:
a. Locate the Info.plist file inside the target's bundle (it is in the same place as the embedded.mobileprovision we deleted/replaced above). Open Info.plist with the Property List Editor application.
b. Change the bundle identifier's value (CFBundleIdentifier) to the new App ID's bundle identifier, in this case com.mycompany.myapp. This is the value the profile and the entitlements are matched against.
c. Change the bundle name (CFBundleName) to the last component of the bundle identifier, in this case myapp. (This keeps the bundle consistent; the signature itself does not depend on it.)
d. Save the plist and close the Property List Editor.
You can optionally change CFBundleDisplayName to change the name of the application (the text displayed under the icon on the device's home screen, which can differ from the app name) or CFBundleIconFile to change the icon file name, but do not change other keys in Info.plist unless you know exactly what they control.
Resign the Application
Now it’s time to resign the package.
To resign the build, the codesign command line tool is used, and it is executed as follows:

/usr/bin/codesign -f -s "{SIGNER IDENTITY}" --resource-rules={RESOURCE RULES PATH} --entitlements {ENTITLEMENTS FILE PATH} {APPLICATION BUNDLE PATH}

Parameters to be replaced:
A. {SIGNER IDENTITY}: The signer identity of the certificate, for example "iPhone Distribution: MyCompany". To get this value, launch the Keychain Access app and find the correct certificate; the name of the certificate is the value you need to specify in the command. The same names are printed by running security find-identity -v -p codesigning in the Terminal, which lists only the certificates whose private key is available, i.e. the ones codesign can actually use.
B. {RESOURCE RULES PATH}: Path to the ResourceRules.plist we created above.
C. {ENTITLEMENTS FILE PATH}: Path of the Entitlements.plist file we also generated in previous steps.
D. {APPLICATION BUNDLE PATH}: The path to the target application's bundle, such as myApp.app.
For this example, the command should look as follows:

/usr/bin/codesign -f -s "iPhone Distribution: Southlabs S.R.L." --resource-rules=/Users/myUser/Desktop/Resigning/ResourceRules.plist --entitlements /Users/myUser/Desktop/Resigning/Entitlements.plist /Users/myUser/Desktop/Resigning/Payload/myApp.app

Once you have all the parameters in place, open the Terminal application and paste the command. If everything is OK, you should get the following message if the app was previously signed with a different certificate:

replacing invalid existing signature

or the following message if the app was previously signed with the same certificate:

replacing existing signature

Before packaging, confirm the result with codesign --verify -vv myApp.app (it reports "valid on disk" and exits with status 0 when the signature is good) and check which identity and entitlements were actually applied with codesign -d -vv --entitlements - myApp.app.

Note:
• The certificate used for the resigning process must be installed in Mac OS X and must have a private key (identity) associated. You can check this using the Keychain Access application under the login keychain, My Certificates category. If the certificate doesn't have a private key associated, the resigning process will fail.
• On OS X 10.10 and later, codesign no longer accepts the --resource-rules option; on those systems drop the option and the ResourceRules.plist file, and codesign seals all bundle resources itself.
• If the .app contains a Frameworks folder, each framework inside it must be resigned with the same identity before the .app itself, otherwise the outer signature will not validate.
Closing the IPA Package
To finish the process, we have to repack the .app file into an ipa file. To do this, follow these instructions:
1. Locate the target application's Payload folder.
2. Compress the Payload folder.
a. In Mac OS X, this can be accomplished by secondary-clicking (control-click or right-click) the Payload folder and choosing "Compress 'Payload'".
3. Rename Payload.zip to app.ipa again.
Important: Before zipping the Payload folder, make sure there are no additional files inside it. Any extra file, even a hidden file such as the common .DS_Store, can make the application fail to install from the ipa generated by re-zipping the Payload folder. From the Terminal, in the folder that contains Payload, zip -r app.ipa Payload -x '*.DS_Store' builds the archive without them.
Conclusion
After these steps the application is resigned with the appropriate certificate and ready for distribution. This method works for In-House distribution scenarios and also when dealing with MDM servers. To test the resigned application you can use iTunes or the iPhone Configuration Utility to install it locally on a device before uploading it to your distribution environment.
Appendix I – How to get the application identifier from the distribution profile
To get the application identifier from the provisioning profile, follow these steps:
• Locate the corresponding distribution profile.
• Open the profile with a simple text editor such as TextEdit. The file is a signed (CMS) blob, so binary data surrounds a readable XML plist in the middle of it; on Mac OS X, security cms -D -i profile.mobileprovision prints just that plist.
• Scroll through the file until you find the Entitlements section.
• The value of the <key>application-identifier</key> key is your application identifier. From there you also have your bundle identifier, which is the application identifier without the seed prefix:
o App identifier: EQ84GUVU7D.com.mycompany.myapp
o Bundle Identifier: com.mycompany.myapp
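The whole resigning procedure (unpack the IPA, swap embedded.mobileprovision, patch CFBundleIdentifier, write Entitlements.plist from the profile's application-identifier as in Appendix I, codesign, repack Payload without stray files) as one script. This is an added example, not code from the original document or from Southlabs; the script name resign.py, the sample identity string and the file layout are assumptions. It reads the plist straight out of the .mobileprovision blob without checking its CMS signature, omits --resource-rules because current codesign rejects it, and only the codesign step itself needs Mac OS X with the identity in the login keychain.

```python
import glob, os, plistlib, re, shutil, subprocess, sys, tempfile, zipfile

JUNK = {".DS_Store", "__MACOSX"}  # Finder/zip droppings that must not ship in Payload


def application_identifier(profile: bytes) -> str:
    """Appendix I in code: a .mobileprovision is a CMS blob wrapping an XML plist whose
    bytes sit verbatim inside it, so slice them out and read the entitlement. This
    skips the CMS signature check (`security cms -D -i <file>` on macOS verifies it)."""
    start = profile.index(b"<?xml")
    end = profile.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(profile[start:end])["Entitlements"]["application-identifier"]


def bundle_identifier(app_id: str) -> str:
    """Drop the 10-character seed prefix (PREFIX.com.x.app -> com.x.app); a wildcard
    profile (PREFIX.*) names no bundle id, so it is rejected."""
    prefix, _, rest = app_id.partition(".")
    if not re.fullmatch(r"[A-Z0-9]{10}", prefix) or rest in ("", "*"):
        raise ValueError(f"not an explicit application-identifier: {app_id}")
    return rest


def write_entitlements(path: str, app_id: str) -> dict:
    """The document's Entitlements.plist with PREFIX.bundle.id filled in;
    get-task-allow stays false (true would leave the app debuggable)."""
    ent = {"application-identifier": app_id, "get-task-allow": False}
    with open(path, "wb") as f:
        plistlib.dump(ent, f)
    return ent


def unpack_ipa(ipa: str, workdir: str) -> str:
    """An .ipa is a renamed zip; extract it and return the single Payload/*.app."""
    with zipfile.ZipFile(ipa) as z:
        z.extractall(workdir)
    payload = os.path.join(workdir, "Payload")
    apps = [d for d in os.listdir(payload) if d.endswith(".app")]
    if len(apps) != 1:
        raise ValueError(f"expected one .app in Payload, found {apps}")
    return os.path.join(payload, apps[0])


def prepare_bundle(app_dir: str, profile_path: str) -> str:
    """Embed the new profile and point CFBundleIdentifier at its App ID;
    returns the application-identifier the entitlements must carry."""
    with open(profile_path, "rb") as f:
        app_id = application_identifier(f.read())
    shutil.copy(profile_path, os.path.join(app_dir, "embedded.mobileprovision"))
    info_path = os.path.join(app_dir, "Info.plist")
    with open(info_path, "rb") as f:
        info = plistlib.load(f)
    info["CFBundleIdentifier"] = bundle_identifier(app_id)
    with open(info_path, "wb") as f:
        plistlib.dump(info, f)
    return app_id


def codesign(app_dir: str, identity: str, entitlements: str) -> None:
    """codesign as in the document but without --resource-rules (codesign on OS X
    10.10+ rejects it). Frameworks are signed before the app that embeds them;
    the closing --verify fails loudly if the identity has no private key."""
    for fw in sorted(glob.glob(os.path.join(app_dir, "Frameworks", "*"))):
        subprocess.run(["/usr/bin/codesign", "-f", "-s", identity, fw], check=True)
    subprocess.run(["/usr/bin/codesign", "-f", "-s", identity,
                    "--entitlements", entitlements, app_dir], check=True)
    subprocess.run(["/usr/bin/codesign", "--verify", "-vv", app_dir], check=True)


def strip_junk(payload: str) -> list:
    """Delete .DS_Store / __MACOSX anywhere under Payload; return what was removed."""
    removed = []
    for root, dirs, files in os.walk(payload):
        for name in [n for n in dirs + files if n in JUNK]:
            path = os.path.join(root, name)
            (shutil.rmtree if os.path.isdir(path) else os.remove)(path)
            removed.append(path)
        dirs[:] = [d for d in dirs if d not in JUNK]  # do not descend into deleted dirs
    return removed


def pack_ipa(workdir: str, out_ipa: str) -> list:
    """Zip workdir/Payload back into an .ipa; return the archive's member names."""
    payload = os.path.join(workdir, "Payload")
    strip_junk(payload)
    with zipfile.ZipFile(out_ipa, "w", zipfile.ZIP_DEFLATED) as z:
        for root, _, files in os.walk(payload):
            for name in files:
                full = os.path.join(root, name)
                z.write(full, os.path.relpath(full, workdir))
    with zipfile.ZipFile(out_ipa) as z:
        return z.namelist()


def resign_ipa(ipa: str, profile: str, identity: str, out_ipa: str) -> str:
    """The whole procedure end to end; returns the application-identifier used."""
    work = tempfile.mkdtemp(prefix="resign-")
    app_dir = unpack_ipa(ipa, work)
    app_id = prepare_bundle(app_dir, profile)
    entitlements = os.path.join(work, "Entitlements.plist")
    write_entitlements(entitlements, app_id)
    codesign(app_dir, identity, entitlements)
    pack_ipa(work, out_ipa)
    return app_id


if __name__ == "__main__":
    # usage: resign.py app.ipa new.mobileprovision "iPhone Distribution: MyCompany" out.ipa
    print("signed with application-identifier", resign_ipa(*sys.argv[1:5]))
```

Each manual step of the document is one function, so a failure is attributed to the right stage: a profile whose App ID is a wildcard is refused before anything is signed, a bad identity is caught by the --verify call rather than at install time, and the repacked archive is listed so you can confirm nothing but Payload/ went in.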