
Upload: duongtuyen

Post on 17-May-2018


Certificates and Application Resigning

Introduction

In the following chapters we will be reviewing how to resign an application along with how to get the needed resources for the process. To successfully resign the application we have to check that we have the following resources:

• Apple Enterprise distribution certificate
• Distribution Profile
• .IPA file: This should be the application to be resigned
• ResourcesRules.plist file
• Entitlements.plist file

Let’s start by describing how to obtain the distribution certificate and profile from the Apple Portal. This document assumes that your company is already enrolled in the iOS Developer Enterprise Program. For more information about the program, visit the enterprise developer home at apple.com

How to get the Distribution Certificate and Profile

Once you enroll your company in Apple’s Enterprise Program, you need to get a couple of files from Apple’s portal to sign the application for enterprise distribution. These files are:

• Distribution Certificate
• Distribution Profile

The Certificates:

To get the distribution certificate from the portal, first we have to create a client request, which will be uploaded to the portal in order to generate the certificate. The following are the complete steps in order to get the Certificate correctly:

• Launch the Keychain Access app.
• In the Preferences menu, set Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to “Off”.
• Choose Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority.

Note: If you have a non-compliant private key highlighted in the Keychain during this process, the resulting Certificate Request will not be accepted by the Provisioning Portal. Confirm that you are selecting “Request a Certificate From a Certificate Authority...” and not “Request a Certificate From a Certificate Authority with <Private Key>…”

• In the User Email Address field, enter your email address. Please ensure that the email address entered matches the information that was submitted when you registered as an iOS Developer.
• In the Common Name field enter your name. Please ensure that the name entered matches the information that was submitted when you registered as an iOS Developer.
• No CA (Certificate Authority) Email Address is required. The ‘Required’ message will be removed after completing the following step.
• Select the ‘Saved to Disk’ radio button and, if prompted, select ‘Let me specify key pair information’ and click ‘Continue’.

• If ‘Let me specify key pair information’ was selected, specify a file name and click ‘Save’. In the following screen select ‘2048 bits’ for the Key Size and ‘RSA’ for the Algorithm. Click ‘Continue’.

• The Certificate Assistant will create a CSR file on your desktop.
• After creating a CSR, log in to the iOS Provisioning Portal, navigate to ‘Certificates’ > ‘Distribution’ and click ‘Add Certificate’.
• Click the ‘Choose file’ button, select your CSR and click ‘Submit’. If the Key Size was not set to 2048 bits during the CSR creation process, the Portal will reject the CSR.

• Once approved, you should be able to download the certificate.

Certificate Installation:

Now that we are done with the certificate, we have to install the certificate locally:

• In the ‘Certificates’ > ‘Distribution’ section of the Portal, control-click the WWDR Intermediate Certificate link and select “Save Linked File to Downloads” to initiate the download of the certificate.

• On your local machine, double-click the WWDR Intermediate certificate to launch Keychain Access and install it.
• Upon CSR approval, Team Members and Team Admins can download their certificates via the ‘Certificates’ section of the Provisioning Portal. Click ‘Download’ next to the certificate name to download your iOS Development Certificate to your local machine.
• On your local machine, double-click the downloaded .cer file to launch Keychain Access and install your certificate.

Saving the Certificate

Assuming that you already have the distribution/development certificate, you can also export it from your computer in order to save it as a backup or to use it on another computer. To export the certificate from your computer, follow these steps:

• Open the Keychain Access application.
• Locate the certificate under the login keychain in the My Certificates category, and check that it has an identity key associated.

After that, send us the .p12 file; this file should embed the identity key along with the certificate.

Note: the certificate must have an identity key associated, otherwise the certificate will not work.

Application ID and Distribution Profile

To get the distribution profile, you need to follow a few steps:

• First you need to create a new application ID (unless you already have one for the application you are trying to distribute), so go to your developer center home (http://developer.apple.com/devcenter/ios)
• Log in to the dev center and enter the iOS provisioning portal.
• Click on the App IDs section and then the New App ID button:

• Once there you will see a form like the following, so fill in the blanks with the corresponding data.

• Basically you have three fields:
o Description: Name or description for the App ID, for later recognition around the portal.
o Bundle Seed ID: The option “Generate New” is recommended. Choosing one of the existing seeds is useful for a suite of applications that share certain private information.
o Bundle Identifier: A unique identifier for your App ID. The use of a reverse-domain name style string is the best practice for the Bundle Identifier portion of the App ID, i.e. com.mycompany.appName

Finally, click the submit button.

Getting the Profile:

Go to the Provisioning section, and under the Distribution tab click New Profile.

• Now you should see a form like the following, so fill in the blanks with the needed information.

• Fields that you need to fill in are:
o Distribution Method: Ad Hoc is for internal distribution for testing purposes and specific device IDs are needed; the In House option lets you create a profile that helps you distribute the release build of the application internally, and no device IDs are needed.
o Profile Name: A name for the profile file.
o Distribution Certificate: Tick the certificate that matches the profile; this should be the certificate that we exported in the first section.
o App ID: The application identifier we created above.

After filling in the fields, click the submit button.

Once you have created the profile, go back to the Provisioning section under the Distribution tab. There you will find a list of the profiles that you already have, so locate the one we just created and download it.

Note: Sometimes the profile takes a minute to become available for download. In case you are not able to download the profile, just refresh the page after a few seconds and the download button should appear next to the profile name.

   

Application Resigning

Once we have the needed certificate and profile from the Apple portal, it’s time to resign the application. To resign the application we are going to follow these steps:

• Gather the needed resources for the resign process
• Open the IPA package and make changes when needed
• Resign the application
• Close the IPA package

Gather the needed resources for the resign process

Assuming that you have the distribution certificate installed, we will need the following files to perform the resigning:

1. Distribution Profile: You should have this file already if you followed the steps of the previous chapter.

2. ResourcesRules.plist file: Create a plain text file and paste the following text in it. Make sure there are no additional characters; it is important not to break the plist structure. After that, save the file as ‘ResourcesRules’ and change its extension to .plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>rules</key>
    <dict>
        <key>.*</key>
        <true/>
        <key>Info.plist</key>
        <dict>
            <key>omit</key>
            <true/>
            <key>weight</key>
            <real>10</real>
        </dict>
        <key>ResourceRules.plist</key>
        <dict>
            <key>omit</key>
            <true/>
            <key>weight</key>
            <real>100</real>
        </dict>
    </dict>
</dict>
</plist>

3. Entitlements.plist file: The same as for the ResourcesRules.plist file, create an empty plain text file and paste the following.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>PREFIX.bundle.id</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>

But this time, we have to replace the value of the application-identifier key with the corresponding bundle identifier specified in the profile. So instead of PREFIX.bundle.id you should specify something like EQ84GUVU7D.com.mycompany.myapp (check Appendix I to learn how to get this value from the distribution profile). After making the changes, save the file as ‘Entitlements’ and change its extension to .plist.

4. app.IPA file: Application file to be modified and resigned. The name of this file may change depending on the application.

At this point you should have the following files in a folder in order to proceed with these steps.

Opening an IPA and performing modifications

When modifying any part of an application's bundle, the target application must be in the .app format. If the target application is in the .ipa file format, it must be decompressed into the .app format in order to perform any code signature operations. The ipa format is just a renamed zip file, which can be easily decompressed with any compression tool. To open the ipa file follow these instructions:

1. Locate the target file.
2. Change its extension to zip by renaming it. For instance, if the target is app.ipa, change the file name to app.zip.
3. Decompress the new zip file.
4. Open the "Payload" folder that is in MyApplication.zip.
5. myApp.app is inside the Payload folder.

Once the .app package is unpacked, let’s make the needed modifications in order to match this application to the certificate and profile of your company.

Provisioning Profile

The embedded provisioning profile is just a copy of the profile with which you signed the application for archiving in a developer environment. In most distribution and re-signing scenarios this needs to be removed or changed. When removed, the user has to manually install the profile on the device in order to install the application from a remote location successfully; this is a way of controlling which users have access to the application. The most common scenario when resigning for internal distribution is to replace the profile with a new one, the one related to the certificate used to resign the build.

Removing/Changing an Embedded Provisioning Profile

1. Assuming the target IPA has been decompressed, myApp.app should be inside the Payload folder.
2. Control-click (or right-click) the .app file, and select “Show Package Contents”.
3. Once there, locate the embedded.mobileprovision file and delete it.
4. If you want to embed a new profile, rename your profile the same way (embedded.mobileprovision), and drop it in the same place.

In addition, if you are about to resign an application with new certificates, the following changes must be made in order for the resigning to succeed:

a. Locate the Info.plist file inside the target's bundle (this means it is in the same place as the embedded.mobileprovision we deleted/replaced above). Open Info.plist with the Property List Editor application.
b. Change the bundle identifier's value (CFBundleIdentifier) to the new App ID's bundle identifier. In this case com.mycompany.myapp
c. Change the bundle name (CFBundleName) to the last component of the bundle identifier. In this case myapp.
d. Save the plist and close the Property List Editor.

You can optionally change the CFBundleDisplayName to change the name of the application (which is the text displayed under the icon on the device’s home screen; it can be different from the app name) or the CFBundleIconFile to change the icon file name, but it’s important not to make changes to the Info.plist file without being certain about the keys that are being changed.

Resign the Application

Now it’s time to resign the package.

To resign the build, the codesign command line tool is used, and it is executed as follows:

/usr/bin/codesign -f -s "{SIGNER IDENTITY}" --resource-rules={RESOURCE RULES PATH} --entitlements {ENTITLEMENTS FILE PATH} {APPLICATION BUNDLE PATH}

Parameters to be replaced:

A. {SIGNER IDENTITY}: The signer identity of the certificate. For example "iPhone Distribution: MyCompany". To get this value, you can launch the Keychain Access app and find the correct certificate. The name of the certificate is the value you need to specify in the command.
B. {RESOURCE RULES PATH}: Path to the ResourcesRules.plist we created above.
C. {ENTITLEMENTS FILE PATH}: Path of the Entitlements.plist file we also generated in previous steps.
D. {APPLICATION BUNDLE PATH}: The path to the target application's bundle, such as myapp.app.

For this example, the command should look as follows:

/usr/bin/codesign -f -s "iPhone Distribution: Southlabs S.R.L." --resource-rules=/Users/myUser/Desktop/Resigning/ResourceRules.plist --entitlements /Users/myUser/Desktop/Resigning/Entitlements.plist /Users/myUser/Desktop/Resigning/Payload/myApp.app

Once you have all the parameters in place, just open the Terminal application and paste the command. If everything is ok, you should get the following message if the app was previously signed with a different certificate:

replacing invalid existing signature

Or the following message if the app was previously signed with the same certificate:

replacing existing signature

Note:
• The certificate used for the resigning process must be installed in Mac OS X, and must have an identity key associated. You can check this using the Keychain Access application under the login Keychains and My Certificates category.

If the certificate doesn’t have an identity key associated, the resigning process will fail.

Closing the package into an IPA

To finish the process, we have to re-pack the .app file into an ipa file. To do this you have to follow these instructions:

1. Locate the target application's Payload folder.
2. Compress the Payload folder.
a. In Mac OS X, this can be accomplished by secondary-clicking (control-click or right-click) on the Payload folder and choosing "Compress 'Payload'".
3. Rename Payload.zip to app.ipa again.

Important: Before zipping the Payload folder, make sure there are no additional files inside the folder. Any additional file in the folder, even hidden files like the common .DS_Store file, will cause errors when trying to install the ipa file generated by re-zipping the Payload folder.
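As an added example (not part of the original document), the following POSIX shell functions perform the check the note above asks for before re-zipping: they strip Finder metadata, refuse to pack a Payload folder that holds anything besides exactly one .app bundle, and then build the .ipa with zip. The Payload folder path and the .ipa name are supplied by the caller; both names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original document. Before a Payload folder is
# re-zipped into an .ipa it must contain the .app bundle and nothing else; the
# document notes that even a hidden .DS_Store makes the repacked ipa fail to
# install. Paths are passed in by the caller (the names here are assumptions).

# List every top-level entry in the Payload folder that is not a .app bundle,
# hidden files included. Prints nothing when the folder is clean.
stray_payload_entries() {
  find "$1" -mindepth 1 -maxdepth 1 ! -name '*.app'
}

# Delete the Finder and archive metadata macOS silently drops into folders and
# bundles (.DS_Store, __MACOSX, AppleDouble ._* files), at any depth.
# -prune keeps find from descending into a directory it is about to remove.
remove_finder_metadata() {
  find "$1" \( -name .DS_Store -o -name __MACOSX -o -name '._*' \) -prune \
       -exec rm -rf {} \;
}

# Clean the folder, refuse to pack unless exactly one .app bundle remains, then
# zip the Payload folder itself (not just its contents) straight to the .ipa
# name, which is what renaming Payload.zip to app.ipa achieves in the document.
# $2 is an absolute path, or one relative to the Payload folder's parent.
repack_ipa() {
  payload=$1
  ipa=$2
  remove_finder_metadata "$payload"
  if [ -n "$(stray_payload_entries "$payload")" ]; then
    echo "refusing to pack, unexpected entries in $payload:" >&2
    stray_payload_entries "$payload" >&2
    return 1
  fi
  set -- "$payload"/*.app
  if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
    echo "refusing to pack, expected exactly one .app bundle in $payload" >&2
    return 1
  fi
  # -r recurse, -X omit extra Unix uid/gid fields, -q quiet
  ( cd "$(dirname "$payload")" && zip -qrX "$ipa" "$(basename "$payload")" )
}
```

Run as `repack_ipa /path/to/Resigning/Payload /path/to/Resigning/app.ipa`; a non-zero exit with the list of offending entries on stderr means the folder still needs cleaning.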

 

Conclusion

After these steps the application is resigned with the appropriate certificate and ready for distribution. This method works for In-House distribution scenarios and also when dealing with MDM servers. To test the newly resigned application you can use iTunes or iPhone Configuration Utility to install the application locally on a device before uploading it to your distribution environment.

Appendix I – How to get the application identifier from the distribution profile

To get the application identifier from the provisioning profile, follow these steps:

• Locate the corresponding distribution profile.
• Open the profile with a simple text editor such as TextEdit.
• Scroll through the file until you find the Entitlements section:

• The value of the <key>application-identifier</key> key represents your application identifier. From there you will also have your bundle identifier, which is the application identifier without the seed number:
o App identifier: EQ84GUVU7D.com.mycompany.myapp
o Bundle Identifier: com.mycompany.myapp
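The lookup above, together with the replacement of PREFIX.bundle.id in the Entitlements.plist from the resources chapter, can be scripted. The following is an added example, not part of the original document: it works on the decoded plist text of a profile (on macOS, `security cms -D -i profile.mobileprovision` produces that text; PROFILE_PLIST below is a constructed stand-in carrying the document's sample identifier), extracts the application-identifier, derives the seed and bundle identifier, rejects an identifier whose placeholder was never replaced, and emits the Entitlements.plist.

```shell
#!/bin/sh
# Added example, not part of the original document. Works on the decoded plist
# text of a provisioning profile; on macOS that text comes from
#   security cms -D -i Distribution.mobileprovision
# PROFILE_PLIST is a constructed stand-in carrying the document's sample value.
PROFILE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ApplicationIdentifierPrefix</key>
    <array><string>EQ84GUVU7D</string></array>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>EQ84GUVU7D.com.mycompany.myapp</string>
        <key>get-task-allow</key>
        <false/>
    </dict>
</dict>
</plist>'

# Print the value that follows <key>application-identifier</key> in the decoded
# profile read from stdin. The exact key match skips ApplicationIdentifierPrefix.
app_identifier_from_profile() {
  awk '/<key>application-identifier<\/key>/ { want = 1; next }
       want && match($0, /<string>[^<]*<\/string>/) {
         print substr($0, RSTART + 8, RLENGTH - 17); exit }'
}

# "PREFIX.bundle.id": the seed is the text before the first dot, the bundle
# identifier is everything after it.
seed_of()      { printf '%s\n' "${1%%.*}"; }
bundle_id_of() { printf '%s\n' "${1#*.}"; }

# Reject the unreplaced template placeholder, a bare bundle identifier with no
# seed, and anything whose seed is not the 10-character team prefix.
valid_app_identifier() {
  _seed=$(seed_of "$1")
  [ "$_seed" != "PREFIX" ] && [ "${#_seed}" -eq 10 ] && [ "$_seed" != "$1" ]
}

# Emit the Entitlements.plist from the document with the placeholder replaced.
entitlements_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>$1</string>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
EOF
}

APP_ID=$(printf '%s\n' "$PROFILE_PLIST" | app_identifier_from_profile)
echo "application identifier: $APP_ID, bundle identifier: $(bundle_id_of "$APP_ID")"
valid_app_identifier "$APP_ID" && entitlements_plist "$APP_ID"
```

Redirect the last line's output to Entitlements.plist to produce the file used by the codesign command; if the profile carries a different identifier than the one in Info.plist, the signed app will not install, so compare the two before signing.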