airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

[ios] Can't install app: "The executable was signed with invalid entitlements." #1391

Open j3k0 opened 2 years ago

j3k0 commented 2 years ago

Problem Description

I'm trying to sign the iOS app with the AIR SDK, then deploy it using ios-deploy -b MyApp.ipa

We're using AIR SDK: 33.1.1.686

ios-deploy fails with the following error.

[ 70%] VerifyingApplication
Error 0xe8008016: The executable was signed with invalid entitlements,

I'm trying to resign the build with codesign (which I believed wasn't necessary anymore). It then fails with a different error.

Error 0xe8008001: An unknown error has occurred

Process to resign the app: unzip it, remove _CodeSignature then do:

/usr/bin/codesign --verbose --force --sign "Apple Development: Jean-Christophe Hoelt (xxxxxxxx)" --deep --entitlements "/path/to/entitlements.mobileprovision" MyApp.app

There are 2 dynamic frameworks in the bundle: FBSDKCoreKit.framework and FBSDKLoginKit.framework

I package the app this way:

JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk-11.0.3.jdk/Contents/Home" bin/AIRSDK_33.1.1.686/bin/adt -package -target ipa-debug -listen -provisioning-profile /path/platforms/mobile/ios/Devel.mobileprovision -storetype KeychainStore -alias "Apple Development: Jean-Christophe Hoelt (xxxxxxxx)" bin/ios-debug-device/MyApp.ipa bin/ios-debug-device/MyApp-app.xml  -C bin/ios-debug-device MyApp.swf icons Default-375w-667h@2x~iphone.png [...more Default-*.png] Frameworks/FBSDKCoreKit.framework Frameworks/FBSDKLoginKit.framework Assets.car ping.aiff -extdir bin/apm-mobile/libs -extdir bin/apm-mobile/ane

App signature reported as valid:

$ /usr/bin/codesign --verify --verbose --deep MyApp.app
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement

However not the frameworks'

$ /usr/bin/codesign --verify --verbose MyApp.app/Frameworks/FBSDKCoreKit.framework
MyApp.app/Frameworks/FBSDKCoreKit.framework: invalid or unsupported format for signature
In architecture: armv7

Eventually, if I remove the Frameworks folder, the app will install (but not start). So the problem lies there.


Running out of ideas, I'm trying to upgrade to XCode 13. See if that might help.

Anything else I should be looking into? Thanks

ajwfrost commented 2 years ago

Hi

I know we had a problem with frameworks signatures in an earlier release of ADT but that should be fixed in 33.1.1.686.

Are you able to send us this IPA file that's generated from ADT and that gives the installation error "The executable was signed with invalid entitlements"? We can look at this to see what has gone wrong here. https://transfer.harman.com/requests/AVLPR2gkFRKHf0VNeALTNf

thanks

Andrew

ajwfrost commented 2 years ago

Thanks for the file - definitely something wrong with that, although it's going to now be a case of wading through the binary formats...

One idea to get it moving forward though: after you've unzipped the .ipa into a folder, if you delete the FBSDKxxx.framework folders and then copy in the original folders that you have for these from where you're packing them up, you can then hopefully just re-sign the top-level package using the mechanism you mention above:

/usr/bin/codesign --verbose --force --sign "Apple Development: Jean-Christophe Hoelt (xxxxxxxx)" --deep --entitlements "/path/to/entitlements.mobileprovision" MyApp.app

Although I'm not 100% sure on that .. it may be that frameworks do need to be signed, they perhaps shouldn't be signed with entitlements, so you can always try the above line - without the 'entitlements' option - on the two frameworks before doing the top-level signing...

In the meantime, we'll look into why this binary isn't working properly....

thanks

j3k0 commented 2 years ago

The install worked by doing this:

In shell:

$ unzip MyApp.ipa
$ rm -fr Payload/MyApp.app/Frameworks/*
$ cp -r /path/to/Frameworks/* Payload/MyApp.app/Frameworks/
$ /usr/bin/codesign --force --sign "$SIGNING_IDENTITY_IOS_DEBUG" Payload/MyApp.app/Frameworks/FBSDKCoreKit.framework
FBSDKCoreKit.framework/: replacing existing signature
$ /usr/bin/codesign --force --sign "$SIGNING_IDENTITY_IOS_DEBUG" Payload/MyApp.app/Frameworks/FBSDKLoginKit.framework
FBSDKLoginKit.framework/: replacing existing signature
$ /usr/bin/codesign --force --sign "$SIGNING_IDENTITY_IOS_DEBUG" --verbose --entitlements "$ENTITLEMENTS_IOS_DEBUG" Payload/MyApp.app

I tried the exact same procedure without overriding the entitlements with --entitlements in the last command, install fails with error:

Error 0xe800003a: The application could not be verified

The --entitlements option is required for the app to install successfully.

ajwfrost commented 2 years ago

Thanks for sorting out a workaround! We have an updated adt.jar file that should also fix the underlying problem from the ADT tool where it was miscalculating part of the code signature block: https://transfer.harman.com/message/2ze0uhJ86Cg30FS8GeBqOr

thanks

marchbold commented 2 years ago

> Although I'm not 100% sure on that .. it may be that frameworks do need to be signed, they perhaps shouldn't be signed with entitlements, so you can always try the above line - without the 'entitlements' option - on the two frameworks before doing the top-level signing...

Dynamic Frameworks definitely need to be signed, however not with the application entitlements! They generally have their own identifier etc which will break if you use the app entitlements. You can see this in the resign script we have used in the past. eg https://github.com/distriqt/ANE-IronSource/blob/master/lib/facebookaudience/scripts/resign

You probably need the --generate-entitlement-der option on the app codesign command now too.
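
The signing order discussed in this thread, as an added example (not the distriqt resign script and not code from any commenter): frameworks are signed with the identity only, the app is signed last with its entitlements, and every framework is verified on its own. The function name, the CODESIGN override and the handling of loose .dylib files are assumptions that go beyond the two frameworks in the thread; the entitlements argument is assumed to be an entitlements plist.

```shell
#!/bin/sh
# Added example, not the project's or the commenters' script.
# Assumed names: resign_app, the CODESIGN override, and the argument order.
CODESIGN="${CODESIGN:-/usr/bin/codesign}"

# resign_app APP_DIR IDENTITY ENTITLEMENTS_PLIST
# Returns 0 on success, 1 if a codesign call fails, 2 on bad arguments.
resign_app() {
    app="$1"; identity="$2"; entitlements="$3"
    [ -d "$app" ] || { echo "no such bundle: $app" >&2; return 2; }
    [ -f "$entitlements" ] || { echo "no entitlements file: $entitlements" >&2; return 2; }

    # 1. Nested code first, identity only. --deep is deliberately not used for
    #    signing: it applies the same options, entitlements included, to
    #    nested code.
    for item in "$app"/Frameworks/*.framework "$app"/Frameworks/*.dylib; do
        [ -e "$item" ] || continue   # an unmatched glob stays literal; skip it
        "$CODESIGN" --force --sign "$identity" "$item" || return 1
    done

    # 2. The app bundle last, since its signature seals the nested code, and
    #    only here with the application entitlements.
    "$CODESIGN" --force --sign "$identity" --entitlements "$entitlements" \
        --generate-entitlement-der "$app" || return 1

    # 3. Verify each framework on its own as well as the app: in the report
    #    above, the app-level --deep check passed while a framework was invalid.
    for item in "$app"/Frameworks/*.framework "$app"/Frameworks/*.dylib; do
        [ -e "$item" ] || continue
        "$CODESIGN" --verify --verbose "$item" || return 1
    done
    "$CODESIGN" --verify --verbose --deep "$app"
}

# Usage, with the variable names from the thread:
#   resign_app Payload/MyApp.app "$SIGNING_IDENTITY_IOS_DEBUG" "$ENTITLEMENTS_IOS_DEBUG"
```
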

j3k0 commented 2 years ago

@ajwfrost I tried the patched adt.jar (2021.11.25) but it didn't generate a valid IPA either. I'm getting the same error: Error 0xe8008016: The executable was signed with invalid entitlements

It's an improvement though, because I can now fix the install with a single command:

unzip MyApp.ipa
codesign --deep --sign "$SIGNING_IDENTITY_IOS_DEBUG" --force --entitlements "$ENTITLEMENTS_IOS_DEBUG" Payload/MyApp.app

No need to replace the Frameworks and resign them individually anymore.

@marchbold Thanks for the --generate-entitlement-der tip. I've read it is required for iOS 15. Not sure what it does, but it works with or without it with my debug build (none of our test devices are upgraded to iOS 15 yet though).

idanasher commented 2 years ago

I am also having signing issues with AIR 33.1.1686 for iOS.

I thought that with a rather new version I won't have to resign and other signing issues, but when I try to upload via Transporter I get:

ERROR ITMS-90034: "Missing or invalid signature. The bundle 'com.facebook.sdk.FBSDKCoreKit' at bundle path 'Payload/Rummy World.app/Frameworks/FBSDKCoreKit.framework' is not signed using an Apple submission certificate."

I have then tried to manually resign using the distriqt script, but I got this in the resign console: ..../Frameworks/FBSDKCoreKit.framework: invalid or unsupported format for signature

And of course the upload results in another signing issue. What am I doing wrong here?

I'm focusing on 64-bit devices only now.
I have upgraded my mac ios to: macOS Monterey 12.0.1
I have upgraded my Xcode to: 13.1

marchbold commented 2 years ago

@idanasher Which version of the script are you using? There are potentially some modifications required to get it functioning correctly with the latest AIR and iOS versions.

idanasher commented 2 years ago

This is the resign script I use

distriqt/ANE-AppleSignIn#26 (comment)

idanasher commented 2 years ago

@marchbold, what modification do I need?

ajwfrost commented 2 years ago

Re this part:

> ../Frameworks/FBSDKCoreKit.framework: invalid or unsupported format for signature

there was a bug with ADT that screwed up the signature format which may make the other tools then fail. Can you copy the raw framework folder from wherever you first had it (or unzip the ane?) and overwrite it in that location?

I think if you can restore that binary so that it's 'normal'/unsigned, then the resign script above would work.

FYI we're about to publish an update that solves this. There was a patch binary but that may have expired now.

thanks

marchbold commented 2 years ago

@idanasher This is our current version:

https://gist.github.com/marchbold/ac126ea57ca9d2d9fea236e9f0009e08

but as @ajwfrost mentions you need to copy the frameworks from an original source with this current release. Unless you are in a rush, I'd suggest waiting for the update.