IPA Signing Support

[indygreg]

Per #29, it is apparent that we don't support signing IPAs directly.

We should implement support for signing IPAs.

I've never done iOS/iWatch/etc development and have never used IPAs. So if someone wants to chime in with what they think are a reasonable list of requirements and end-user workflows, please do so!

[tosbaha]

I was searching for a solution to resign IPA files besides using Fastlane. Therefore, I can list what I expect from ipa resigning. Most apps have multiple targets(Notification Extention,Watch App, Watch App extension etc.) It generally looks like below

├── Main.app
│   ├── AppIcon60x60@2x.png
│   ├── Assets.car
│   ├── Frameworks
│   │   ├── Eureka.framework
│   │   │   ├── Eureka
│   │   │   ├── Info.plist
│   │   │   └── _CodeSignature
│   │   │       └── CodeResources
│   │   ├── SwiftyButton.framework
│   │   │   ├── Info.plist
│   │   │   ├── SwiftyButton
│   │   │   └── _CodeSignature
│   │   │       └── CodeResources
│   ├── Info.plist
│   ├── PkgInfo
│   ├── PlugIns
│   │   └── MainExtension.appex
│   │       ├── Info.plist
│   │       ├── MainExtension
│   │       ├── _CodeSignature
│   │       │   └── CodeResources
│   │       ├── embedded.mobileprovision
│   ├── Main
│   ├── _CodeSignature
│   │   └── CodeResources
│   ├── embedded.mobileprovision

• Resigning app should accept both xcarchive or IPA files. Xcarchive file actually contains both IPA file and extra files containing debugging symbols.
• Resigning app should resign the app with given provisioning profiles. Basically, embedded.mobileprovision files should be replaced and must be signed with new certificates. Let's say the user signed the app with developer mobile provisioning profile. The user should be able to resign the app with new provisioning profiles. During this process, resigning app should emulate the codesign. For example with iOS 15, codesign adds --generate-entitlement-der parameter.
• Sometimes users want to change the bundle id or version numbers (CFBundleVersion, CFBundleShortVersionString ,CFBundleIdentifier).Resigning should have the option to change the Info.plist first, then resign the application. However, there are some nuances here. For example, if you're changing the main app's bundle id, you also need to change WKCompanionAppBundleIdentifier for the Watch App and WKAppBundleIdentifier for the WatchKit extension.

Overall, Fastlane's resign script does most of the above operations. However, it doesn't support xcarhive files, It doesn't support modifying Info.plist of extensions.

[indygreg]

Thanks for the detailed info, @tosbaha!

There's definitely a lot of small features in here to work towards IPA signing support. I would gladly accept PRs to start chipping away at the missing features.

It sounds like #57 already exists for tracking xcarchive support.

We probably also want extra CLI arguments - or potentially config files - for overriding some of the lower-level settings, such as alternative values inside Info.plist files.

[tosbaha]

Hi @indygreg Unfortunately I don't have any experience related to Rust. I don't think I can help with PR. However, if you need some sample files to understand how the codesign signs apps, .xcarhive files, etc, I can try to help. Just shoot me an email.

PS: Xcarchive is not related to #57 AFAIK. The .xcarchive is just a special folder that ends with .xcarchive. It doesn't have any compression or signing. It contains signed files and their code signature inside a folder called _CodeSignature just like I showed above.

[dvc94ch]

You don't need to sign the ipa to submit it to the appstore. You just need to sign the app bundle before you create the ipa.

[tosbaha]

This library, if implemented like Fastlane, can resign the application. For example, if you signed your app with an Ad Hoc provisioning profile you must sign with an App Store provisioning profile again if you want to send to App Store. App Store only accepts IPA files signed with App Store provisioning profiles. Signing support should cover removing the sign and signing with proper certificates and provisioning profiles and new entitlements. I think the You don't need to sign the ipa to submit it to the appstore sentence is misleading since it doesn't cover every scenario. You can have Xcode Archive(.xcarcvhive) which can be signed with certificates but the same rules apply. In order to send to App Store, the certificate must be a distribution certificate and provisioning profiles must be created with that certificate. It also needs to signed by attaching entitlements. (Re)signing app should handle all the cases.

[dvc94ch]

so resigning an ipa involves the following steps:

1. unzip the ipa
2. resign the app bundle
3. zip the app bundle

see here for how xbuild handles it:

• [0] https://github.com/rust-mobile/xbuild/blob/master/xbuild/src/command/build.rs#L208

[tosbaha]

The unzipping and zipping part is the easiest part. The hardest part is handling signing without using Apple's codesign. Let me once again write the peculiarities of the signing. Most people will use this library for resigning applications. Therefore library should handle the following.

• Changing the bundle id and version number
• If you change the bundle id, you must change WKCompanionAppBundleIdentifier for the Watch App and WKAppBundleIdentifier with the new value. First, you recursively resign all Watch Apps, Extensions, etc. with a new certificate, change those values according to new ones and finally sign the main app as well.
• You need to think about entitlements. Provisioning profiles have capabilities. You need to inject new capabilities into newly signed binaries. Some capabilities must be removed.
• If the team changed, you also need to update the TEAM_ID and Application Identifier
• With iOS 15, Apple added a new parameter to codesign. I think this parameter adds entitlements binary as DER encoded.

I think checking out Fastlane's resign script can give you an idea of how complicated this stuff is.

[dvc94ch]

This is already implemented, we can resign bundles

[tosbaha]

That's cool then. If it is implemented, this issue can be closed.