Open indygreg opened 2 years ago
I was searching for a solution to resign IPA files besides using Fastlane. Therefore, I can list what I expect from ipa resigning. Most apps have multiple targets (Notification Extension, Watch App, Watch App extension, etc.). It generally looks like below:
├── Main.app
│   ├── AppIcon60x60@2x.png
│   ├── Assets.car
│   ├── Frameworks
│   │   ├── Eureka.framework
│   │   │   ├── Eureka
│   │   │   ├── Info.plist
│   │   │   └── _CodeSignature
│   │   │       └── CodeResources
│   │   ├── SwiftyButton.framework
│   │   │   ├── Info.plist
│   │   │   ├── SwiftyButton
│   │   │   └── _CodeSignature
│   │   │       └── CodeResources
│   ├── Info.plist
│   ├── PkgInfo
│   ├── PlugIns
│   │   └── MainExtension.appex
│   │       ├── Info.plist
│   │       ├── MainExtension
│   │       ├── _CodeSignature
│   │       │   └── CodeResources
│   │       ├── embedded.mobileprovision
│   ├── Main
│   ├── _CodeSignature
│   │   └── CodeResources
│   ├── embedded.mobileprovision
--generate-entitlement-der parameter.
WKCompanionAppBundleIdentifier for the Watch App and WKAppBundleIdentifier for the WatchKit extension.
Overall, Fastlane's resign script does most of the above operations. However, it doesn't support xcarchive files, and it doesn't support modifying Info.plist of extensions.
Thanks for the detailed info, @tosbaha!
There's definitely a lot of small features in here to work towards IPA signing support. I would gladly accept PRs to start chipping away at the missing features.
It sounds like #57 already exists for tracking xcarchive support.
We probably also want extra CLI arguments - or potentially config files - for overriding some of the lower-level settings, such as alternative values inside Info.plist files.
Hi @indygreg. Unfortunately, I don't have any experience related to Rust. I don't think I can help with a PR. However, if you need some sample files to understand how codesign signs apps, .xcarchive files, etc., I can try to help. Just shoot me an email.
PS: Xcarchive is not related to #57 AFAIK. The .xcarchive is just a special folder that ends with .xcarchive. It doesn't have any compression or signing. It contains signed files and their code signature inside a folder called _CodeSignature, just like I showed above.
You don't need to sign the ipa to submit it to the appstore. You just need to sign the app bundle before you create the ipa.
This library, if implemented like Fastlane, can resign the application. For example, if you signed your app with an Ad Hoc provisioning profile you must sign with an App Store provisioning profile again if you want to send to App Store. App Store only accepts IPA files signed with App Store provisioning profiles. Signing support should cover removing the sign and signing with proper certificates and provisioning profiles and new entitlements. I think the "You don't need to sign the ipa to submit it to the appstore" sentence is misleading since it doesn't cover every scenario. You can have an Xcode Archive (.xcarchive) which can be signed with certificates, but the same rules apply. In order to send to App Store, the certificate must be a distribution certificate and provisioning profiles must be created with that certificate. It also needs to be signed by attaching entitlements. (Re)signing the app should handle all the cases.
so resigning an ipa involves the following steps:
see here for how xbuild handles it:
The unzipping and zipping part is the easiest part. The hardest part is handling signing without using Apple's codesign. Let me once again write the peculiarities of the signing. Most people will use this library for resigning applications. Therefore, the library should handle the following.
WKCompanionAppBundleIdentifier for the Watch App and WKAppBundleIdentifier with the new value. First, you recursively resign all Watch Apps, Extensions, etc. with a new certificate, change those values according to new ones and finally sign the main app as well. I think checking out Fastlane's resign script can give you an idea of how complicated this stuff is.
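The inside-out order described in the comment above (nested frameworks, extensions and Watch apps first, the main app last), as an added example that is not part of the original thread or the project's code. It works on the entry paths of an IPA archive; the bundle suffix list is an assumption, and the sample listing is constructed from the layout shown earlier, with hypothetical Watch app names.

```rust
use std::collections::BTreeSet;

// Directory suffixes treated as separately signed bundles (assumption for this sketch).
const BUNDLE_SUFFIXES: [&str; 3] = [".app", ".appex", ".framework"];

fn is_bundle(name: &str) -> bool {
    BUNDLE_SUFFIXES.iter().any(|s| name.ends_with(s))
}

// Number of bundle directories on the path, i.e. how deeply nested it is.
fn bundle_depth(path: &str) -> usize {
    path.split('/').filter(|p| is_bundle(p)).count()
}

/// Bundle directories found in archive entry paths, deepest first, so nested
/// code is signed before the bundle whose signature has to cover it.
pub fn signing_order(entries: &[&str]) -> Vec<String> {
    let mut bundles = BTreeSet::new();
    for entry in entries {
        let parts: Vec<&str> = entry.split('/').filter(|p| !p.is_empty()).collect();
        // The last component is a file unless the entry ends with '/'.
        let dirs = if entry.ends_with('/') { parts.len() } else { parts.len().saturating_sub(1) };
        for i in 0..dirs {
            if is_bundle(parts[i]) {
                bundles.insert(parts[..=i].join("/"));
            }
        }
    }
    let mut order: Vec<String> = bundles.into_iter().collect();
    // Stable sort: deepest first, path order kept among bundles at equal depth.
    order.sort_by_key(|p| std::cmp::Reverse(bundle_depth(p)));
    order
}

/// Constructed sample modeled on the layout in the thread; the Watch entries
/// use hypothetical names.
pub fn sample_entries() -> Vec<&'static str> {
    vec![
        "Payload/Main.app/Info.plist",
        "Payload/Main.app/Main",
        "Payload/Main.app/Frameworks/Eureka.framework/Eureka",
        "Payload/Main.app/Frameworks/SwiftyButton.framework/SwiftyButton",
        "Payload/Main.app/PlugIns/MainExtension.appex/MainExtension",
        "Payload/Main.app/Watch/MainWatch.app/MainWatch",
        "Payload/Main.app/Watch/MainWatch.app/PlugIns/MainWatchExt.appex/MainWatchExt",
    ]
}

fn main() {
    for bundle in signing_order(&sample_entries()) {
        println!("sign {}", bundle);
    }
}
```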
This is already implemented, we can resign bundles
That's cool then. If it is implemented, this issue can be closed.
Per #29, it is apparent that we don't support signing IPAs directly.
We should implement support for signing IPAs.
I've never done iOS/iWatch/etc development and have never used IPAs. So if someone wants to chime in with what they think are a reasonable list of requirements and end-user workflows, please do so!