jmoody / briar-resigning-example

Instructions on how to resign an .ipa with briar

Trying to install my resigned .ipa via Xcode 8 errors with "The executable was signed with invalid entitlements." #1

Open michaelkirk opened 8 years ago

michaelkirk commented 8 years ago

Given an xcarchive from a build uploaded to ITC

And I've extracted the ipa via:

xcodebuild \
  -exportArchive \
  -exportOptionsPlist \
  -exportFormat ipa \
  -archivePath "${XCARCHIVE_PATH}" \
  -exportPath MyApp.ipa

When I run bundle exec briar resign MyApp.ipa

Then I get this output:

Binary file ~/Downloads/MyApp_AdHoc_Prod_Distribution.mobileprovision matches

----------Info----------
will resign with identity 'iPhone Distribution: MY COMPANY (xxxxxxxxxx)'
---------------------------
INFO: making a directory to put the resigned ipa in
INFO: copying assets to 'resigned'
unzipping 'resigned/MyApp.ipa'
INFO: found app at 'resigned/Payload/MyApp.app'
INFO: found info plist at 'resigned/Payload/MyApp.app/Info.plist'
INFO: found mobile provision id 'MyApp_AdHoc_Prod_Distribution'
INFO: replacing embedded.mobileprovision with 'resigned/MyApp_AdHoc_Prod_Distribution.mobileprovision'
INFO: parsed plist at 'resigned/Payload/MyApp.app/Info.plist'
INFO: found bundle identifier 'me.example.myapp'
INFO: found bundle executable 'MyApp'
INFO: found appname 'MyApp'
INFO: creating new entitlements with 'U68MSDN6DR'
INFO: signing with 'xcrun codesign --verbose=4 --deep -f -s "iPhone Distribution: MY COMPANY (xxxxxxxxxx)" "resigned/Payload/MyApp.app/MyApp" --entitlements "resigned/new-entitlements.plist"'

INFO: zipping up Payload
INFO: finished signing 'resigned/MyApp.ipa'

When I go to Xcode's device organizer and add my resigned .ipa to my device's "Installed Apps"

Then I see a progress indicator for a few seconds

Then I see:

The executable was signed with invalid entitlements.

The entitlements specified in your application’s Code Signing Entitlements file are invalid, not permitted, or do not match those specified in your provisioning profile. (0xE8008016).

User error?

michaelkirk commented 8 years ago

Ah, it looks like the entitlements are hardcoded: https://github.com/jmoody/briar/blob/develop/bin/briar_resign.rb#L236

jmoody commented 8 years ago

Sadly, briar's resigning tools are out of date for apps that have extensions or swift dylibs.

michaelkirk commented 8 years ago

The invalid entitlement in my case was having debugging enabled.

So by removing the debug entitlement I could get the app to install and sign, but I actually needed some other entitlements, e.g. push notifications, which were specified in my provisioning profile, but not in my app.

To get the entitlements file I needed, I followed this guide to find entitlements from my app and provisioning profile: https://developer.apple.com/library/content/qa/qa1798/_index.html#//apple_ref/doc/uid/DTS40014167-CH1-INSPECT_IPA

I compared the two and saw that production had a reference to Apple's beta reports services (crash reports?). My adhoc profile did not have this.

So essentially, I took the production entitlements, removed the beta reports services, and was then able to build, sign, install, and run my app.

Phew.

Unfortunately, for expediency, I just hacked briar to hardcode exactly what I needed. Since entitlement files are so special case, it might be best to just have an optional --entitlements flag that takes a path to an entitlements file.

Keeping the as-is behavior for default might be ok? It depends on how often it's confusing vs how often it's useful. So far I'm 0/1. ;)
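
The comparison described in the last comment (entitlements about to be signed into the app versus those granted by the provisioning profile), as an added Python example that is not part of the thread or of briar. The plists, the team identifier and the function names are constructed for illustration, and the boolean rule is a simplification.

```python
import plistlib
from fnmatch import fnmatchcase

# Constructed sample data, not taken from the thread. On a Mac the real inputs come from
#   codesign -d --entitlements :- Payload/MyApp.app      (entitlements in the signature)
#   security cms -D -i embedded.mobileprovision          (decoded profile plist)
TEAM = "ABCDE12345"  # placeholder team identifier
PROFILE_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>MyApp_AdHoc_Prod_Distribution</string>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>{TEAM}.me.example.myapp</string>
    <key>aps-environment</key><string>production</string>
    <key>get-task-allow</key><false/>
    <key>keychain-access-groups</key><array><string>{TEAM}.*</string></array>
  </dict>
</dict></plist>""".encode()
APP_ENTITLEMENTS = {  # what a resign step is about to pass to codesign
    "application-identifier": f"{TEAM}.me.example.myapp",
    "get-task-allow": True,
    "beta-reports-active": True,
    "keychain-access-groups": [f"{TEAM}.me.example.myapp"],
}

def allowed(requested, granted):
    """True if the requested value is covered by the profile's value."""
    if isinstance(requested, bool) or isinstance(granted, bool):
        # Simplification: a boolean may be turned off, but not on, relative to the profile.
        return requested == granted or requested is False
    if isinstance(requested, list):
        grants = granted if isinstance(granted, list) else [granted]
        return all(any(fnmatchcase(r, g) for g in grants) for r in requested)
    return fnmatchcase(str(requested), str(granted))  # profile strings may end in '*'

def check_entitlements(app, profile_plist):
    """Return (rejected, unused): keys the profile does not cover, and grants the app omits."""
    granted = plistlib.loads(profile_plist)["Entitlements"]
    rejected = sorted(k for k, v in app.items()
                      if k not in granted or not allowed(v, granted[k]))
    unused = sorted(k for k in granted if k not in app)
    return rejected, unused

if __name__ == "__main__":
    rejected, unused = check_entitlements(APP_ENTITLEMENTS, PROFILE_PLIST)
    print("not permitted by profile:", rejected)
    print("in profile but not requested:", unused)
```

Running the check before `codesign` surfaces the same classes of mismatch the thread walks through: a debug entitlement the distribution profile does not allow, a key the ad hoc profile lacks, and a granted entitlement the app never requests.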