Can't push IPA on device after Resign also Entitlement file was missing from ipa

[omkarzunjurke]

I resigned spa using sign it resigned but that not able push on device it gives app verification fail error I using libmoblile command ideviceinstaller to install , I also tried using iTunes but not able install ipa ,it get stuck while installing IPA . After the extracting ipa Entitlement files was missing .

mac:sign omkarzunjurke$ ideviceinstaller -i resigned.ipa WARNING: could not locate iTunesMetadata.plist in archive! WARNING: could not locate Payload/Mobile_diagnostic.app/SC_Info/sample.sinf in archive! Copying 'resigned.ipa' to device... DONE. Installing 'sample.app.'

• CreatingStagingDirectory (5%)
• ExtractingPackage (15%)
• InspectingPackage (20%)
• TakingInstallLock (20%)
• PreflightingApplication (30%)
• InstallingEmbeddedProfile (30%)
• VerifyingApplication (40%)
• Error occurred: ApplicationVerificationFailed

Please suggest solution on this ,Thank in advance .

[omkarzunjurke]

One more thing is I have separate shell script for IPA resign which run on MAC when i resign the IPA using this shell script IPA installed on device , but when i resigned same IPA & certificate/ profiles using isign it gives me above error (Error occurred: ApplicationVerificationFailed).So the Certificates & provisions profits are c correct .

[neilk]

Thanks for the detailed bug report. Can you provide the IPA via email or post it somewhere so I can repro this?

[omkarzunjurke]

Hello Neil ,Sorry but I can't put IPA or Profiles/ Certificates related details to mail becoz its against company privacy & policy . Even i can't send demo IPA ,Send me logs location so i can send logs of pythons script .

[neilk]

isign's logs are printed to STDERR. Passing the --verbose flag will produce a more verbose log.

[asionius]

Hi omkarzunjurke, I met the same problem, have you fix the issue or have you figure out the reason?

[omkarzunjurke]

Hello asionius & Neilk , I found the RCA & solution over it , RCA is after the resign the IPA . Python script create entitlement.plist file . This entitlement.plist is not match with new provision profile, so it gives error
" Application Verification failed" Error while installing IPA on Linux Machine , then i Checked iOS device log it gives me error "IPA is signed with invalid entitlement.plist file " while install the IPA on device. After checking code I found in bundle.py file create entitlement.plist base on provision profile All values of property are taking dynamically accept "get-task-allow" property it is hardcoded to "true" but in new provision profile it is "false" so after the IPA resign process it not matching with new provision profile file while installing application . Solution :So i make it dynamic means whatever the value of property in new provision profile that that in entitlement.plist while creating it . other solution is make it " false/true " directly by checking value in provision profile .

@neilk Can I push the code on server OR your going to resolved it on your way .

So this solution is worked for me now IPA is installed properly on my device after resign .

[asionius]

@omkarzunjurke Hi omkarzunjurke， Thank you for your answer, it helps me a lot! Bundle.py construct entitlements.plist via Inofo.plist rather than mobilprofile right? Because my provisionprofile contain bundleid which is different from that in info.plist, the entitlements.plist constructed by isign is different from that in provisionprofile, which prevent the ipa package from being installed

[mkayswork]

@omkarzunjurke thanks for this detailed answer! Lucky for me that you have been discussing this just a few hours ago!

I am using isign to resign enterprise applications and the solution from above works for me too. I also can say that changing the hardcoded value from true to false solves my problem about an invalid entitlements. As changing hardcoded stuff wouldn't be that good, have do we intend to solve this? Feature request? I am asking in detail because I don't know how this is handled and I want to learn how do deal with such an situation on github projects

[omkarzunjurke]

@asionius I think it's right info is fetched from info.plist file .

[omkarzunjurke]

@mkayswork Yes right changing the hardcode value is not good ,So i already suggest that fetch value from provision profile programatically

[neilk]

Yes, this is how it should work - fetching the correct entitlements from the provisioning profile.

Sorry, I had a branch where I did some of this work, but it was tied to other fixes for iOS 10. I am trying to find the time to work on some of these fixes, I'll block off some time on Wednesday.

If you have a patch that just does this, please make a PR and I'll fix it.

[asionius]

Hello, omkarzunjurke Where can I get iOS device log?

[omkarzunjurke]

@asionius if you have Xcode then goto windows menu ->devices then select device from left side and expand bottom console panel you will see run times device log if your on linux machine by using libmobile library run " idevicesyslog " command you will get run time log of connected device .

[asionius]

@omkarzunjurke thanks for your detailed answer!

[MiguelChiang]

@omkarzunjurke Thanks for the solution. We are having the same issue about entitlement not match, hope copying all values from provision profile will fix all the problem. @neilk We have custom keychain access group and some other identifier at the entitlement. Will isign simply add --entitlement flag so that we could provide our own entitlement?

[neilk]

An --entitlement flag seems like a good idea, in case someone doesn't want to use their provisioning profile's entitlements. Making an issue here: #69

[omkarzunjurke]

@MiguelChiang welcome :) @neilk yup I think this is good option to put customs entitlement (y).

[justindhill]

Hi @neilk - I put a bit of code and a lot of research toward making a PR for making provisioning profile-based entitlements a reality in isign tonight. Basically, I am successfully extracting the entitlements dictionary from the passed provisioning profile and then writing it out to Bundle.entitlements_path. Unfortunately, it looks like there needs to be a bit more work done here, as re-signing results in only the executable path being present in the entitlements:

I've traced it all the way down to Codesig.set_entitlements, which appears to be loading and setting the bytes just fine. I'll keep chewing on this, but perhaps you have some insight you could offer here.

Current progress in #71

Edit: It looks like I am also experiencing this behavior in the unmodified code at https://github.com/saucelabs/isign/releases/tag/v1.5.55

[justindhill]

After a little more research, I found that the new entitlements plist is in fact being embedded in the image. I think this suggests that the offset isn't right. Btw, testing this on both OS X 10.11 and Ubuntu 16.04.

[justindhill]

Some more interesting info - here's a diff of jtool output (regular slot hashes snipped out) for a binary signed with codesign and one signed with isign. Interestingly, there are two Code Directory blobs (for different architecture slices?). isign doesn't touch the second blob (at index 3), which results in mismatches in special slot hashes.

[neilk]

Yes, we should talk sooner so you don't have to find out this stuff the hard way.

Probably in anticipation of iOS 10, Apple is now signing apps with two sets of hashes, SHA-1 and SHA-256. We haven't yet modified isign to deal with this, so instead, we just ignore them and create SHA-1 only. iPhones still accept apps signed only with SHA-1, but probably that will be deprecated sometime soon. So the clock is ticking on this one and we need to fix it.

I'm not sure about the bug you might have discovered there with offsets. Will need to investigate more.

[justindhill]

Sure, happy to work with you on this. Do you have a Slack you can invite me to?

[justindhill]

So it just occurred to me that all the issues I've been seeing stem from the fact that both of my personal devices are on the iOS 10 beta. I've been unable to install. Just tried to install on an iOS 9 test device and it worked fine. Yikes, need to get this taken care of asap. This is going to break you guys in a couple weeks when Apple drops the iOS 10 GM.

edit: It would break me too, but I haven't integrated isign into our workflow just yet. :P

[neilk]

Re: Slack, I asked other people who run open source projects, and they had mixed experiences. I'm going to experiment with it - only people who've submitted PR requests. Check your email.

Re: iOS 10 -- it's a big issue for us, so, yes!!