Skip to content

Instantly share code, notes, and snippets.

@WeptunUser
Forked from mediabounds/floatsign.sh
Last active January 1, 2022 21:23
Show Gist options
  • Save WeptunUser/5406993 to your computer and use it in GitHub Desktop.
Save WeptunUser/5406993 to your computer and use it in GitHub Desktop.
Now fix when no entitlements are present.
# !/bin/bash
# Copyright (c) 2011 Float Mobile Learning
# http://www.floatlearning.com/
# Extension Copyright (c) 2013 Weptun Gmbh
# http://www.weptun.de
#
# Extended by Ronan O Ciosoig January 2012
#
# Extended by Patrick Blitz, April 2013
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Please let us know about any improvements you make to this script!
# ./floatsign source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"] [-e entitlements] [-k keychain] -b "BundleIdentifier" outputIpa
#
#
# Modifed 26th January 2012
#
# new features January 2012:
# 1. change the app display name
#
# new features April 2013
# 1. specify the target bundleId on the command line
# 2. correctly handles entitlements for keychain-enabled resigning
#
function checkStatus {
if [ $? -ne 0 ];
then
echo "Had an Error, aborting!"
exit 1
fi
}
if [ $# -lt 3 ]; then
echo "usage: $0 source identity -p provisioning [-e entitlements] [-d displayName] -b bundleId outputIpa" >&2
echo "\t\t -p and -b are optional, but their use is heavly recommonded" >&2
exit 1
fi
ORIGINAL_FILE="$1"
CERTIFICATE="$2"
NEW_PROVISION=
ENTITLEMENTS=
BUNDLE_IDENTIFIER=""
DISPLAY_NAME=""
PROVISIONING_PROFILE_PREFIX=""
KEYCHAIN=""
# options start index
OPTIND=3
while getopts p:d:e:k:b: opt; do
case $opt in
p)
NEW_PROVISION="$OPTARG"
echo "Specified provisioning profile: $NEW_PROVISION" >&2
;;
d)
DISPLAY_NAME="$OPTARG"
echo "Specified display name: $DISPLAY_NAME" >&2
;;
e)
ENTITLEMENTS="$OPTARG"
echo "Specified signing entitlements: $ENTITLEMENTS" >&2
;;
b)
BUNDLE_IDENTIFIER="$OPTARG"
echo "Specified bundle identifier: $BUNDLE_IDENTIFIER " >&2
;;
k)
KEYCHAIN="$OPTARG"
echo "Specified Keychain to use: $KEYCHAIN " >&2
;;
\?)
echo "Invalid option: -$OPTARG" >&2
exit 1
;;
:)
echo "Option -$OPTARG requires an argument." >&2
exit 1
;;
esac
done
shift $((OPTIND-1))
NEW_FILE="$1"
# Check if the supplied file is an ipa or an app file
if [ "${ORIGINAL_FILE#*.}" = "ipa" ]
then
# Unzip the old ipa quietly
unzip -q "$ORIGINAL_FILE" -d temp
checkStatus
elif [ "${ORIGINAL_FILE#*.}" = "app" ]
then
# Copy the app file into an ipa-like structure
mkdir -p "temp/Payload"
cp -Rf "${ORIGINAL_FILE}" "temp/Payload/${ORIGINAL_FILE}"
checkStatus
else
echo "Error: Only can resign .app files and .ipa files." >&2
exit
fi
# check the keychain
if [ "${KEYCHAIN}" != "" ];
then
security list-keychains -s $KEYCHAIN
security unlock $KEYCHAIN
security default-keychain -s $KEYCHAIN
fi
# Set the app name
# The app name is the only file within the Payload directory
APP_NAME=$(ls temp/Payload/)
echo "APP_NAME=$APP_NAME" >&2
export PATH=$PATH:/usr/libexec
CURRENT_NAME=`PlistBuddy -c "Print :CFBundleDisplayName" "temp/Payload/$APP_NAME/Info.plist"`
CURRENT_BUNDLE_IDENTIFIER=`PlistBuddy -c "Print :CFBundleIdentifier" "temp/Payload/$APP_NAME/Info.plist"`
if [ "${BUNDLE_IDENTIFIER}" == "" ];
then
BUNDLE_IDENTIFIER=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" | grep string | sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' | awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'`
if [[ "${BUNDLE_IDENTIFIER}" == *\** ]]; then
echo "Bundle Identifier contains a *, using the current bundle identifier";
BUNDLE_IDENTIFIER=$CURRENT_BUNDLE_IDENTIFIER;
fi
checkStatus
fi
echo "Bundle Identifier is ${BUNDLE_IDENTIFIER}"
if [ "${DISPLAY_NAME}" != "" ];
then
echo "read Info.plist file" "temp/Payload/$ORIGINAL_FILE/Info.plist"
# CURRENT_NAME=/usr/libexec/PlistBuddy -c "Print :CFBundleDisplayName" "temp/Payload/$ORIGINAL_FILE/Info.plist"
echo "Changing display name from $CURRENT_NAME to " $DISPLAY_NAME
`PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "temp/Payload/$APP_NAME/Info.plist"`
# PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" temp/Payload/$ORIGINAL_FILE/Info.plist
fi
# Replace the embedded mobile provisioning profile
if [ "$NEW_PROVISION" != "" ];
then
echo "Adding the new provision: $NEW_PROVISION"
ENTITLEMENTS_TEMP=`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" | sed -E -e '1d'`
if [ -n "$ENTITLEMENTS_TEMP" ]; then
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > temp/newEntitlements
fi
# echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" | sed -E -e '1d'`" > temp/newEntitlements
cp "$NEW_PROVISION" "temp/Payload/$APP_NAME/embedded.mobileprovision"
PROVISIONING_PROFILE_PREFIX=`grep '<key>application-identifier</key>' "temp/Payload/$APP_NAME/embedded.mobileprovision" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'`
checkStatus
fi
#if the current bundle identifier is different from the new one in the provisioning profile, then change it.
if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ];
then
echo "Update the bundle identifier"
`PlistBuddy -c "Set :CFBundleIdentifier $BUNDLE_IDENTIFIER" "temp/Payload/$APP_NAME/Info.plist"`
checkStatus
fi
# Resign the application
echo "Resigning application using certificate: $CERTIFICATE" >&2
if [ "$ENTITLEMENTS" != "" ];
then
echo "Using Entitlements: $ENTITLEMENTS" >&2
/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
checkStatus
else
if [ "$PROVISIONING_PROFILE_PREFIX" != "" ] && [ -s temp/newEntitlements ];
#if [ -s temp/newEntitlements ];
then
# extract current entitlements
PlistBuddy -c "Set :application-identifier ${PROVISIONING_PROFILE_PREFIX}.${BUNDLE_IDENTIFIER}" temp/newEntitlements
checkStatus
PlistBuddy -c "Set :keychain-access-groups:0 ${PROVISIONING_PROFILE_PREFIX}.${BUNDLE_IDENTIFIER}" temp/newEntitlements
checkStatus
PlistBuddy -c "Set :com.apple.developer.team-identifier ${PROVISIONING_PROFILE_PREFIX}" temp/newEntitlements
checkStatus
plutil -lint temp/newEntitlements
checkStatus
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" --entitlements="temp/newEntitlements" "temp/Payload/$APP_NAME"
checkStatus
rm temp/newEntitlements
else
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
fi
fi
# Repackage quietly
echo "Repackaging as $NEW_FILE"
# Zip up the contents of the temp folder
# Navigate to the temporary directory (sending the output to null)
# Zip all the contents, saving the zip file in the above directory
# Navigate back to the orignating directory (sending the output to null)
pushd temp > /dev/null
zip -qr ../temp.ipa *
popd > /dev/null
# Move the resulting ipa to the target destination
mv temp.ipa "$NEW_FILE"
# Remove the temp directory
rm -rf "temp"
@markusthegeek
Copy link

In the current version, you cannot extract the entitlements correctly if you are also setting the display name.

Codesign gives you an error if the Info.plist has already been changed before exporting the entitlements. The solution is to move the display name section below the mobile provisioning section.

@scheibinger
Copy link

Script works fine for re-signing apps signed with developer certificate. Has anyone tried to re-sign the app signed with distribution cert into developer certificate?

@didge
Copy link

didge commented Mar 10, 2014

This was a great start for my needs, but didn't handle entitlements correctly when the app id prefix changes, which would happen when you resign a .ipa having a different certificate than what you resign it with.

I addressed that and did some clean up, check it out here: https://gist.github.com/didge/9466154.

@markusthegeek
Copy link

You need to add the following line around line 200 in order to change teams wit recent Xcode builds:
PlistBuddy -c "Set :com.apple.developer.team-identifier ${PROVISIONING_PROFILE_PREFIX}" temp/newEntitlements

This fixes the following in the iOS system log:
"entitlement 'com.apple.developer.team-identifier' has value not permitted by provisioning profile ..."

@WeptunUser
Copy link
Author

Thanks @markusthegeek, I applied the fix!

@GoannaGuy
Copy link

I have posted a modified version of this script in a repository at https://github.com/nanonation/floatsign

Specifically, we made some changes to support iOS 8's new embedded frameworks feature. We've also added some sanity checking to warn of issues we've encountered with 'com.apple.developer.team-identifier' not being found in provisioning profiles of a certain age.

@kenman345
Copy link

Since we have the mobile provisioning profile as input, would it be possible to modify the script to use the first certificate in the DeveloperCertificates attribute of the mobileprovision? I would love to be able to reduce the amount of inputs required when I know the only certificate in the provisioning profile should be in my keychain

Also, is there a way to check that the certificate is not revoked or anything along those lines?

@phadatareshankar
Copy link

Can anybody tell me the steps how to run the script to resign ipa file, i tried to run but getting error like "Only can resign .app files and .ipa files.". Also possible whats do i need to do pre setup for resigning any ipa with new provisioning profile.

@VooDooChicken
Copy link

Hi, I tried to run this script with something like

sh floatsign.sh myapp.ipa ABC123ASD -p "myapp working dir/myapp_distribution.mobileprovision" -d "My App" -b com.mysite.myapp myappresigned.ipa

I keep getting this error (copy paste except for certificate name)

Resigning application using certificate: ABC123ASD
Set: Entry, ":keychain-access-groups:0", Does Not Exist
Had an Error, aborting!

I am not familiar with codesign command, but if I run codesign -s ABC123ASD myapp.ipa, I get a message that the file is already signed, and if I change the certificate id it will give an error, so it recognizes the string ABC123ASD as a certificate; I also see that inside the script it is called codesign, but there are some things about an optional keychain. I commented those lines about the keychain (added a # before each line that checked if there was a -k parameter), still the same result. any pointers?

thanks in advance

@deepakrout
Copy link

I was getting same issue, but when I passed the entitlement in the command with -e flag it worked.

Somthing like this....

sh floatsign.sh myapp.ipa ABC123ASD -p "myapp working dir/myapp_distribution.mobileprovision" -d "My App" -e entitlements.plist -b com.mysite.myapp myappresigned.ipa

Good luck!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment