-
-
Save WeptunUser/5406993 to your computer and use it in GitHub Desktop.
# !/bin/bash | |
# Copyright (c) 2011 Float Mobile Learning | |
# http://www.floatlearning.com/ | |
# Extension Copyright (c) 2013 Weptun Gmbh | |
# http://www.weptun.de | |
# | |
# Extended by Ronan O Ciosoig January 2012 | |
# | |
# Extended by Patrick Blitz, April 2013 | |
# | |
# Permission is hereby granted, free of charge, to any person obtaining | |
# a copy of this software and associated documentation files (the "Software"), | |
# to deal in the Software without restriction, including without limitation | |
# the rights to use, copy, modify, merge, publish, distribute, sublicense, | |
# and/or sell copies of the Software, and to permit persons to whom the | |
# Software is furnished to do so, subject to the following conditions: | |
# | |
# The above copyright notice and this permission notice shall be included | |
# in all copies or substantial portions of the Software. | |
# | |
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS | |
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | |
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY | |
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, | |
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE | |
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
# | |
# Please let us know about any improvements you make to this script! | |
# ./floatsign source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"] [-e entitlements] [-k keychain] -b "BundleIdentifier" outputIpa | |
# | |
# | |
# Modifed 26th January 2012 | |
# | |
# new features January 2012: | |
# 1. change the app display name | |
# | |
# new features April 2013 | |
# 1. specify the target bundleId on the command line | |
# 2. correctly handles entitlements for keychain-enabled resigning | |
# | |
function checkStatus { | |
if [ $? -ne 0 ]; | |
then | |
echo "Had an Error, aborting!" | |
exit 1 | |
fi | |
} | |
if [ $# -lt 3 ]; then | |
echo "usage: $0 source identity -p provisioning [-e entitlements] [-d displayName] -b bundleId outputIpa" >&2 | |
echo "\t\t -p and -b are optional, but their use is heavly recommonded" >&2 | |
exit 1 | |
fi | |
ORIGINAL_FILE="$1" | |
CERTIFICATE="$2" | |
NEW_PROVISION= | |
ENTITLEMENTS= | |
BUNDLE_IDENTIFIER="" | |
DISPLAY_NAME="" | |
PROVISIONING_PROFILE_PREFIX="" | |
KEYCHAIN="" | |
# options start index | |
OPTIND=3 | |
while getopts p:d:e:k:b: opt; do | |
case $opt in | |
p) | |
NEW_PROVISION="$OPTARG" | |
echo "Specified provisioning profile: $NEW_PROVISION" >&2 | |
;; | |
d) | |
DISPLAY_NAME="$OPTARG" | |
echo "Specified display name: $DISPLAY_NAME" >&2 | |
;; | |
e) | |
ENTITLEMENTS="$OPTARG" | |
echo "Specified signing entitlements: $ENTITLEMENTS" >&2 | |
;; | |
b) | |
BUNDLE_IDENTIFIER="$OPTARG" | |
echo "Specified bundle identifier: $BUNDLE_IDENTIFIER " >&2 | |
;; | |
k) | |
KEYCHAIN="$OPTARG" | |
echo "Specified Keychain to use: $KEYCHAIN " >&2 | |
;; | |
\?) | |
echo "Invalid option: -$OPTARG" >&2 | |
exit 1 | |
;; | |
:) | |
echo "Option -$OPTARG requires an argument." >&2 | |
exit 1 | |
;; | |
esac | |
done | |
shift $((OPTIND-1)) | |
NEW_FILE="$1" | |
# Check if the supplied file is an ipa or an app file | |
if [ "${ORIGINAL_FILE#*.}" = "ipa" ] | |
then | |
# Unzip the old ipa quietly | |
unzip -q "$ORIGINAL_FILE" -d temp | |
checkStatus | |
elif [ "${ORIGINAL_FILE#*.}" = "app" ] | |
then | |
# Copy the app file into an ipa-like structure | |
mkdir -p "temp/Payload" | |
cp -Rf "${ORIGINAL_FILE}" "temp/Payload/${ORIGINAL_FILE}" | |
checkStatus | |
else | |
echo "Error: Only can resign .app files and .ipa files." >&2 | |
exit | |
fi | |
# check the keychain | |
if [ "${KEYCHAIN}" != "" ]; | |
then | |
security list-keychains -s $KEYCHAIN | |
security unlock $KEYCHAIN | |
security default-keychain -s $KEYCHAIN | |
fi | |
# Set the app name | |
# The app name is the only file within the Payload directory | |
APP_NAME=$(ls temp/Payload/) | |
echo "APP_NAME=$APP_NAME" >&2 | |
export PATH=$PATH:/usr/libexec | |
CURRENT_NAME=`PlistBuddy -c "Print :CFBundleDisplayName" "temp/Payload/$APP_NAME/Info.plist"` | |
CURRENT_BUNDLE_IDENTIFIER=`PlistBuddy -c "Print :CFBundleIdentifier" "temp/Payload/$APP_NAME/Info.plist"` | |
if [ "${BUNDLE_IDENTIFIER}" == "" ]; | |
then | |
BUNDLE_IDENTIFIER=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" | grep string | sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' | awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'` | |
if [[ "${BUNDLE_IDENTIFIER}" == *\** ]]; then | |
echo "Bundle Identifier contains a *, using the current bundle identifier"; | |
BUNDLE_IDENTIFIER=$CURRENT_BUNDLE_IDENTIFIER; | |
fi | |
checkStatus | |
fi | |
echo "Bundle Identifier is ${BUNDLE_IDENTIFIER}" | |
if [ "${DISPLAY_NAME}" != "" ]; | |
then | |
echo "read Info.plist file" "temp/Payload/$ORIGINAL_FILE/Info.plist" | |
# CURRENT_NAME=/usr/libexec/PlistBuddy -c "Print :CFBundleDisplayName" "temp/Payload/$ORIGINAL_FILE/Info.plist" | |
echo "Changing display name from $CURRENT_NAME to " $DISPLAY_NAME | |
`PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "temp/Payload/$APP_NAME/Info.plist"` | |
# PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" temp/Payload/$ORIGINAL_FILE/Info.plist | |
fi | |
# Replace the embedded mobile provisioning profile | |
if [ "$NEW_PROVISION" != "" ]; | |
then | |
echo "Adding the new provision: $NEW_PROVISION" | |
ENTITLEMENTS_TEMP=`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" | sed -E -e '1d'` | |
if [ -n "$ENTITLEMENTS_TEMP" ]; then | |
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > temp/newEntitlements | |
fi | |
# echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" | sed -E -e '1d'`" > temp/newEntitlements | |
cp "$NEW_PROVISION" "temp/Payload/$APP_NAME/embedded.mobileprovision" | |
PROVISIONING_PROFILE_PREFIX=`grep '<key>application-identifier</key>' "temp/Payload/$APP_NAME/embedded.mobileprovision" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'` | |
checkStatus | |
fi | |
#if the current bundle identifier is different from the new one in the provisioning profile, then change it. | |
if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ]; | |
then | |
echo "Update the bundle identifier" | |
`PlistBuddy -c "Set :CFBundleIdentifier $BUNDLE_IDENTIFIER" "temp/Payload/$APP_NAME/Info.plist"` | |
checkStatus | |
fi | |
# Resign the application | |
echo "Resigning application using certificate: $CERTIFICATE" >&2 | |
if [ "$ENTITLEMENTS" != "" ]; | |
then | |
echo "Using Entitlements: $ENTITLEMENTS" >&2 | |
/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME" | |
checkStatus | |
else | |
if [ "$PROVISIONING_PROFILE_PREFIX" != "" ] && [ -s temp/newEntitlements ]; | |
#if [ -s temp/newEntitlements ]; | |
then | |
# extract current entitlements | |
PlistBuddy -c "Set :application-identifier ${PROVISIONING_PROFILE_PREFIX}.${BUNDLE_IDENTIFIER}" temp/newEntitlements | |
checkStatus | |
PlistBuddy -c "Set :keychain-access-groups:0 ${PROVISIONING_PROFILE_PREFIX}.${BUNDLE_IDENTIFIER}" temp/newEntitlements | |
checkStatus | |
PlistBuddy -c "Set :com.apple.developer.team-identifier ${PROVISIONING_PROFILE_PREFIX}" temp/newEntitlements | |
checkStatus | |
plutil -lint temp/newEntitlements | |
checkStatus | |
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" --entitlements="temp/newEntitlements" "temp/Payload/$APP_NAME" | |
checkStatus | |
rm temp/newEntitlements | |
else | |
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME" | |
fi | |
fi | |
# Repackage quietly | |
echo "Repackaging as $NEW_FILE" | |
# Zip up the contents of the temp folder | |
# Navigate to the temporary directory (sending the output to null) | |
# Zip all the contents, saving the zip file in the above directory | |
# Navigate back to the orignating directory (sending the output to null) | |
pushd temp > /dev/null | |
zip -qr ../temp.ipa * | |
popd > /dev/null | |
# Move the resulting ipa to the target destination | |
mv temp.ipa "$NEW_FILE" | |
# Remove the temp directory | |
rm -rf "temp" |
Script works fine for re-signing apps signed with developer certificate. Has anyone tried to re-sign the app signed with distribution cert into developer certificate?
This was a great start for my needs, but didn't handle entitlements correctly when the app id prefix changes, which would happen when you resign a .ipa having a different certificate than what you resign it with.
I addressed that and did some clean up, check it out here: https://gist.github.com/didge/9466154.
You need to add the following line around line 200 in order to change teams wit recent Xcode builds:
PlistBuddy -c "Set :com.apple.developer.team-identifier ${PROVISIONING_PROFILE_PREFIX}" temp/newEntitlements
This fixes the following in the iOS system log:
"entitlement 'com.apple.developer.team-identifier' has value not permitted by provisioning profile ..."
Thanks @markusthegeek, I applied the fix!
I have posted a modified version of this script in a repository at https://github.com/nanonation/floatsign
Specifically, we made some changes to support iOS 8's new embedded frameworks feature. We've also added some sanity checking to warn of issues we've encountered with 'com.apple.developer.team-identifier' not being found in provisioning profiles of a certain age.
Since we have the mobile provisioning profile as input, would it be possible to modify the script to use the first certificate in the DeveloperCertificates attribute of the mobileprovision? I would love to be able to reduce the amount of inputs required when I know the only certificate in the provisioning profile should be in my keychain
Also, is there a way to check that the certificate is not revoked or anything along those lines?
Can anybody tell me the steps how to run the script to resign ipa file, i tried to run but getting error like "Only can resign .app files and .ipa files.". Also possible whats do i need to do pre setup for resigning any ipa with new provisioning profile.
Hi, I tried to run this script with something like
sh floatsign.sh myapp.ipa ABC123ASD -p "myapp working dir/myapp_distribution.mobileprovision" -d "My App" -b com.mysite.myapp myappresigned.ipa
I keep getting this error (copy paste except for certificate name)
Resigning application using certificate: ABC123ASD
Set: Entry, ":keychain-access-groups:0", Does Not Exist
Had an Error, aborting!
I am not familiar with codesign command, but if I run codesign -s ABC123ASD myapp.ipa, I get a message that the file is already signed, and if I change the certificate id it will give an error, so it recognizes the string ABC123ASD as a certificate; I also see that inside the script it is called codesign, but there are some things about an optional keychain. I commented those lines about the keychain (added a # before each line that checked if there was a -k parameter), still the same result. any pointers?
thanks in advance
I was getting same issue, but when I passed the entitlement in the command with -e flag it worked.
Somthing like this....
sh floatsign.sh myapp.ipa ABC123ASD -p "myapp working dir/myapp_distribution.mobileprovision" -d "My App" -e entitlements.plist -b com.mysite.myapp myappresigned.ipa
Good luck!
In the current version, you cannot extract the entitlements correctly if you are also setting the display name.
Codesign gives you an error if the Info.plist has already been changed before exporting the entitlements. The solution is to move the display name section below the mobile provisioning section.