- These command line tools to streamline the process
- The mobile provisioning profile you want to apply
- The certificate used in that process, which has been imported into your Keychain
ipa_sign SayNoToolkit.ipa ~/Dropbox/Provisioning\ Profiles/com_ch2m_snt_totalonion_distribution.mobileprovision "iPhone Distribution: Total Onion Ltd (3U978V6C3T)"
Explanation:
- SayNoToolkit.ipa: the app to resign
- com_ch2m_snt_totalonion_distribution.mobileprovision: The provisioning profile
- "iPhone Distribution: Total Onion Ltd (3U978V6C3T)": The name of the certificate as it appears in your Keychain
The command line tools are Windows only and are part of the Driver Development Kit
https://msdn.microsoft.com/windows/hardware/drivers/devtest/signtool
- The makeappx.exe file is used to pack and unpack appx files
- The signtool.exe file is used to sign them
We had to sign an appx created with PhoneGap Build (Cordova) with an Enterprise certificate. PGB should have added the publisher information with this entry in the config.xml file:
<preference name="WindowsStorePublisherName" value="OID.0.9.2342.19200300.100.1.1=9223794, CN=Total Onion, OU=Total Onion" />
It didn't, so we had to unpack, edit the manifest, re-pack, and re-sign:
- Unpack with
"C:\Program Files (x86)\Windows Kits\10\bin\x86\makeappx.exe" unpack /p myApplication.appx /d unpacked /l
- /p is the appx in question
- /d is the directory to unpack it into
- /l ignores a bunch of manifest errors
- Edit the manifest.xml to set the correct Publisher="" line
- Re-pack with
"C:\Program Files (x86)\Windows Kits\10\bin\x86\makeappx.exe" pack /d unpacked /p myRepackedApplication.appx /l
- Re-sign with
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /fd SHA256 /a /f myEnterpriseCertificate.pfx /p "myCertificatePassword" myRepackedApplication.appx
- /fd is the hashing algorithm (SHA256 is the default)
- /f is the certificate
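The manual manifest edit in the steps above is where this usually goes wrong: signtool rejects a package whose manifest Publisher differs from the signing certificate's subject. The following is an added example (not part of the original notes) that reads the subject from the .pfx and writes it into the unpacked manifest before re-packing. It assumes the `unpacked` directory and `myEnterpriseCertificate.pfx` names used above, that the manifest is `AppxManifest.xml` in the root of the unpacked directory, and that the subject string as .NET renders it is the form the Publisher attribute needs.

```powershell
# Added example, not from the original notes.
# Assumed names: 'unpacked' and 'myEnterpriseCertificate.pfx' as used in the steps above.
$ErrorActionPreference = 'Stop'
$unpackedDir = 'unpacked'
$pfxPath     = 'myEnterpriseCertificate.pfx'

# Get-PfxCertificate prompts for the PFX password, so it stays out of
# the command line and the shell history.
$cert = Get-PfxCertificate -FilePath $pfxPath

# Catch a certificate outside its validity period before re-packing.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Resolve to a full path: .NET methods do not follow PowerShell's current location.
$manifestPath = Join-Path (Resolve-Path $unpackedDir).Path 'AppxManifest.xml'
$manifest = New-Object System.Xml.XmlDocument
$manifest.PreserveWhitespace = $true   # keep the file's layout when saving
$manifest.Load($manifestPath)

$identity = $manifest.Package.Identity
if ($null -eq $identity) { throw "No <Identity> element in $manifestPath" }

# Case-sensitive comparison: the two strings have to be identical.
$current = $identity.GetAttribute('Publisher')
if ($current -ceq $cert.Subject) {
    Write-Output "Publisher already matches the certificate subject: $current"
} else {
    Write-Output "Manifest Publisher : $current"
    Write-Output "Certificate subject: $($cert.Subject)"
    $identity.SetAttribute('Publisher', $cert.Subject)
    $manifest.Save($manifestPath)
    Write-Output "Updated $manifestPath; re-pack and re-sign as in the steps above."
}
```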
- Open PowerShell as a regular user on a Windows 10 machine
- Check that it has the PKI module installed:
PS D:\Users\boodle> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Manifest 1.0.0.0 PKI {Add-CertificateEnrollmentPolicyServer, Export-Certificate...
Script 1.2 PSReadline {Get-PSReadlineKeyHandler, Get-PSReadlineOption, Remove-PS...
- Exit PowerShell, and re-open it as an Administrator
- Log in to the Windows Developer Console (https://developer.microsoft.com/), open an app, and get the value from : -> "App identity" -> "Package/Identity/Publisher"
- Using that, run the command:
PS C:\Windows\system32> New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName <Your Friendly Name> -CertStoreLocation "Cert:\LocalMachine\My"
- Change to the location of the certs, and list them to make sure it's there:
PS C:\Windows\system32> Set-Location Cert:\LocalMachine\My
PS Cert:\LocalMachine\My> Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint
Subject FriendlyName Thumbprint
------- ------------ ----------
CN=IP-C0A81A8 IP-C0A81A8 < hex thumbprint >
CN=IP-C0A88411 IP-C0A88411 < hex thumbprint >
CN=< ID from Windows dev account > < friendly name > < hex thumbprint >
CN=localhost IIS Express Development Certificate < hex thumbprint >
- Set a password and export it with:
PS Cert:\LocalMachine\My> $pwd = ConvertTo-SecureString -String <Password> -Force -AsPlainText
PS Cert:\LocalMachine\My> Export-PfxCertificate -cert "Cert:\LocalMachine\My\< Thumb print>" -FilePath "< path to cert >.pfx" -Password $pwd
Further reading: https://docs.microsoft.com/en-gb/windows/uwp/packaging/create-certificate-package-signing
- The SignTool is part of Visual Studio. It's about 400KB, but you have to install the whole 6GB. Seriously. Here: https://go.microsoft.com/fwlink/?LinkID=698771
- Once installed it should be in
C:\Program Files (x86)\Windows Kits\10\bin\x64
- Sign it the same as the Windows 8.1 version above, but with the x64 version:
"C:\Program Files (x86)\Windows Kits\10\bin\x64\makeappx.exe" unpack /p CordovaApp.Phone_1.6.6.0_arm_debug.appx /d unpacked /l
"C:\Program Files (x86)\Windows Kits\10\bin\x64\makeappx.exe" pack /d unpacked /p BAT_1.6.6.0_arm.appx /l
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /a /f "< signing key location here >.pfx" /p "< certificate password here >" BAT_1.6.6.0_arm.appx
"C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\AppDeploy\AppDeploy.exe"