Re-signing an Enterprise iOS app

If you have an in-house app that you’ve distributed across your organisation as part of the iOS Enterprise program, you may find that the app stops working or installing.

This is likely because your provisioning profile and/or certificate has expired.

If you look at the console (in Xcode, Devices), you’ll see something like:

Apr 26 15:05:58 iPad amfid[3086] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Apr 26 15:05:58 iPad amfid[3086] <Error>: /private/var/mobile/Containers/Bundle/Application/256F1EAD-8F72-49CA-AC96-A50CD52F788A/MyApp.app/MyApp not valid: 0xe8008015: A valid provisioning profile for this executable was not found.
Apr 26 15:05:58 iPad com.apple.xpc.launchd[1] (UIKitApplication:nz.arun.MyApp[0xba97][3105]) <Notice>: Service exited due to signal: Killed: 9

The error message tells the truth: the provisioning profile is not valid. You will need a new one.

Go to the iOS portal, and renew your provisioning profile. You might have lost your certificate, too. You can request a new one (a separate process). If you’ve changed certificates, then don’t renew the profile. “Edit” it, and choose the new certificate. You’ll then have a new provisioning profile that works with your new certificate.

Now to re-sign the application. You can do this without the original source. Just grab the previously published .ipa file.

Before you start, you’ll need to create a new entitlements.plist file. This used to be required in the old days. I think Xcode takes care of it for you now. But for this manual re-sign process, you’ll have to do it yourself. It should look something like this (using the App ID that’s in your provisioning profile):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>ABCDE12345.nz.arun.MyApp</string>
<key>get-task-allow</key>
<false/>
</dict>
</plist>

Then you need to unzip the .ipa, delete the old signature, copy over the new provisioning profile, sign the app again, and re-zip it:

unzip MyApp.ipa
rm -rf Payload/MyApp.app/_CodeSignature/
cp ~/Downloads/MyApp.mobileprovision Payload/MyApp.app/embedded.mobileprovision
codesign -f -s "iPhone Distribution: My Enterprise Ltd" --entitlements entitlements.plist Payload/MyApp.app
zip -qr MyAppResigned.ipa Payload/

Then you can put that .ipa where the old one was, and you’re good to go again.
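
An added example, not from the original post: before running codesign, this Python check reads the plist embedded in a .mobileprovision file and reports an expired profile, or an entitlements.plist whose application-identifier or get-task-allow the profile does not cover. It assumes the plist sits contiguously inside the CMS wrapper and does not verify the CMS signature; the function names and the sample expiry dates are constructed for illustration.

```python
import plistlib
from datetime import datetime, timezone

def profile_plist(blob):
    """Extract the XML plist from a CMS-wrapped .mobileprovision blob.
    Assumes a contiguous payload; the CMS signature is NOT verified."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def resign_problems(profile_blob, entitlements_xml, now=None):
    """List mismatches to fix before running codesign with this profile."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plistlib dates are naive UTC
    profile = profile_plist(profile_blob)
    granted = profile.get("Entitlements", {})
    wanted = plistlib.loads(entitlements_xml)
    problems = []
    expires = profile["ExpirationDate"]
    if expires <= now:
        problems.append("profile expired on %s" % expires.date())
    allowed_id = granted.get("application-identifier", "")
    app_id = wanted.get("application-identifier", "")
    if allowed_id.endswith("*"):  # wildcard App ID, e.g. TEAMID.*
        id_ok = bool(app_id) and app_id.startswith(allowed_id[:-1])
    else:
        id_ok = bool(app_id) and app_id == allowed_id
    if not id_ok:
        problems.append("application-identifier %r not covered by profile %r" % (app_id, allowed_id))
    if wanted.get("get-task-allow") and not granted.get("get-task-allow"):
        problems.append("get-task-allow requested but not granted by profile")
    return problems

# Constructed sample: placeholder bytes stand in for the CMS framing and signature.
def sample_profile(expires, app_id="ABCDE12345.nz.arun.MyApp"):
    body = plistlib.dumps({"ExpirationDate": expires,
                           "Entitlements": {"application-identifier": app_id,
                                            "get-task-allow": False}})
    return b"\x30\x82\x1f\x00" + body + b"\x00\xa0\x82signature-bytes"

ENTITLEMENTS = plistlib.dumps({"application-identifier": "ABCDE12345.nz.arun.MyApp",
                               "get-task-allow": False})

if __name__ == "__main__":
    now = datetime(2016, 4, 26, 15, 5, 58)  # constructed "current time"
    for exp in (datetime(2016, 4, 25), datetime(2017, 4, 25)):
        print(exp.date(), resign_problems(sample_profile(exp), ENTITLEMENTS, now))
```

On macOS, `security cms -D -i MyApp.mobileprovision` decodes the same payload using the system's CMS parser.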