didge/coderesign.sh

## coderesign.sh
#!/bin/bash -x

# Copyright (c) 2011 Float Mobile Learning
# http://www.floatlearning.com/
# Extension Copyright (c) 2013 Weptun Gmbh
# http://www.weptun.de
# Extension Copyright (c) 2013 FoundryLogic LLC
# http://foundrylogic.com
#
# Extended by Ronan O Ciosoig January 2012
#
# Extended by Patrick Blitz, April 2013
#
# Extended by didge, March 2014
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Please let us know about any improvements you make to this script!
#
# Usage
#   ./coderesign.sh source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"]  [-e entitlements] [-k keychain] [-b "BundleIdentifier"] outputIpa
#
# Changes

# January 2012
# 1. change the app display name
#
# April 2013
# 1. specify the target bundleId on the command line
# 2. correctly handles entitlements for keychain-enabled resigning
#
# March 2014
# 1. Update App Identifier Prefix and Bundle Id from provided provisioning file.
# 2. Cleaned up old code, naming.
# 3. Fixed file extension check to handle *.something.ipa or *.something.app
# 4. Renamed to coderesign.sh.
#
# June 2015
# 1. Fixed issue with adding keychain-access-groups.
# 2. Removed ` that somehow got added in last update.
#
# Nov 2018
# 1. Fixed logic determining when to replace bundle id.
#
function checkStatus {

if [ $? -ne 0 ];
then
echo 'Had an Error, aborting!'
exit 1
fi
}

if [ $# -lt 3 ]; then
echo "usage: $0 source identity [-p provisioning] [-e entitlements] [-d displayName] [-b bundleId] outputIpa" >&2
echo "\t\t -p and -b are optional, but their use is heavly recommonded" >&2
exit 1
fi

ORIGINAL_FILE="$1"
CERTIFICATE="$2"
NEW_PROVISION=
ENTITLEMENTS=
NEW_BUNDLE_ID=""
DISPLAY_NAME=""
NEW_APP_ID_PREFIX=""
OLD_APP_ID_PREFIX=""
KEYCHAIN=""

# options start index
OPTIND=3
while getopts p:d:e:k:b: opt; do
case $opt in
p)
NEW_PROVISION="$OPTARG"
echo "Specified provisioning profile: $NEW_PROVISION" >&2
;;
d)
DISPLAY_NAME="$OPTARG"
echo "Specified display name: $DISPLAY_NAME" >&2
;;
e)
ENTITLEMENTS="$OPTARG"
echo "Specified signing entitlements: $ENTITLEMENTS" >&2
;;
b)
NEW_BUNDLE_ID="$OPTARG"
echo "Specified bundle identifier: $NEW_BUNDLE_ID " >&2
;;
k)
KEYCHAIN="$OPTARG"
echo "Specified Keychain to use: $KEYCHAIN " >&2
;;
\?)
echo "Invalid option: -$OPTARG" >&2
exit 1
;;
:)
echo "Option -$OPTARG requires an argument." >&2
exit 1
;;
esac
done

shift $((OPTIND-1))

NEW_FILE="$1"

# Check if the supplied file is an ipa or an app file
if [ "${ORIGINAL_FILE##*.}" = "ipa" ]
then
# Unzip the old ipa quietly
unzip -q "$ORIGINAL_FILE" -d temp
checkStatus
elif [ "${ORIGINAL_FILE##*.}" = "app" ]
then
# Copy the app file into an ipa-like structure
mkdir -p "temp/Payload"
cp -Rf "${ORIGINAL_FILE}" "temp/Payload/${ORIGINAL_FILE}"
checkStatus
else
echo "Error: Only can resign .app files and .ipa files." >&2
exit
fi

# check the keychain
if [ "${KEYCHAIN}" != "" ];
then
security list-keychains -s $KEYCHAIN
security unlock $KEYCHAIN
security default-keychain -s $KEYCHAIN
fi

# Set the app name
# The app name is the only file within the Payload directory
APP_NAME=$(ls temp/Payload/)
echo "APP_NAME=$APP_NAME" >&2

export PATH=$PATH:/usr/libexec

# get the old app id prefix
OLD_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "temp/Payload/$APP_NAME/embedded.mobileprovision" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'`
checkStatus

# get the new app id prefix
if [ "${NEW_PROVISION}" != "" ];
then
NEW_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "$NEW_PROVISION" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'`
else
NEW_APP_ID_PREFIX=$OLD_APP_ID_PREFIX
fi
checkStatus

# get the new bundle id
OLD_BUNDLE_ID=`PlistBuddy -c "Print :CFBundleIdentifier" "temp/Payload/$APP_NAME/Info.plist"`
if [ "${NEW_BUNDLE_ID}" != "" -a "${NEW_PROVISION}" != "" ];
then
NEW_BUNDLE_ID=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" | grep string | sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' | awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'`
if [[ "${NEW_BUNDLE_ID}" == *\** ]]; then
echo "Bundle Identifier contains a *, using the current bundle identifier";
NEW_BUNDLE_ID=$OLD_BUNDLE_ID
fi
else
NEW_BUNDLE_ID=$OLD_BUNDLE_ID
fi
checkStatus

echo "New App Identifier: ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}"

if [ "${DISPLAY_NAME}" != "" ];
then
PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "temp/Payload/$APP_NAME/Info.plist"
echo "New Bundle Display Name: ${DISPLAY_NAME}"
fi

# Replace the embedded mobile provisioning profile
if [ "$NEW_PROVISION" != "" ];
then
ENTITLEMENTS_TEMP=`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" |  sed -E -e '1d' -e s/$OLD_BUNDLE_ID/$NEW_BUNDLE_ID/ -e s/$OLD_APP_ID_PREFIX/$NEW_APP_ID_PREFIX/`
if [ -n "$ENTITLEMENTS_TEMP" ]; then
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > temp/newEntitlements
fi
cp "$NEW_PROVISION" "temp/Payload/$APP_NAME/embedded.mobileprovision"
checkStatus
fi

# Update the bundle identifier
PlistBuddy -c "Set :CFBundleIdentifier $NEW_BUNDLE_ID" "temp/Payload/$APP_NAME/Info.plist"
checkStatus

# Uncomment to convert Info.plist to binary format (thanks imhui!)
# plutil -convert binary1 "temp/Payload/$APP_NAME/Info.plist"

# Resign the application
echo "Resigning application using certificate: $CERTIFICATE" >&2
if [ "$ENTITLEMENTS" != "" ];
then
echo "Using Entitlements: $ENTITLEMENTS" >&2
/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
checkStatus
else
if [ "$NEW_APP_ID_PREFIX" != "" -a -s temp/newEntitlements ];
then
# extract current entitlements
PlistBuddy -c "Set :application-identifier ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}" temp/newEntitlements
checkStatus
PlistBuddy -c "Add :keychain-access-groups array" temp/newEntitlements
PlistBuddy -c "Add :keychain-access-groups:0 string ${NEW_APP_ID_PREFIX}.\*" temp/newEntitlements
checkStatus
plutil -lint temp/newEntitlements
checkStatus
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" --entitlements="temp/newEntitlements" "temp/Payload/$APP_NAME"
checkStatus
rm temp/newEntitlements
else
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
fi
fi

# Repackage quietly
echo "Repackaging as $NEW_FILE"

# Zip up the contents of the temp folder
# Navigate to the temporary directory (sending the output to null)
# Zip all the contents, saving the zip file in the above directory
# Navigate back to the orignating directory (sending the output to null)
pushd temp > /dev/null
zip -qr ../temp.ipa *
popd > /dev/null

# Move the resulting ipa to the target destination
mv temp.ipa "$NEW_FILE"

# Remove the temp directory
rm -rf "temp"
	#!/bin/bash -x

	# Copyright (c) 2011 Float Mobile Learning
	# http://www.floatlearning.com/
	# Extension Copyright (c) 2013 Weptun Gmbh
	# http://www.weptun.de
	# Extension Copyright (c) 2013 FoundryLogic LLC
	# http://foundrylogic.com
	#
	# Extended by Ronan O Ciosoig January 2012
	#
	# Extended by Patrick Blitz, April 2013
	#
	# Extended by didge, March 2014
	#
	# Permission is hereby granted, free of charge, to any person obtaining
	# a copy of this software and associated documentation files (the "Software"),
	# to deal in the Software without restriction, including without limitation
	# the rights to use, copy, modify, merge, publish, distribute, sublicense,
	# and/or sell copies of the Software, and to permit persons to whom the
	# Software is furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included
	# in all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
	# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
	# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
	# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
	# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
	# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
	#
	# Please let us know about any improvements you make to this script!
	#
	# Usage
	# ./coderesign.sh source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"] [-e entitlements] [-k keychain] [-b "BundleIdentifier"] outputIpa
	#
	# Changes

	# January 2012
	# 1. change the app display name
	#
	# April 2013
	# 1. specify the target bundleId on the command line
	# 2. correctly handles entitlements for keychain-enabled resigning
	#
	# March 2014
	# 1. Update App Identifier Prefix and Bundle Id from provided provisioning file.
	# 2. Cleaned up old code, naming.
	# 3. Fixed file extension check to handle .something.ipa or .something.app
	# 4. Renamed to coderesign.sh.
	#
	# June 2015
	# 1. Fixed issue with adding keychain-access-groups.
	# 2. Removed ` that somehow got added in last update.
	#
	# Nov 2018
	# 1. Fixed logic determining when to replace bundle id.
	#
	function checkStatus {

	if [ $? -ne 0 ];
	then
	echo 'Had an Error, aborting!'
	exit 1
	fi
	}

	if [ $# -lt 3 ]; then
	echo "usage: $0 source identity [-p provisioning] [-e entitlements] [-d displayName] [-b bundleId] outputIpa" >&2
	echo "\t\t -p and -b are optional, but their use is heavly recommonded" >&2
	exit 1
	fi

	ORIGINAL_FILE="$1"
	CERTIFICATE="$2"
	NEW_PROVISION=
	ENTITLEMENTS=
	NEW_BUNDLE_ID=""
	DISPLAY_NAME=""
	NEW_APP_ID_PREFIX=""
	OLD_APP_ID_PREFIX=""
	KEYCHAIN=""

	# options start index
	OPTIND=3
	while getopts p:d:e:k:b: opt; do
	case $opt in
	p)
	NEW_PROVISION="$OPTARG"
	echo "Specified provisioning profile: $NEW_PROVISION" >&2
	;;
	d)
	DISPLAY_NAME="$OPTARG"
	echo "Specified display name: $DISPLAY_NAME" >&2
	;;
	e)
	ENTITLEMENTS="$OPTARG"
	echo "Specified signing entitlements: $ENTITLEMENTS" >&2
	;;
	b)
	NEW_BUNDLE_ID="$OPTARG"
	echo "Specified bundle identifier: $NEW_BUNDLE_ID " >&2
	;;
	k)
	KEYCHAIN="$OPTARG"
	echo "Specified Keychain to use: $KEYCHAIN " >&2
	;;
	\?)
	echo "Invalid option: -$OPTARG" >&2
	exit 1
	;;
	:)
	echo "Option -$OPTARG requires an argument." >&2
	exit 1
	;;
	esac
	done

	shift $((OPTIND-1))

	NEW_FILE="$1"

	# Check if the supplied file is an ipa or an app file
	if [ "${ORIGINAL_FILE##*.}" = "ipa" ]
	then
	# Unzip the old ipa quietly
	unzip -q "$ORIGINAL_FILE" -d temp
	checkStatus
	elif [ "${ORIGINAL_FILE##*.}" = "app" ]
	then
	# Copy the app file into an ipa-like structure
	mkdir -p "temp/Payload"
	cp -Rf "${ORIGINAL_FILE}" "temp/Payload/${ORIGINAL_FILE}"
	checkStatus
	else
	echo "Error: Only can resign .app files and .ipa files." >&2
	exit
	fi

	# check the keychain
	if [ "${KEYCHAIN}" != "" ];
	then
	security list-keychains -s $KEYCHAIN
	security unlock $KEYCHAIN
	security default-keychain -s $KEYCHAIN
	fi

	# Set the app name
	# The app name is the only file within the Payload directory
	APP_NAME=$(ls temp/Payload/)
	echo "APP_NAME=$APP_NAME" >&2

	export PATH=$PATH:/usr/libexec

	# get the old app id prefix
	OLD_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "temp/Payload/$APP_NAME/embedded.mobileprovision" -A 1 --binary-files=text \| sed -E -e '/<key>/ d' -e 's/(^.<string>)//' -e 's/([A-Z0-9])(.*)/\1/'`
	checkStatus

	# get the new app id prefix
	if [ "${NEW_PROVISION}" != "" ];
	then
	NEW_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "$NEW_PROVISION" -A 1 --binary-files=text \| sed -E -e '/<key>/ d' -e 's/(^.<string>)//' -e 's/([A-Z0-9])(.*)/\1/'`
	else
	NEW_APP_ID_PREFIX=$OLD_APP_ID_PREFIX
	fi
	checkStatus

	# get the new bundle id
	OLD_BUNDLE_ID=`PlistBuddy -c "Print :CFBundleIdentifier" "temp/Payload/$APP_NAME/Info.plist"`
	if [ "${NEW_BUNDLE_ID}" != "" -a "${NEW_PROVISION}" != "" ];
	then
	NEW_BUNDLE_ID=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" \| grep string \| sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' \| awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'`
	if [[ "${NEW_BUNDLE_ID}" == \* ]]; then
	echo "Bundle Identifier contains a *, using the current bundle identifier";
	NEW_BUNDLE_ID=$OLD_BUNDLE_ID
	fi
	else
	NEW_BUNDLE_ID=$OLD_BUNDLE_ID
	fi
	checkStatus

	echo "New App Identifier: ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}"

	if [ "${DISPLAY_NAME}" != "" ];
	then
	PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "temp/Payload/$APP_NAME/Info.plist"
	echo "New Bundle Display Name: ${DISPLAY_NAME}"
	fi

	# Replace the embedded mobile provisioning profile
	if [ "$NEW_PROVISION" != "" ];
	then
	ENTITLEMENTS_TEMP=`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" \| sed -E -e '1d' -e s/$OLD_BUNDLE_ID/$NEW_BUNDLE_ID/ -e s/$OLD_APP_ID_PREFIX/$NEW_APP_ID_PREFIX/`
	if [ -n "$ENTITLEMENTS_TEMP" ]; then
	echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > temp/newEntitlements
	fi
	cp "$NEW_PROVISION" "temp/Payload/$APP_NAME/embedded.mobileprovision"
	checkStatus
	fi

	# Update the bundle identifier
	PlistBuddy -c "Set :CFBundleIdentifier $NEW_BUNDLE_ID" "temp/Payload/$APP_NAME/Info.plist"
	checkStatus

	# Uncomment to convert Info.plist to binary format (thanks imhui!)
	# plutil -convert binary1 "temp/Payload/$APP_NAME/Info.plist"

	# Resign the application
	echo "Resigning application using certificate: $CERTIFICATE" >&2
	if [ "$ENTITLEMENTS" != "" ];
	then
	echo "Using Entitlements: $ENTITLEMENTS" >&2
	/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
	checkStatus
	else
	if [ "$NEW_APP_ID_PREFIX" != "" -a -s temp/newEntitlements ];
	then
	# extract current entitlements
	PlistBuddy -c "Set :application-identifier ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}" temp/newEntitlements
	checkStatus
	PlistBuddy -c "Add :keychain-access-groups array" temp/newEntitlements
	PlistBuddy -c "Add :keychain-access-groups:0 string ${NEW_APP_ID_PREFIX}.\*" temp/newEntitlements
	checkStatus
	plutil -lint temp/newEntitlements
	checkStatus
	/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" --entitlements="temp/newEntitlements" "temp/Payload/$APP_NAME"
	checkStatus
	rm temp/newEntitlements
	else
	/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
	fi
	fi

	# Repackage quietly
	echo "Repackaging as $NEW_FILE"

	# Zip up the contents of the temp folder
	# Navigate to the temporary directory (sending the output to null)
	# Zip all the contents, saving the zip file in the above directory
	# Navigate back to the orignating directory (sending the output to null)
	pushd temp > /dev/null
	zip -qr ../temp.ipa *
	popd > /dev/null

	# Move the resulting ipa to the target destination
	mv temp.ipa "$NEW_FILE"

	# Remove the temp directory
	rm -rf "temp"