Skip to content

Instantly share code, notes, and snippets.

@didge
Forked from WeptunUser/floatsign.sh
Last active September 24, 2022 02:25
Show Gist options
  • Save didge/9466154 to your computer and use it in GitHub Desktop.
Save didge/9466154 to your computer and use it in GitHub Desktop.
Script to resign .ipa files with options to change the provisioning file, app name, and bundle id.
#!/bin/bash -x
# Copyright (c) 2011 Float Mobile Learning
# http://www.floatlearning.com/
# Extension Copyright (c) 2013 Weptun Gmbh
# http://www.weptun.de
# Extension Copyright (c) 2013 FoundryLogic LLC
# http://foundrylogic.com
#
# Extended by Ronan O Ciosoig January 2012
#
# Extended by Patrick Blitz, April 2013
#
# Extended by didge, March 2014
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Please let us know about any improvements you make to this script!
#
# Usage
# ./coderesign.sh source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"] [-e entitlements] [-k keychain] [-b "BundleIdentifier"] outputIpa
#
# Changes
# January 2012
# 1. change the app display name
#
# April 2013
# 1. specify the target bundleId on the command line
# 2. correctly handles entitlements for keychain-enabled resigning
#
# March 2014
# 1. Update App Identifier Prefix and Bundle Id from provided provisioning file.
# 2. Cleaned up old code, naming.
# 3. Fixed file extension check to handle *.something.ipa or *.something.app
# 4. Renamed to coderesign.sh.
#
# June 2015
# 1. Fixed issue with adding keychain-access-groups.
# 2. Removed ` that somehow got added in last update.
#
# Nov 2018
# 1. Fixed logic determining when to replace bundle id.
#
function checkStatus {
if [ $? -ne 0 ];
then
echo 'Had an Error, aborting!'
exit 1
fi
}
if [ $# -lt 3 ]; then
echo "usage: $0 source identity [-p provisioning] [-e entitlements] [-d displayName] [-b bundleId] outputIpa" >&2
echo "\t\t -p and -b are optional, but their use is heavly recommonded" >&2
exit 1
fi
ORIGINAL_FILE="$1"
CERTIFICATE="$2"
NEW_PROVISION=
ENTITLEMENTS=
NEW_BUNDLE_ID=""
DISPLAY_NAME=""
NEW_APP_ID_PREFIX=""
OLD_APP_ID_PREFIX=""
KEYCHAIN=""
# options start index
OPTIND=3
while getopts p:d:e:k:b: opt; do
case $opt in
p)
NEW_PROVISION="$OPTARG"
echo "Specified provisioning profile: $NEW_PROVISION" >&2
;;
d)
DISPLAY_NAME="$OPTARG"
echo "Specified display name: $DISPLAY_NAME" >&2
;;
e)
ENTITLEMENTS="$OPTARG"
echo "Specified signing entitlements: $ENTITLEMENTS" >&2
;;
b)
NEW_BUNDLE_ID="$OPTARG"
echo "Specified bundle identifier: $NEW_BUNDLE_ID " >&2
;;
k)
KEYCHAIN="$OPTARG"
echo "Specified Keychain to use: $KEYCHAIN " >&2
;;
\?)
echo "Invalid option: -$OPTARG" >&2
exit 1
;;
:)
echo "Option -$OPTARG requires an argument." >&2
exit 1
;;
esac
done
shift $((OPTIND-1))
NEW_FILE="$1"
# Check if the supplied file is an ipa or an app file
if [ "${ORIGINAL_FILE##*.}" = "ipa" ]
then
# Unzip the old ipa quietly
unzip -q "$ORIGINAL_FILE" -d temp
checkStatus
elif [ "${ORIGINAL_FILE##*.}" = "app" ]
then
# Copy the app file into an ipa-like structure
mkdir -p "temp/Payload"
cp -Rf "${ORIGINAL_FILE}" "temp/Payload/${ORIGINAL_FILE}"
checkStatus
else
echo "Error: Only can resign .app files and .ipa files." >&2
exit
fi
# check the keychain
if [ "${KEYCHAIN}" != "" ];
then
security list-keychains -s $KEYCHAIN
security unlock $KEYCHAIN
security default-keychain -s $KEYCHAIN
fi
# Set the app name
# The app name is the only file within the Payload directory
APP_NAME=$(ls temp/Payload/)
echo "APP_NAME=$APP_NAME" >&2
export PATH=$PATH:/usr/libexec
# get the old app id prefix
OLD_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "temp/Payload/$APP_NAME/embedded.mobileprovision" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'`
checkStatus
# get the new app id prefix
if [ "${NEW_PROVISION}" != "" ];
then
NEW_APP_ID_PREFIX=`grep '<key>application-identifier</key>' "$NEW_PROVISION" -A 1 --binary-files=text | sed -E -e '/<key>/ d' -e 's/(^.*<string>)//' -e 's/([A-Z0-9]*)(.*)/\1/'`
else
NEW_APP_ID_PREFIX=$OLD_APP_ID_PREFIX
fi
checkStatus
# get the new bundle id
OLD_BUNDLE_ID=`PlistBuddy -c "Print :CFBundleIdentifier" "temp/Payload/$APP_NAME/Info.plist"`
if [ "${NEW_BUNDLE_ID}" != "" -a "${NEW_PROVISION}" != "" ];
then
NEW_BUNDLE_ID=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" | grep string | sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' | awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'`
if [[ "${NEW_BUNDLE_ID}" == *\** ]]; then
echo "Bundle Identifier contains a *, using the current bundle identifier";
NEW_BUNDLE_ID=$OLD_BUNDLE_ID
fi
else
NEW_BUNDLE_ID=$OLD_BUNDLE_ID
fi
checkStatus
echo "New App Identifier: ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}"
if [ "${DISPLAY_NAME}" != "" ];
then
PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "temp/Payload/$APP_NAME/Info.plist"
echo "New Bundle Display Name: ${DISPLAY_NAME}"
fi
# Replace the embedded mobile provisioning profile
if [ "$NEW_PROVISION" != "" ];
then
ENTITLEMENTS_TEMP=`/usr/bin/codesign -d --entitlements - "temp/Payload/$APP_NAME" | sed -E -e '1d' -e s/$OLD_BUNDLE_ID/$NEW_BUNDLE_ID/ -e s/$OLD_APP_ID_PREFIX/$NEW_APP_ID_PREFIX/`
if [ -n "$ENTITLEMENTS_TEMP" ]; then
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > temp/newEntitlements
fi
cp "$NEW_PROVISION" "temp/Payload/$APP_NAME/embedded.mobileprovision"
checkStatus
fi
# Update the bundle identifier
PlistBuddy -c "Set :CFBundleIdentifier $NEW_BUNDLE_ID" "temp/Payload/$APP_NAME/Info.plist"
checkStatus
# Uncomment to convert Info.plist to binary format (thanks imhui!)
# plutil -convert binary1 "temp/Payload/$APP_NAME/Info.plist"
# Resign the application
echo "Resigning application using certificate: $CERTIFICATE" >&2
if [ "$ENTITLEMENTS" != "" ];
then
echo "Using Entitlements: $ENTITLEMENTS" >&2
/usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
checkStatus
else
if [ "$NEW_APP_ID_PREFIX" != "" -a -s temp/newEntitlements ];
then
# extract current entitlements
PlistBuddy -c "Set :application-identifier ${NEW_APP_ID_PREFIX}.${NEW_BUNDLE_ID}" temp/newEntitlements
checkStatus
PlistBuddy -c "Add :keychain-access-groups array" temp/newEntitlements
PlistBuddy -c "Add :keychain-access-groups:0 string ${NEW_APP_ID_PREFIX}.\*" temp/newEntitlements
checkStatus
plutil -lint temp/newEntitlements
checkStatus
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" --entitlements="temp/newEntitlements" "temp/Payload/$APP_NAME"
checkStatus
rm temp/newEntitlements
else
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules="temp/Payload/$APP_NAME/ResourceRules.plist" "temp/Payload/$APP_NAME"
fi
fi
# Repackage quietly
echo "Repackaging as $NEW_FILE"
# Zip up the contents of the temp folder
# Navigate to the temporary directory (sending the output to null)
# Zip all the contents, saving the zip file in the above directory
# Navigate back to the orignating directory (sending the output to null)
pushd temp > /dev/null
zip -qr ../temp.ipa *
popd > /dev/null
# Move the resulting ipa to the target destination
mv temp.ipa "$NEW_FILE"
# Remove the temp directory
rm -rf "temp"
@ethiopower
Copy link

How do you use this?

@didge
Copy link
Author

didge commented Mar 29, 2021

How do you use this?

Call it like this:

./coderesign.sh source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"] [-e entitlements] [-k keychain] [-b "BundleIdentifier"] outputIpa

Basically, you will pass the original .ipa (source) and an cert identify for which you must have the private key. The -p argument is useful to specify a new or different provisioning file and the other arguments allow you to rename and/or change the bundle id. It's been a few years since I last used it, i don't remember using the -k or -e arguments often.

Good luck!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment