Digitally resigning IPA

OK, so I think I’ve finally got the digitally resigning of an IPA figured out.

In the first place, it’s useful to have your emacs configuration file updated so that you can modify (i.e., read and save) the binary Info.plist files in an easy way. My emacs configuration is in the file ~/.emacs.d/init.el. Your’s might be somewhere else, but in either case, add the following code to the emacs initialization file:

;; Allow editing of binary .plist files.
(add-to-list 'jka-compr-compression-info-list
              "converting text XML to binary plist"
              ("-convert" "binary1" "-o" "-" "-")
              "converting binary plist to text XML"
              ("-convert" "xml1" "-o" "-" "-")
              nil nil "bplist"])

;;It is necessary to perform an update!

You can now modify *.plist files by hand (using emacs), which is useful if you want to assign a different BundleID to your already-built (and already-signed) IPA.

The recipe for resigning (and possibly assigning a new BundleID) to an already-built-and-signed IPA is as follows:

1. Unzip the IPA:

> unzip app.ipa 

2. Remove the old code signatures:

> rm -r Payload/
> rm -r Payload/

Obviously in this example, the name of the bundled app is “”. You’ll have to change that name to match whatever your bundle is named.

3. Change the BundleID (optional):

The BundleID is located in the *.plist file in the directory:

> Payload/

If you made the above changes to your emacs initialization file, you can now go in and edit this file by hand, assign a new BundleID (or change the Info.plist in any other way), save it and continue.

This step is optional, and not required.

4. Copy over a new mobile provisioning file:

> cp MyProfile.mobileprovision Payload/

5. Resign the app:

> codesign -f -v -s "MyIdentity" Payload/

Note that you’re code-signing the bundle itself.

The flags on “codesign” are as follows:

-f ==> force a code resign
-v ==> verify the signature
-s ==> signing identity

You can verify that your code was signed correctly as follows:

> codesign -dvvv Payload/

The results spit back should give a clear indication as to whether the code-resigning was successful. Both the BundleID and the code signing identity are included in the returned information.

One question that may still arise at this point is what to enter for “MyIdentity” when code signing? Entering the following command at the command prompt will give you a list of all valid identities on your keychain:

> security find-identity

Choose one of these strings as your “MyIdentity” above.

6. Finally, re-package the IPA:

> zip -yr app.resigned.ipa Payload

Note that the flags “y” and “r” are required to form the IPA correctly.

And that’s it! You should be good to go..


4 thoughts on “Digitally resigning IPA

    • I think, in principle, should be able to change the AppID in Step 3 above, where it talks about how to change the BundleID for the app. Did you create the new AppID in the iOS Provisioning Portal, and copy over the new Provisioning Profile? If you’re resigning the IPA w/ a different provisioning profile, you have to copy that new profile over into the bundle (i.e., Step 4 above) before you resign the IPA.

  1. went at 5. into the following error

    Payload/ replacing existing signature
    Payload/ object file format unrecognized, invalid, or unsuitable

    any help?

    • Looking around on Google, it seems that this issue can arise if there’s a discrepancy in the CGBundleExecutable entry (i.e., “Executable Name”) in the target’s Info.plist file. You might want to check that, to make sure it’s correct?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s