Digitally resigning IPA

OK, so I think I’ve finally got the digital resigning of an IPA figured out.

In the first place, it’s useful to have your emacs configuration file updated so that you can modify (i.e., read and save) the binary Info.plist files in an easy way. My emacs configuration is in the file ~/.emacs.d/init.el. Yours might be somewhere else, but in either case, add the following code to the emacs initialization file:

;; Allow editing of binary .plist files.
(add-to-list 'jka-compr-compression-info-list
             ["\\.plist$"
              "converting text XML to binary plist"
              "plutil"
              ("-convert" "binary1" "-o" "-" "-")
              "converting binary plist to text XML"
              "plutil"
              ("-convert" "xml1" "-o" "-" "-")
              nil nil "bplist"])

;;It is necessary to perform an update!
(jka-compr-update)

You can now modify *.plist files by hand (using emacs), which is useful if you want to assign a different BundleID to your already-built (and already-signed) IPA.

The recipe for resigning (and possibly assigning a new BundleID) to an already-built-and-signed IPA is as follows:

1. Unzip the IPA:

> unzip app.ipa 

2. Remove the old code signatures:

> rm -r Payload/SampleApp.app/_CodeSignature
> rm -r Payload/SampleApp.app/CodeResources

Obviously in this example, the name of the bundled app is “SampleApp.app”. You’ll have to change that name to match whatever your bundle is named.

3. Change the BundleID (optional):

The BundleID is located in the *.plist file in the directory:

> Payload/SampleApp.app/Info.plist

If you made the above changes to your emacs initialization file, you can now go in and edit this file by hand, assign a new BundleID (or change the Info.plist in any other way), save it and continue.

This step is optional.

4. Copy over a new mobile provisioning file:

> cp MyProfile.mobileprovision Payload/SampleApp.app/embedded.mobileprovision

5. Resign the app:

> codesign -f -v -s "MyIdentity" Payload/SampleApp.app

Note that you’re code-signing the SampleApp.app bundle itself.

The flags on “codesign” are as follows:

-f ==> force a code resign
-v ==> verify the signature
-s ==> signing identity

You can verify that your code was signed correctly as follows:

> codesign -dvvv Payload/SampleApp.app

The results spit back should give a clear indication as to whether the code-resigning was successful. Both the BundleID and the code signing identity are included in the returned information.

One question that may still arise at this point is what to enter for “MyIdentity” when code signing? Entering the following command at the command prompt will give you a list of all valid identities on your keychain:

> security find-identity

Choose one of these strings as your “MyIdentity” above.

6. Finally, re-package the IPA:

> zip -yr app.resigned.ipa Payload

Note that the flags “y” and “r” are required to form the IPA correctly.

And that’s it! You should be good to go.
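Steps 1 to 6 above collected into one POSIX shell function, as an added example that is not part of the original post. The function name `resign_ipa`, its argument order and its exit codes are this example's own choices; it assumes a macOS host with `unzip`, `codesign` and `zip` on the PATH and an IPA containing a single app bundle.

```shell
#!/bin/sh
# Added example: steps 1-6 of the recipe as one function (not the author's code).
# usage: resign_ipa IN.ipa PROFILE.mobileprovision IDENTITY OUT.ipa
resign_ipa() (
    ipa=$1 profile=$2 identity=$3 out=$4
    [ -f "$ipa" ] && [ -f "$profile" ] && [ -n "$identity" ] && [ -n "$out" ] ||
        { echo "usage: resign_ipa IN.ipa PROFILE IDENTITY OUT.ipa" >&2; exit 2; }
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # zip runs from the work dir

    # Work in a private scratch directory so a failed run leaves nothing behind.
    work=$(mktemp -d "${TMPDIR:-/tmp}/resign.XXXXXX") || exit 1
    trap 'rm -rf "$work"' EXIT

    unzip -q "$ipa" -d "$work" || exit 3                      # step 1

    # Locate the bundle instead of hard-coding SampleApp.app; exactly one
    # Payload/*.app is expected.
    set -- "$work"/Payload/*.app
    { [ "$#" -eq 1 ] && [ -d "$1" ]; } ||
        { echo "expected exactly one Payload/*.app" >&2; exit 4; }
    app=$1

    rm -rf "$app/_CodeSignature" "$app/CodeResources"         # step 2
    # Step 3 (editing Info.plist) is manual and optional, so it is skipped.
    cp "$profile" "$app/embedded.mobileprovision" || exit 5   # step 4

    # Step 5. With -s, codesign reads -v as --verbose, so the check is run
    # as a separate --verify call and packaging stops if it fails.
    codesign -f -s "$identity" "$app" || exit 6
    codesign --verify --verbose=2 "$app" ||
        { echo "signature did not verify; not packaging" >&2; exit 7; }

    rm -f "$out"   # zip would otherwise update an existing archive in place
    (cd "$work" && zip -qyr "$out" Payload) || exit 8         # step 6
    echo "wrote $out"
)

# Run only when arguments are given, e.g.
#   sh resign.sh app.ipa MyProfile.mobileprovision "MyIdentity" app.resigned.ipa
if [ "$#" -gt 0 ]; then resign_ipa "$@"; fi
```

Every failing step returns a distinct non-zero status, so a caller can tell an unpack problem from a signing or verification failure.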

4 thoughts on “Digitally resigning IPA”

    • I think, in principle, you should be able to change the AppID in Step 3 above, where it talks about how to change the BundleID for the app. Did you create the new AppID in the iOS Provisioning Portal, and copy over the new Provisioning Profile? If you’re resigning the IPA w/ a different provisioning profile, you have to copy that new profile over into the bundle (i.e., Step 4 above) before you resign the IPA.

  1. Ran into the following error at step 5:

    Payload/TouchDown.app: replacing existing signature
    Payload/TouchDown.app: object file format unrecognized, invalid, or unsuitable

    any help?

    • Looking around on Google, it seems that this issue can arise if there’s a discrepancy in the CFBundleExecutable entry (i.e., “Executable Name”) in the target’s Info.plist file. You might want to check that, to make sure it’s correct?
