 

Resigning AppStore-exported IPAs with development certificate

Question

Is it possible to resign/provision IPAs exported for the AppStore with a development certificate and profile?

I can do the actual resign and upon manual verification things seem fine; however, any application I try this on crashes on launch. I am not trying to resign an app downloaded from the AppStore; these are applications built on my computer.

None of the popular tools seem to do it right either. Did anyone ever pull this off or is it impossible for some reason?

Findings

In the device log I don't see anything reported by the App process itself so the OS must have killed it before launch. I do see this:

securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>:  [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>

This seemed to indicate an issue with the entitlements. However, when I manually print them (/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist ) from the IPA I installed I have:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>application-identifier</key>
        <string>TEAMID.*</string>
        <key>com.apple.developer.default-data-protection</key>
        <string>NSFileProtectionComplete</string>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID</string>
        <key>get-task-allow</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
                <string>TEAMID.*</string>
        </array>
</dict>
</plist>

This clearly shows the get-task-allow entitlement to be true.

Tools

Whichever tool I try, I end up with the same result, e.g.:

  • https://dantheman827.github.io/ios-app-signer/
  • https://github.com/nowsecure/node-applesign
  • https://github.com/fastlane/fastlane/blob/master/sigh/lib/assets/resign.sh

Similar Questions

  • "can we resign the appstore build with our development certificates?": Simple "no" answer, which seems incorrect since I'm able to perform the actual resign operation without warnings or errors.
  • "Resign iOS App from a distribution identity to a developer identity": Shows how to verify and/or adapt the final entitlements in the resigned IPA.
  • "iOS resign IPA from appstore with developer profile": The question is a bit older, but one of the commenters eventually reports the same observed behaviour: "but it can't run normally, it flashback. till now i have no idea about it".

Update 1

(reaction to @Yoshkebab)

Output of otool suggests the binary is not encrypted: otool -l App/Payload/App.app/App | grep -A 4 -i encrypt:

          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 0
    cryptsize 0
      cryptid 0
--
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 0
    cryptsize 0
      cryptid 0

However, e.g. Hopper cannot disassemble it... Are there any references that Apple applies the encryption in Xcode? That would indicate they have that key on users' systems? Also, I don't see build steps that would indicate this (codesign is just adding the signature, no?)

Clutch fails to see my application, and Stefan Esser's dumpdecrypted library doesn't work because the app crashes immediately, I suspect (my setup is OK because it works for other apps).

asked Aug 01 '17 08:08

dzan


1 Answer

AppStore signed apps are not only signed by the developer's certificate, but the binary is also encrypted by Apple's private key. Thus you can resign the apps, but unless you decrypt the binary you won't be able to run them. Check out the binary's LC_ENCRYPTION_INFO load command (the easiest way is to use MachoView); if you see a flag Crypt ID != 0, the binary is encrypted.

Assuming that it is, you can still do it; this is a bit tedious and you'll need a jailbroken device with the app installed.

  1. Connect to your device with SSH. The easiest way to do it is with gandalf
  2. Get Clutch and install it on your device - follow their instructions (I found that the easiest way to compile it is to change the package name)
  3. Dump the decrypted app into a new IPA (Clutch -d "YOUR_PACKAGE_ID")

Now you have a decrypted IPA that you can resign.

answered Oct 04 '22 06:10

Yoshkebab
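
The Crypt ID check described in the answer, and the otool check in the question's Update 1, as an added example (not code from either poster): a Python reader for the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load commands of a thin or fat Mach-O file. The function names are this example's own, and `make_slice` / `make_fat` only build constructed sample binaries with made-up offsets.

```python
import struct

LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE

def _slice_info(data, base):
    """Return (cmd, cryptoff, cryptsize, cryptid) for each encryption command in one slice."""
    magic, _cpu, _sub, _type, ncmds, _sz, _flags = struct.unpack_from("<7I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"no little-endian Mach-O header at offset {base}")
    off = base + (32 if magic == MH_MAGIC_64 else 28)   # 64-bit header has a reserved word
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8:
            raise ValueError("corrupt load command size")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            found.append((cmd, *struct.unpack_from("<3I", data, off + 8)))
        off += cmdsize
    return found

def encryption_info(data):
    """Collect encryption load commands from a thin or fat (multi-architecture) binary."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:   # fat header is big-endian
        (nfat,) = struct.unpack_from(">I", data, 4)
        bases = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        bases = [0]
    return [entry for base in bases for entry in _slice_info(data, base)]

def is_encrypted(data):
    """True if any slice carries a non-zero cryptid."""
    return any(entry[3] != 0 for entry in encryption_info(data))

def make_slice(is64, cryptid):
    """Constructed sample: Mach-O header plus one encryption load command."""
    if is64:
        head = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
        return head + struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, 4096, cryptid, 0)
    head = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, 20, 0)
    return head + struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 16384, 4096, cryptid)

def make_fat(slices):
    """Constructed sample: big-endian fat header followed by the slices."""
    table, body, start = b"", b"", 8 + 20 * len(slices)
    for s in slices:
        table += struct.pack(">5I", 0, 0, start + len(body), len(s), 0)
        body += s
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + table + body
```

To check a real build, pass the bytes of the app's main executable (for example `open("App/Payload/App.app/App", "rb").read()`) to `encryption_info`; a fat binary yields one entry per architecture, matching the two blocks in the otool output above.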