Is it possible to resign/provision IPAs exported for the AppStore with a development certificate and profile?
I can do the actual resign and upon manual verification things seem fine, however any application I try this on crashes on launch. I am not trying to resign an app downloaded from the AppStore, these are applications built on my computer.
None of the popular tools seem to do it right either. Did anyone ever pull this off or is it impossible for some reason?
In the device log I don't see anything reported by the App process itself so the OS must have killed it before launch. I do see this:
```
securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>: [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>
```
This seemed to indicate an issue with the entitlements. However, when I manually print them (`/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist`) from the IPA I installed I have:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.*</string>
    <key>com.apple.developer.default-data-protection</key>
    <string>NSFileProtectionComplete</string>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAMID.*</string>
    </array>
</dict>
</plist>
```
This clearly shows the `get-task-allow` entitlement to be true.
Whichever tool I try I end up with the same result, e.g
(reaction to @Yoshkebab)
Output of otool suggests the binary is not encrypted:
```
otool -l App/Payload/App.app/App | grep -A 4 -i encrypt
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 0
    cryptsize 0
      cryptid 0
--
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 0
    cryptsize 0
      cryptid 0
```
However, e.g. Hopper cannot disassemble it... Are there any references that Apple applies the encryption in Xcode? That would indicate they have that key on users' systems? Also, I don't see build steps that would indicate this (codesign is just adding the signature, no?)
Clutch fails to see my application and Stefan Esser's dumpdecrypted library doesn't work, because the app crashes immediately, I suspect (my setup is OK because it works for other apps).
AppStore signed apps are not only signed by the developer's certificate, but the binary is also encrypted by Apple's private key. Thus you can resign the apps, but unless you decrypt the binary you won't be able to run them. Check out the binary's LC_ENCRYPTION_INFO load command (the easiest way is to use MachoView); if you see a flag Crypt ID != 0, the binary is encrypted.
Assuming that it is, you can still do it; this is a bit tedious and you'll need a jailbroken device with the App installed.
Now you have a decrypted IPA that you can resign.
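
The check described in the answer (a non-zero cryptid in `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`), as an added example that is not part of the original posts: a small parser that reads the encryption load command of every slice in a thin or fat Mach-O file, the same fields the question's otool output shows. The function names and `build_sample`, which constructs a synthetic two-slice image, are assumptions of this example; only little-endian slices and 32-bit fat headers are handled.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # universal (fat) header; its fields are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_crypt(data, base):
    """Return (cryptoff, cryptsize, cryptid) for the slice at base, or None."""
    magic = struct.unpack_from("<I", data, base)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)
    end = min(off + sizeofcmds, len(data))
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64) and cmdsize >= 20:
            return struct.unpack_from("<III", data, off + 8)
        off += cmdsize
    return None  # this slice has no encryption load command

def encryption_info(data):
    """Per-slice info for a thin or fat Mach-O (fat_arch entries are 20 bytes)."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [slice_crypt(data, 0)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    offsets = [struct.unpack_from(">I", data, 16 + 20 * i)[0] for i in range(nfat)]
    return [slice_crypt(data, o) for o in offsets]

def is_encrypted(data):
    """True if any slice has a non-zero cryptid (the answer's criterion)."""
    return any(i is not None and i[2] != 0 for i in encryption_info(data))

def build_sample(cryptid32, cryptid64):
    """Constructed fat image: one 32-bit and one 64-bit slice, one command each."""
    slices = []
    for is64, cid in ((False, cryptid32), (True, cryptid64)):
        pad = b"\0" * 4 if is64 else b""
        cmd, size = (LC_ENCRYPTION_INFO_64, 24) if is64 else (LC_ENCRYPTION_INFO, 20)
        lc = struct.pack("<5I", cmd, size, 0x4000, 0x8000, cid) + pad
        hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, 0, 0, 2, 1, len(lc), 0)
        slices.append(hdr + pad + lc)
    first = 8 + 20 * 2  # fat_header plus two fat_arch entries
    archs = struct.pack(">5I", 0, 0, first, len(slices[0]), 0)
    archs += struct.pack(">5I", 0, 0, first + len(slices[0]), len(slices[1]), 0)
    return struct.pack(">II", FAT_MAGIC, 2) + archs + b"".join(slices)
```

To run it on a real file, pass the bytes of the app's main executable (for example `Payload/App.app/App` from the unzipped IPA) to `encryption_info`.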