Since much of the iOS development work we do is for clients who are developing apps to distribute internally with an In House Mobile Provisioning Profile using their Enterprise Distribution Certificates, and not all of them want to share those files outside of their organization, we frequently need a way to send them the IPA file built with our own Apple account, and have them re-sign it to use their own.
This process can also be used, for instance, to test the final App Store Distribution build before sending it to iTunes Connect by resigning a copy of it from an App Store Distribution profile to an Ad Hoc one or to update an .ipa file from an In House profile with a certificate that is about to expire (they expire every year) to a new one without having to rebuild the app from the source.
If you’re doing this in order to send an app to a client, the first thing to note is that you want to use an Ad Hoc profile on your own account, not an In House profile. On the subject of customers, the license agreement for Enterprise Distribution states that you can:
Allow Your Customers to use Your Internal Use Applications, but only (i) on Your physical premises, or (ii) in other locations, provided all such use is under the direct supervision and physical control of Your Employees (e.g., a sales presentation to a Customer).
So, sending your client an .ipa signed with your In House provisioning profile is verboten. However, the rules for Ad Hoc distribution are more lax in that they allow for distribution to individuals “who are otherwise affiliated with you”:
Subject to the terms and conditions of this Agreement, You may also distribute Your Applications to individuals within Your company, organization, educational institution, group, or who are otherwise affiliated with You for use solely on a limited number of Registered Devices (as specified on the Program web portal)
Also, it’s just easier to know that you’ve re-signed it correctly if you know that you’re starting with an Ad Hoc profile, since the app will only be able to be installed on the devices specified in your provisioning portal.
This whole re-signing process will only work if the Bundle Id is the same for both profiles. So, the first thing you’ll need to do is find out what your client wants to use for the bundle id for the app. Let’s say our client, Tom’s Things, wants to use com.tomsthings.bestappever for a bundle id. To set that up, you’ll just need to set up that new bundle id in your provisioning portal (I’m using a wildcard ID here):
Then, you need to set up a new Ad Hoc profile using that bundle id and your distribution certificate, and you’ll probably also want to include a few of your client’s device UDIDs on it, so they’re able to test the app without having to re-sign it every time you send them a build.
Codesign: Re-signing the App
Now comes the fun part (for certain definitions of fun): taking the .ipa file and re-signing it to use a different account’s distribution certificate and profile. Since you’ll need the destination certificate and profile, in the example given above, this would be done by someone at Tom’s Things to use their own Enterprise Certificate and In House mobile provisioning profile. You’ll need to do all of this from the command line, so open up Terminal.app and navigate to the location of your .ipa file. The command line commands are shown here in blue.
- Step 1: Unzip the IPA file (they’re just zip files renamed to .ipa). This will leave you with a folder named “Payload”.
- Step 2: Delete the _CodeSignature from within the .app bundle.
rm -rf Payload/BestAppEver.app/_CodeSignature
- Step 3: Replace the embedded.mobileprovision file with your In House .mobileprovision profile.
cp ~/Documents/TomsThingsInHouse.mobileprovision Payload/BestAppEver.app/embedded.mobileprovision
- Step 4: Use codesign to replace the existing signature using a certificate in your keychain to sign the app. In this example, I would need to have a certificate named “iPhone Distribution: Tom’s Things, Inc.” in my keychain. When you run this command, you’ll be asked to allow codesign to access this certificate. Choose to “Allow” or “Always Allow”.
/usr/bin/codesign -f -s “iPhone Distribution: Tom’s Things, Inc.” –resource-rules Payload/BestAppEver.app/ResourceRules.plist Payload/BestAppEver.app
- Step 5: You’re almost done. The last thing you need to do is to zip that Payload folder back into an .ipa file. Do do that, just use the zip command.
zip -r BestAppEver_inhouse.ipa Payload
And that’s it. Now you have an .ipa file signed with your certificate and mobile provisioning profile, ready to be uploaded to your internal app store or sent to your team for testing.