Arun Stephens

Re-signing an Enterprise iOS app

If you have an in-house app that you've distributed across your organisation as part of the iOS Enterprise program, you may find that the app stops working or installing.

This is likely because your provisioning profile and/or certificate has expired.

If you look at the console (in Xcode, Devices), you'll see something like:

Apr 26 15:05:58 iPad amfid[3086] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]  
Apr 26 15:05:58 iPad amfid[3086] <Error>: /private/var/mobile/Containers/Bundle/Application/256F1EAD-8F72-49CA-AC96-A50CD52F788A/MyApp.app/MyApp not valid: 0xe8008015: A valid provisioning profile for this executable was not found.  
Apr 26 15:05:58 iPad com.apple.xpc.launchd[1] (UIKitApplication:nz.arun.MyApp[0xba97][3105]) <Notice>: Service exited due to signal: Killed: 9  

The error message tells the truth: the provisioning profile is not valid. You will need a new one.

Go to the iOS portal, and renew your provisioning profile. You might have lost your certificate, too. You can request a new one (a separate process). If you've changed certificates, then don't renew the profile. "Edit" it, and choose the new certificate. You'll then have a new provisioning profile that works with your new certificate.

Now to re-sign the application. You can do this without the original source. Just grab the previously published .ipa file.

Before you start, you'll need to create a new Entitlements.plist file. This used to be required in the old days. I think Xcode takes care of it for you now. But for this manual re-sign process, you'll have to do it yourself. It should look something like this (using the App ID that's in your provisioning profile):

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">  
<plist version="1.0">  
<dict>  
<key>application-identifier</key>  
<string>ABCDE12345.nz.arun.MyApp</string>  
<key>get-task-allow</key>  
<false/>  
</dict>  
</plist>  

Then you need to unzip the .ipa, delete the old signature, copy over the new provisioning profile, sign the app again, and re-zip it:

unzip MyApp.ipa  
rm -rf Payload/MyApp.app/_CodeSignature/  
cp ~/Downloads/MyApp.mobileprovision Payload/MyApp.app/embedded.mobileprovision  
codesign -f -s "iPhone Distribution: My Enterprise Ltd" --entitlements entitlements.plist Payload/MyApp.app  
zip -qr MyAppResigned.ipa Payload/  

Then you can put that .ipa where the old one was, and you're good to go again.