[iOS] note about codesign

This article is a note about codesign in iOS.

Apple provides the codesign CLI to manage code signing.

Once you unzip an .ipa file (the iOS case), the command lets you inspect the code signing data of the app inside.

$ unzip yourApp.ipa
$ codesign -dvvvv ./Payload/yourApp.app

Then you can see data like the following.

Executable=/path/to/yourApp.app/yourApp
Identifier=com.kazucocoa.youAppIdentifier
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=8842 flags=0x0(none) hashes=265+7 location=embedded
VersionPlatform=2
VersionMin=851968
VersionSDK=983040
Hash type=sha256 size=32
CandidateCDHash sha256=769463b4b2a36ea2bf4a211c01dd48132ec1be65
CandidateCDHashFull sha256=769463b4b2a36ea2bf4a211c01dd48132ec1be65ca1ac55fcea3be295e81e991
Hash choices=sha256
CMSDigest=769463b4b2a36ea2bf4a211c01dd48132ec1be65ca1ac55fcea3be295e81e991
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=376832
Executable Segment flags=0x11
Page size=4096
CDHash=769463b4b2a36ea2bf4a211c01dd48132ec1be65
Signature size=4742
Authority=Apple Development: Your dev name
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Oct 10, 2021 0:25:56
Info.plist entries=29
TeamIdentifier=xxxxxxxxxx
Sealed Resources version=2 rules=10 files=86
Internal requirements count=1 size=200

embedded.mobileprovision in the .app is the provisioning profile. _CodeSignature holds the signature information. So, when you remove _CodeSignature and replace embedded.mobileprovision with a new one, you can re-sign the .app with the new provisioning profile.

For example, codesign -f -s "Apple Development: Your dev name" /path/to/yourApp.app re-signs the .app with the given signing identity. Once you zip the .app back into an .ipa file, you can install it on a real device as well, provided the device is valid for the signature.

This command does not pass any entitlements, so the entitlements of the re-signed app may be blank. If the app has entitlements (a key-value plist), you can confirm them as below:

$ codesign -d --entitlements - UIKitCatalog.app
Executable=/path/to/yourApp.app/yourApp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>xxxxxxxxxx.com.kazucocoa.youAppIdentifier</string>
	<key>com.apple.developer.team-identifier</key>
	<string>xxxxxxxxxx</string>
	<key>get-task-allow</key>
	<true/>
</dict>
</plist>

man codesign gives you more hints about the command.

codesign --preserve-metadata=entitlements -f -s "Apple Development: Your dev name" /path/to/yourApp.app helps keep the entitlements as well.
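An added example, not from the original post: a Python check that reads the two outputs shown above (codesign -dvvvv and codesign -d --entitlements -) and flags a re-signed .app whose entitlements are missing or disagree with the signature. The function names, the embedded sample data, and the rule that application-identifier equals TeamIdentifier.Identifier (as in the sample above) are assumptions made for this example.

```python
import plistlib

# Constructed sample, shortened from the `codesign -dvvvv` output shown above.
SAMPLE_DETAILS = """\
Identifier=com.kazucocoa.youAppIdentifier
Authority=Apple Development: Your dev name
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=xxxxxxxxxx
"""

# Constructed sample: entitlements XML preceded by binary header bytes.
SAMPLE_ENTITLEMENTS = b"\xfa\xde\x71\x71\x00\x00\x01\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>xxxxxxxxxx.com.kazucocoa.youAppIdentifier</string>
<key>com.apple.developer.team-identifier</key><string>xxxxxxxxxx</string>
<key>get-task-allow</key><true/>
</dict></plist>"""


def parse_details(text):
    """Parse KEY=VALUE lines; a repeated key such as Authority keeps every value, in order."""
    fields = {}
    for key, sep, value in (line.partition("=") for line in text.splitlines()):
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_entitlements(raw):
    """Return the entitlements dict, or {} when the output holds no plist."""
    start = raw.find(b"<?xml")  # skip any header bytes emitted before the XML
    return plistlib.loads(raw[start:]) if start != -1 else {}


def audit(details_text, entitlements_raw):
    """Return findings for a (re-)signed .app; an empty list means nothing was flagged."""
    d, ent = parse_details(details_text), parse_entitlements(entitlements_raw)
    team, bundle_id = d.get("TeamIdentifier", [""])[0], d.get("Identifier", [""])[0]
    if not ent:
        return ["no entitlements in signature"]
    # Assumption: the App ID is exactly "<TeamIdentifier>.<Identifier>" (no wildcard).
    checks = {
        "application-identifier mismatch": ent.get("application-identifier") != f"{team}.{bundle_id}",
        "team-identifier mismatch": ent.get("com.apple.developer.team-identifier") != team,
        "get-task-allow is true": ent.get("get-task-allow") is True,
    }
    return [message for message, failed in checks.items() if failed]
```

When feeding real output, note that codesign prints the -dvvvv details on stderr, so that stream has to be captured.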

To allow apps with an old signature to install on iOS 15 (since it requires the new signature format), codesign -s "Your Codesign Identity" -f --preserve-metadata --generate-entitlement-der /path/to/MyApp.app, from https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format, may help.

About entitlements: https://developer.apple.com/documentation/bundleresources/entitlements
