I can believe fly.

Thursday, March 2, 2017

使用codesign重签名ipa包

重新签名步骤

解压
unzip ysl.ipa

移除旧签名
rm -r "Payload/ysl.app/_CodeSignature" 2> /dev/null | true

替换 provisioning profile
cp "$MOBILEPROVISION" "Payload/ysl.app/embedded.mobileprovision"

entitlements生成
/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$MOBILEPROVISION") > "entitlements.plist"

重新签名
/usr/bin/codesign -f -s "iPhone Distribution: xxx” "--entitlements "entitlements.plist" "Payload/ysl.app"
例如:/usr/bin/codesign -f -s 8F16D32B97E8564C20613BC00699E547B265D62C --entitlements entitlements.plist Payload/ysl.app

验证签名
spctl -a -v Payload/ysl.app
/usr/bin/codesign --verify --deep --verbose=3 Payload/ysl.app

重新打包
zip -qr "ysl.resigned.ipa" Payload


重签名问题

【问题】 ERROR ITMS-90166: "Missing Code Signing Entitlements. No entitlements found in bundle 'com.ysl' for executable ‘Payload/ysl.app/ysl'.""
【解决】签名需要的Entitlements信息可以通过两个地方获取,一个是编译后生成在build/Distribute-iphone/objects/ysl.build/Distribute-iphoneos/ysl.build/ysl.app.xcent
另一种是通过从profile里获取,即/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i ~/ProvisioningProfiles/AppStore_com.ysl.mobileprovision) > entitlements.plist

【问题】ERROR ITMS-90179: "Invalid Code Signing. The executable ‘Payload/ysl.app/ysl' must be signed with the certificate that is contained in the provisioning profile."
【解决】发现是重签名指定的证书与 provisioning profile不匹配,重新分配。

[问题iPhone Distribution: xxxxx.: ambiguous (matches "iPhone Distribution: xxxxx" and "iPhone Distribution: xxxxx" in /Users/elian/Library/Keychains/ci.keychain)
按照官方提供的方案是需要删除重复的证书。但由于我们的环境是需要多证书的。故使用另一种方式解决,即获取证书的sha1值,在指定--sign时,后面跟上签名证书的sha1.例如:/usr/bin/codesign -f -s 8F16D32B97E8564C20613BC00699E547B265D62C 

如何获取sha1配置:
security find-identity -p codesigning login.keychain
8G16D32B97E8564C20613BC00699E547B265D26C "iPhone Distribution: Company11 name
003981HH13D6226942D43525E6045A23525A85AC "iPhone Distribution: Company22 name"
158DD26AD3B200CF12FE79C66CA9830C52D7813D"iPhone Distribution: Company33 name"

case “$signTeamName" in 
  *11*)
    signIdentity=9G16D32B97E8564C20613BC00699E547B265D35u
    ;;
  *22*)
    signIdentity=003981HH13D6226942D43525E6045A23525A85TD
    ;;
  *33*)
    signIdentity=868DD26AD3B200CF12FE79C66CA890C52D7890I
    ;;      
esac




No comments: