Re: Re-Signing iPhone App?
Re: Re-Signing iPhone App?
- Subject: Re: Re-Signing iPhone App?
- From: Gwynne Raskind <email@hidden>
- Date: Mon, 25 May 2009 14:59:12 -0400
On May 25, 2009, at 10:19 AM, Alexander von Below wrote:
I understand that by the subject message, it sounds like an iPhone
question, but I firmly believe this is a "Tools" question, and thus
appropriate for this list. Please let me know if I am wrong.
It's a little bit of both, actually, but my personal opinion is that
it counts *enough* as a Tools question to get answered here :).
"We" in this case is a large enterprise organization (ca. 250,000
employees -- if you must know who exactly to answer, contact me off-
list). A vendor wants to send us an iPhone application for review.
This review will be done by a number of people, in a number of near
and remote locations, and it would be somewhat tedious to compile
all UUIDs. Also, we may be hogging precious UUID space in our
vendors profile. Thus, we would prefer this app to be signed with
our Enterprise Certificate.
However, we don't trust the vendor enough to add him to our iPhone
Developer Program, let alone send him the certificate with a private
key.
Quite sensible of you.
So here is the question:
Is it feasible for the vendor to create an unsigned binary of the
application, and we sign it (here) with our enterprise certificate?
I realize that everything should be in the detailed build output of
Xcode, but the main question is: How can someone not sign an iPhone
App, but have an executable to sign later.
Why in the world not? If you watch Xcode build an iPhone app, you'll
see that code signing is just an extra build phase that Xcode tacks
onto the end of builds when a code signing certificate is selected in
the build settings. Choose "Don't Code Sign" from the Code Signing
Identity popup.
Oops!
"CodeSign error: code signing is required for product type
'Application' in SDK 'Device - iPhone OS 2.2.1'"
Oh well. Guess you *do* have to sign every app that Xcode builds for
iPhone. I don't doubt you could research how to break that requirement
- you'd probably find it in the same place as docs for jailbreaking -
but you don't have to.
Fortunately, the codesign utility comes with a handy-dandy -f option.
When used, it replaces an existing signature. Get your vendor to send
you his binary signed normally, then run in Terminal:
/bin/sh -c 'CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/
Developer/usr/bin/codesign_allocate codesign -f -s your-enterprise-
signing-identity-here /path/to/vendor/binary'
In other words, recreate Xcode's code signing build phase. You don't
need an unsigned binary; you can overwrite an existing signature with
your own.
(For those wondering, I tossed in the /bin/sh -c bit just in case the
default shell on the computer in question isn't bash :).
Hope this helps!
-- Gwynne, Daughter of the Code
"This whole world is an asylum for the incurable."
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden