July 02, 2014

Signing ipa for different team ids

As soon as you leave the cozy Xcode’s build process, you find yourself fiddling with codesign dealing with, well, code signing. There are many tools that suppose to ease up the process: ota-tools, shenzhen and gists to name a few. However, once in a while you find yourself in need of more flexible solution.

Our flow includes distributing betas from one Apple account and submitting to the App Store from another. This calls for:

  • Modifying whole bunch of resources (visual and internal such as bundle id);
  • Obtaining new entitlements file;
  • Sign ipa again.

Modify resources is easy – everyone used PlistBuddy to change the app version. The trickier part is to obtain new entitlements. Remember new app id and a team id? Old entitlements simply won’t work (think keychain access etc).

Most of the articles on the internet cover signing of the apps with the same bundle ids. Therefore, no issues were noticed.

So where to find an entitlements file? “Capabilities” pane, introduced in Xcode 5, took away the pane of dealing with most of routine. But it comes with a price: unless you explicitly create an entitlements file or trigger one of the capabilities that would do it for you, you will never see it in your project folder.

The file is still being generated when “Code Signing” project setting demands so. Even if you add an entitlements file explicitly to your project, by default it will contain placeholders that would be populated according to the selected team, app id etc but only during the build. This file is generated at $DERIVED_FILES_DIR/$PRODUCT_NAME.xcent.

On the day of writing this post I have not received any answer nor on Apple developer forums nor on Stack Overflow. That brought me to two possible solutions, either generate plist on the fly during signing or simply use the one that was generated previously by Xcode.

So the workflow itself is quite trivial:

  1. Unzip existent ipa;
  2. Replace bundle ids, versions, display and product names;
  3. Replace all resources that might be App Store unsafe (e.g. we watermark beta builds with versions to point to Jenkins jobs, which, in turn, points to a particular commit on GitHub);
  4. Obtain / generate new entitlements file (stil unclear what is the best way to do it, for now it’s hardcoded);
  5. Sign using codesign tool;
  6. Ship it!

Here is a ruby script that is tailored for our needs, but I’m sure, you can tweak it to a certain extent.

By the way, if you know an answer to my question, please drop me a line.