
Question

Is it possible to resign/provision IPA's exported for the AppStore with a development certificate and profile?

I can do the actual resign and upon manual verification things seem fine, however any application I try this on crashes on launch. I am not trying to resign an app downloaded from the AppStore, these are applications built on my computer.

None of the popular tools seem to do it right either. Did anyone ever pull this off or is it impossible for some reason?

Findings

In the device log I don't see anything reported by the App process itself so the OS must have killed it before launch. I do see this:

securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>:  [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>

This seemed to indicate an issue with the entitlements. However, when I manually print them (/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist ) from the IPA I installed I have:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>application-identifier</key>
        <string>TEAMID.*</string>
        <key>com.apple.developer.default-data-protection</key>
        <string>NSFileProtectionComplete</string>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID</string>
        <key>get-task-allow</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
                <string>TEAMID.*</string>
        </array>
</dict>
</plist>

This clearly shows the get-task-allow entitlement to be true.

Tools

Whichever tool I try I end up with the same result, e.g

Similar Questions

Update 1

(reaction to @Yoshkebab)

Output of otool suggests the binary is not encrypted: otool -l App/Payload/App.app/App | grep -A 4 -i encrypt:

          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 0
    cryptsize 0
      cryptid 0
--
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 0
    cryptsize 0
      cryptid 0

However e.g. Hopper cannot disassemble it... Are there any references that Apple applies the encryption in Xcode? That would indicate they have that key on users' systems? Also I don't see build steps that would indicate this (codesign is just adding the signature, no?)

Clutch fails to see my application and Stefan Esser's dumpdecrypted library doesn't work because the app crashes immediately I suspect (my setup is ok because it works for other apps).

dzan
  • You are only printing the entitlements in the provisioning profile with plistbuddy, to find the entitlements in the app itself you will need to use `codesign -d --entitlements - [path to app binary]` – Tristan Burnside Aug 01 '17 at 12:08
  • The entitlements of the provision profile are the ones used to resign the binary, so after signing the output of the two will (should) be identical. – Jonas Aug 01 '17 at 13:54
  • You can't. Make sure you see [here](https://stackoverflow.com/a/30018835/5175709) and [here](https://stackoverflow.com/questions/37241579/install-claimed-to-have-succeeded-but-application-could-not-be-found-on-device/62432103#62432103) – mfaani Dec 14 '20 at 13:36

1 Answer


AppStore signed apps are not only signed by the developer's certificate, but the binary is also encrypted by Apple's private key. Thus you can resign the apps, but unless you decrypt the binary you won't be able to run them. Check out the binary's LC_ENCRYPTION_INFO load command (easiest way is to use MachOView); if you see a flag Crypt ID != 0, the binary is encrypted.

Assuming that it is, you can still do it, this is a bit tedious and you'll need a jailbroken device with the App installed.

  1. Connect to your device with SSH. Easiest way to do it is with gandalf
  2. Get Clutch and install it on your device - follow their instructions (I found that the easiest way to compile it is to change the package name)
  3. Dump the decrypted app into a new IPA (Clutch -d "YOUR_PACKAGE_ID")

Now you have a decrypted IPA that you can resign.

Yoshkebab
  • Do you have any references about Apple applying the DRM when a developer exports for the App Store? It would make sense for them to do that in the cloud after uploading? I'll update my post with more information about encryption etc. – dzan Aug 01 '17 at 10:54
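As an added example (not code from the question or the answer), the following Python script performs the same check as the `otool -l ... | grep -A 4 -i encrypt` command and the Crypt ID inspection described above, but programmatically: it walks the load commands of each architecture slice (thin or fat binary) and reports `cryptid`. The two sample binaries are constructed inline (a Mach-O header plus a single load command, no real code) so the block runs offline; the constants come from Apple's `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 0x0000000C, 0x0100000C

def encryption_info(thin):
    """Walk the load commands of one thin little-endian Mach-O slice and
    return (cryptoff, cryptsize, cryptid), or None if no LC_ENCRYPTION_INFO*."""
    magic, _, _, _, ncmds = struct.unpack_from("<5I", thin, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    off = 32 if magic == MH_MAGIC_64 else 28           # sizeof(mach_header[_64])
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", thin, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            return struct.unpack_from("<III", thin, off + 8)
        off += cmdsize
    return None

def scan(data):
    """Map cputype -> encryption info for every slice of a fat or thin binary."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:   # fat header is big-endian
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat)]
        return {ct: encryption_info(data[o:o + s]) for ct, _, o, s, _ in archs}
    return {struct.unpack_from("<I", data, 4)[0]: encryption_info(data)}

def is_fairplay_encrypted(data):
    """True if any slice has cryptid != 0, i.e. App Store DRM was applied;
    resigning such a binary will not make it launch."""
    return any(info and info[2] != 0 for info in scan(data).values())

# --- constructed sample binaries: header + one load command, no real code ---
def make_slice(cputype, cryptid):
    is64 = cputype == CPU_TYPE_ARM64
    lc, lcsize = (LC_ENCRYPTION_INFO_64, 24) if is64 else (LC_ENCRYPTION_INFO, 20)
    cmd = struct.pack("<IIIII", lc, lcsize, 0x4000, 0x10000, cryptid)
    cmd += b"\0" * 4 if is64 else b""                  # pad field of the 64-bit form
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 2, 1, len(cmd), 0)
    hdr += b"\0" * 4 if is64 else b""                  # reserved field of mach_header_64
    return hdr + cmd

def make_fat(slices):
    hdr = struct.pack(">II", FAT_MAGIC, len(slices))
    start, archs, blobs = 8 + 20 * len(slices), b"", b""
    for ct, blob in slices:
        archs += struct.pack(">5I", ct, 0, start + len(blobs), len(blob), 0)
        blobs += blob
    return hdr + archs + blobs

DEV_BUILD = make_fat([(CPU_TYPE_ARM, make_slice(CPU_TYPE_ARM, 0)), (CPU_TYPE_ARM64, make_slice(CPU_TYPE_ARM64, 0))])
STORE_BUILD = make_fat([(CPU_TYPE_ARM64, make_slice(CPU_TYPE_ARM64, 1))])
```

`DEV_BUILD` mirrors the cryptid 0 output shown in the question, while `STORE_BUILD` shows what the answer's Crypt ID != 0 case looks like.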