How to Privately Code Sign Sealed iOS Apps using DevSecOps Build System

Last updated April 24, 2023 by Appdome


Signing iOS applications is required in order to install them on mobile devices. Many teams sign within their development and integration platform, but some are required to sign applications on designated computers in order to keep the signing credentials within a trusted environment. This Knowledge Base article summarizes how to privately sign Secured or Shielded iOS Apps.

We hope you find it useful and enjoy using Appdome!

Sign iOS Apps Locally

Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate features to any mobile app – instantly, no code or coding required.

After building an iOS app on the Appdome platform, Appdome recommends signing apps on the Appdome platform. With the click of the Sign button, the Appdome platform:

  • Verifies the components of the certificate, entitlements, and provisioning profile to ensure all the components of an app are signed properly.
  • Resolves mismatching entitlements which can occur if the provisioning profile provided does not match the entitlements within an app.
  • Does not modify the iOS app in any way. This is important so signing does not trigger a violation due to the anti-tampering protection that is automatically integrated into built apps.

For security reasons, by default, the Appdome platform does not store any certificate, certificate password, or provisioning profile used when signing apps on the platform. Once the user session is closed, the certificate, certificate password, and provisioning profile are permanently removed.

If you are required to sign iOS apps locally off the Appdome platform, you can follow the process in this KB article to sign your app.

Important Prerequisite Notes

Every time you build an app on Appdome, the final package is sealed, signed and protected automatically by ONEShield, Appdome’s app hardening (app shielding) technology. This protects the app from tampering, reverse engineering or other methods of compromise. To ensure Anti-tampering protection while signing locally, Appdome still needs to seal the app using the provisioning profile. Hence, the private signing process requires the provisioning profile.

Furthermore, the below process will only work for applications that are developed and signed in Xcode (or any other development framework) by the same certificates, provisioning profiles, and credentials that you will use to sign locally after Appdome. That is due to mismatching entitlements that may prevent the application from installing. On the Appdome platform, you can sign any app with any certificate, since the Appdome platform resolves mismatching entitlements and performs enhanced in-depth checks.

Prerequisites

  1. Appdome-GO access
  2. A Mac OS X computer
  3. The certificate (with private key) in Keychain Access that was used to sign the app in Xcode before uploading the .ipa to Appdome. More on creating Certificates can be read here.
  4. A provisioning profile for each executable that requires signing. The provisioning profiles must be the same ones that were used to sign the app in Xcode before uploading the .ipa to Appdome. The App ID of the provisioning profile should be either a Wildcard or match the bundle id of the executable that needs signing. The provisioning profile should have the entitlements that are requested by the executable. If the fusion or the app needs App Groups, the provisioning profile should contain them.
  5. The built .ipa downloaded from Appdome without signing, by selecting the Private Signing option.
  6. The vanilla (non-built) app
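A pre-flight check for the entitlement mismatch described above and in prerequisite 4, added here as an example and not part of the Appdome article: it pulls the Entitlements dictionary out of a .mobileprovision (the profile is a CMS envelope around an XML plist, so the byte search below is an assumption that holds for portal-issued profiles) and reports which entitlements requested by the vanilla executable the profile does not grant. The profile and entitlements bytes are constructed samples.

```python
import plistlib

# Constructed sample of a .mobileprovision: CMS/DER bytes wrapped around an XML plist.
SAMPLE_PROFILE = (
    b"\x30\x82\x04\x00junk-cms-header"
    b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>Entitlements</key><dict>"
    b"<key>application-identifier</key><string>ABCDE12345.com.example.*</string>"
    b"<key>com.apple.security.application-groups</key>"
    b"<array><string>group.com.example.shared</string></array>"
    b"</dict></dict></plist>"
    b"\x00\x01junk-signature-bytes"
)
# Constructed sample of what `codesign -d --entitlements :-` prints for the vanilla app.
SAMPLE_ENTITLEMENTS = (
    b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>application-identifier</key><string>ABCDE12345.com.example.app</string>"
    b"<key>com.apple.security.application-groups</key>"
    b"<array><string>group.com.example.shared</string></array>"
    b"<key>aps-environment</key><string>production</string>"
    b"</dict></plist>"
)

def profile_entitlements(profile_bytes):
    """Return the Entitlements dict from the plist embedded in a .mobileprovision."""
    start = profile_bytes.index(b"<?xml")
    end = profile_bytes.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(profile_bytes[start:end])["Entitlements"]

def app_id_matches(profile_app_id, requested_app_id):
    """Profile App ID must equal the requested one or be a wildcard prefix (TEAMID.com.example.*)."""
    if profile_app_id == requested_app_id:
        return True
    return profile_app_id.endswith(".*") and requested_app_id.startswith(profile_app_id[:-1])

def missing_entitlements(profile_bytes, entitlements_bytes):
    """List requested entitlement keys the profile does not grant (list values must be a subset)."""
    granted = profile_entitlements(profile_bytes)
    requested = plistlib.loads(entitlements_bytes)
    missing = []
    for key, value in requested.items():
        if key == "application-identifier":
            if not app_id_matches(granted.get(key, ""), value):
                missing.append(key)
        elif key not in granted:
            missing.append(key)
        elif isinstance(value, list) and not set(value) <= set(granted[key]):
            missing.append(key)
    return missing

if __name__ == "__main__":
    print("not covered by profile:", missing_entitlements(SAMPLE_PROFILE, SAMPLE_ENTITLEMENTS))
```

Run it against the real files with `open(path, "rb").read()` for the profile and the output of `codesign -d --entitlements :- <vanilla bundle>` for the entitlements; a non-empty result means the install will fail for the reason described above.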

3 Easy Steps to Privately Sign Secured or Shielded iOS Apps

Follow these step-by-step instructions to Privately Sign Secured or Shielded iOS Apps.

  1. Download the secured IPA
    * In the Sign tab, select Private Signing under How Would You Like to Sign?
    * Go to the Deploy tab and click Download my Built app.
  2. Unzip the secured IPA as well as the original (vanilla) IPA
    unzip <built_ipa_path>.ipa -d BUILT_OUTPUT_FOLDER
    unzip <vanilla_ipa_path>.ipa -d VANILLA_OUTPUT_FOLDER
  3. Sign the application executables, in the correct order (nested bundles first, the main application executable last)

If you have a WatchKit app (sign the WatchKit extension first, then the Watch app):

cp "<path to watchkit extension mobile provision>" "BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/PlugIns/<watchkit_extension_name>.appex/embedded.mobileprovision"
codesign -d --entitlements :- "VANILLA_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/PlugIns/<watchkit_extension_name>.appex/" > WATCHKIT_EXTENSION_ENTITLEMENT.plist
codesign -f -s "<Name in Keychain Access>" --entitlements WATCHKIT_EXTENSION_ENTITLEMENT.plist "BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/PlugIns/<watchkit_extension_name>.appex/"
cp "<path to watchkit mobile provision>" "BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/embedded.mobileprovision"
codesign -d --entitlements :- "VANILLA_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/" > WATCHKIT_ENTITLEMENT.plist
codesign -f -s "<Name in Keychain Access>" --entitlements WATCHKIT_ENTITLEMENT.plist "BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Watch/<watchkit_name>.app/"

If you have an app extension, for each app extension:

cp <path to app extension mobile provision> BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/PlugIns/<plugin_name>.appex/embedded.mobileprovision
codesign -d --entitlements :- VANILLA_OUTPUT_FOLDER/Payload/<app_name>.app/PlugIns/<plugin_name>.appex/ > PLUGIN_ENTITLEMENT.plist
codesign -f -s "<Name in Keychain Access>" --entitlements PLUGIN_ENTITLEMENT.plist BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/PlugIns/<plugin_name>.appex/

REQUIRED – To sign the Appdome library:

cp <path to main app mobile provision> BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Frameworks/libloader.framework/embedded.mobileprovision
printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' '<plist version="1.0">' '<dict>' '</dict>' '</plist>' > EMPTY_ENTITLEMENT.plist
codesign -f -s "<Name in Keychain Access>" --entitlements EMPTY_ENTITLEMENT.plist BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Frameworks/libloader.framework/

If there are frameworks needing signing (e.g. the F5 Anti-Bot framework), sign each of them with the empty entitlements file:

cp <path to main app mobile provision> BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/embedded.mobileprovision
codesign -f -s "<Name in Keychain Access>" --entitlements EMPTY_ENTITLEMENT.plist "BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/Frameworks/<framework_name>.framework/"

REQUIRED – To sign the main application executable:

cp <path to main app mobile provision> BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/embedded.mobileprovision
codesign -d --entitlements :- VANILLA_OUTPUT_FOLDER/Payload/<app_name>.app/ > MAIN_ENTITLEMENT.plist
codesign -f -s "<Name in Keychain Access>" --entitlements MAIN_ENTITLEMENT.plist BUILT_OUTPUT_FOLDER/Payload/<app_name>.app/


Next, zip the IPA again:

cd BUILT_OUTPUT_FOLDER && zip -qr ../<signed_ipa_name>.ipa . && cd ../

The IPA created by this process should not be altered in any form. Now that the app is signed, changing any file inside the zip will invalidate the iOS signature and prevent the app from being installed.

Finally, upload your signed app to Appdome’s validation service and verify it is signed correctly.

For every framework that isn’t signed correctly, follow the steps under the “To sign the Appdome library” section. This is required for frameworks that are added to your app in the fusion process, for example the F5 Anti-Bot framework.
For more on Appdome’s app validation, please read this knowledge base article.

After signing a framework, the main executable must be signed again.
The main executable must be signed last since it contains the signatures of all the frameworks and plugins.
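A small planner for step 3 and the ordering rule just stated, added here as an example and not Appdome's own tooling: it lists the bundles under Payload/, orders them so every nested bundle is signed before the bundle that contains it (the main .app always last), and emits the codesign command lines of step 3 without running them. BUILT_OUTPUT_FOLDER, VANILLA_OUTPUT_FOLDER and the identity placeholder come from the article; the bundle list is a constructed sample and the per-bundle .entitlements.plist file names are an assumption of this example.

```python
import os

BUNDLE_SUFFIXES = (".appex", ".framework", ".app")
# Constructed sample of the bundles found under BUILT_OUTPUT_FOLDER/Payload.
SAMPLE_BUNDLES = [
    "MyApp.app",
    "MyApp.app/Frameworks/libloader.framework",
    "MyApp.app/PlugIns/Share.appex",
    "MyApp.app/Watch/MyWatch.app",
    "MyApp.app/Watch/MyWatch.app/PlugIns/MyWatch Extension.appex",
]

def find_bundles(payload_dir):
    """Collect every .app/.appex/.framework directory below Payload/ (relative paths)."""
    found = []
    for root, dirs, _ in os.walk(payload_dir):
        for name in dirs:
            if name.endswith(BUNDLE_SUFFIXES):
                found.append(os.path.relpath(os.path.join(root, name), payload_dir))
    return found

def signing_order(bundles):
    """Deepest bundles first so each container seals already-signed children;
    among siblings extensions, then frameworks, then .app; the top-level .app last."""
    rank = {".appex": 0, ".framework": 1, ".app": 2}
    def key(rel):
        parts = rel.rstrip("/").split("/")
        return (-len(parts), rank[os.path.splitext(parts[-1])[1]], rel)
    return sorted(bundles, key=key)

def sign_commands(bundles, identity, built="BUILT_OUTPUT_FOLDER", vanilla="VANILLA_OUTPUT_FOLDER"):
    """Emit the step-3 command lines in signing order without running them.
    Entitlements are read from the vanilla copy; frameworks get the empty plist
    (the embedded.mobileprovision copies from the article are assumed done)."""
    cmds = []
    for rel in signing_order(bundles):
        target = os.path.join(built, "Payload", rel)
        if rel.endswith(".framework"):
            ent = "EMPTY_ENTITLEMENT.plist"
        else:
            ent = os.path.basename(rel) + ".entitlements.plist"
            src = os.path.join(vanilla, "Payload", rel)
            cmds.append(f"codesign -d --entitlements :- '{src}' > '{ent}'")
        cmds.append(f"codesign -f -s '{identity}' --entitlements '{ent}' '{target}'")
    return cmds

if __name__ == "__main__":
    print("\n".join(sign_commands(SAMPLE_BUNDLES, "<Name in Keychain Access>")))
```

On a real build, replace SAMPLE_BUNDLES with `find_bundles("BUILT_OUTPUT_FOLDER/Payload")` and review the printed lines before executing them; because the main .app is always emitted last, re-signing a framework simply means re-running the plan from that bundle onwards.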

How Do I Learn More?

Request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

To zoom out on this topic, visit The Appdome Platform section on our website.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.
