Auto-Dev Private Signing iOS Apps

Signing iOS applications is required in order to install them on mobile devices. Many individuals sign within their development and integration platform, but some are required to sign on designated computers in order to keep the signing credentials within a trusted environment. Appdome’s Auto-Dev Private Signing iOS Apps script allows users to sign fused apps locally without uploading the signing certificate to Appdome’s cloud service.

This Knowledge Base article provides step-by-step instructions on how to sign your iOS mobile app using Appdome’s Auto-Dev private signing script.

We hope you find this knowledge base useful and enjoy using Appdome!

About Auto-Dev Private Signing iOS Apps with Appdome Automatic Script

As an Appdome user, you can sign any Built app by using Appdome’s built-in signing capabilities, Appdome’s Auto-DEV Private Signing script, or your own mechanism outside of Appdome. It’s your choice. However, signing iOS applications outside of Xcode is complex: a developer needs to unzip the application, sign each executable and app extension with the correct certificate and provisioning profile in a specific order, and finally zip the files back into an .ipa, a process that is both tedious and prone to mistakes. Appdome’s Auto-DEV Private Signing script does all of this in seconds, correctly every time.

During the Appdome Build process, adapters are added to the app to achieve the desired added functionality. This invalidates the app’s original signature, so the app must be re-signed before it can be deployed on mobile devices. Appdome lets you sign your Built app by running a single script.

Appdome’s Auto-Dev Private Signing iOS Apps script allows users to sign Built apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script in your trusted environment extracts the app and signs it using a certificate in your Keychain.

Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate features to any mobile app – instantly, no code or coding required.

Prerequisites for Using Appdome’s Auto-DEV Private Signing Script

  • Appdome account – IDEAL or Higher.
  • Appdome-DEV access
  • iOS Mobile App
  • Signing Credentials (e.g., signing certificates and provisioning profile) – verify the certificate (with private key) was added to your local Keychain (to add it just ‘double click’ on the certificate).
  • Mac OS X computer with:
    • Python software (version 2.7 or higher)
    • Codesign – Apple utility that adds the signature directly to the executable file (Xcode version 10.1 or higher)

How to use Auto-Dev Private Signing iOS Apps

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

Complete the Build and Context workflow.

Select the Sign Tab. Note: a blue underline will appear showing the step is active.

  1. Select the signing method: Auto-DEV Private Signing.
  2. Upload the Provisioning Profile that matches your signing certificate.
  3. Wait for Appdome to verify the signing parameters, then click the Auto-DEV sign Privately button.
  4. Click Next once the Signing Script Generation is Complete!
  5. Click Download My Built App to download the automatic private signing script (sign.sh). Your Appdome Built unsigned app is embedded in this script.

How to Run Auto-DEV Private Script:

To run the automatic private signing script, use the following command:

./sign.sh --signer <"Signer Identity" or sha-1 hash> --output <signed_app_name>.ipa 

If you need some help with finding the value to enter for the Signer Identity you can enter this command:

./sign.sh --help

Note! In some environments, you may be required to grant executable permissions to the signing script (using chmod +x command):

chmod +x sign.sh

The Signer Identity is how the script identifies the certificate in the workstation’s Keychain Access. You can use either the certificate’s common name (enclosed in double quotes) or its SHA-1 fingerprint. To extract the certificate common name / SHA-1 fingerprint:

  • On your computer open the Keychain Access app.
  • Choose the certificate you wish to add and open the options menu (left-click).
  • Choose ‘Get info’.
  • Get the certificate common name / SHA-1 fingerprint.

Important Note! Codesign needs authorized access to your signing certificate in the Keychain. The password for your keychain is normally your user’s password (the one you use to log in on your computer). To ensure the automatic private signing script runs without interruptions, we recommend choosing ‘Always Allow’ when asked to authorize access to the Keychain.

Now you can run the automatic private signing script with your Signer Identity value:

Troubleshooting

If you have multiple certificates with the same common name, the script will prompt you to use the SHA-1 fingerprint (which is always unique). If you enter an invalid identifier (a typo or a non-existent certificate), the script will show an error and print all the valid identities:

$ ./sign.sh --signer <invalid_signer> --output signed_app.ipa
>>>
ERROR: The identity: invalid_signer was not found in the keychain.
Valid identities by name are:
iPhone Distribution: 
iPhone Distribution: 
Valid identitys by sha-1 are:

The script will notify you if the Signer Identity you are trying to use doesn’t match the provisioning profile used to seal the app, and will show you the valid identities:

$ ./sign.sh --signer <mismatched_signer> --output signed_app.ipa
>>>
INFO: Successfully matched certificate SHA-1 fingerprint [] in keychain
ERROR: The input certificate doesn't match the provisioning profile.
Valid certificates are:
Cert: [iPhone Distribution: ], with fingerprint: []
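
The two failures above (an ambiguous common name, and a certificate that is not in the provisioning profile) can be checked before running sign.sh. The following is an added example in Python 3, not Appdome’s script: it assumes the identity list comes from `security find-identity -v -p codesigning` and that the profile has already been decoded to a plist with `security cms -D -i <profile>`; the function names and all sample data are constructed for illustration.

```python
import hashlib
import plistlib
import re

# A `security find-identity` line:  1) <40 hex digits> "Common Name (TEAMID)"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.+)"\s*$')


def parse_identities(find_identity_output):
    """Return [(sha1, common_name)] for every identity line in the output."""
    found = []
    for line in find_identity_output.splitlines():
        m = IDENTITY_RE.match(line)
        if m:
            found.append((m.group(1).upper(), m.group(2)))
    return found


def profile_fingerprints(profile_plist):
    """SHA-1 of each DER certificate listed under DeveloperCertificates."""
    certs = plistlib.loads(profile_plist).get("DeveloperCertificates", [])
    return {hashlib.sha1(der).hexdigest().upper() for der in certs}


def resolve_signer(signer, identities, allowed):
    """Map a --signer value to exactly one fingerprint, or raise ValueError."""
    wanted = signer.replace(" ", "").upper()  # Keychain Access shows spaces
    if re.fullmatch(r"[0-9A-F]{40}", wanted):
        hits = [sha for sha, _ in identities if sha == wanted]
    else:
        hits = [sha for sha, name in identities if name == signer]
    if not hits:
        raise ValueError("identity not found in keychain")
    if len(hits) > 1:
        raise ValueError("common name is ambiguous, use the SHA-1 fingerprint")
    if hits[0] not in allowed:
        raise ValueError("certificate does not match the provisioning profile")
    return hits[0]


# Constructed sample data: fake DER blobs stand in for real certificates.
CERTS = [b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-C"]
FPS = [hashlib.sha1(c).hexdigest().upper() for c in CERTS]
SAMPLE_OUTPUT = (
    '  1) %s "iPhone Distribution: Example Corp (ABCDE12345)"\n'
    '  2) %s "iPhone Distribution: Example Corp (ABCDE12345)"\n'
    '  3) %s "iPhone Developer: Jane Doe (XYZ9876543)"\n'
    "     3 valid identities found\n") % tuple(FPS)
SAMPLE_PROFILE = plistlib.dumps({"DeveloperCertificates": [CERTS[0]]})
```

With the sample data, only the first fingerprint resolves; the shared common name is rejected as ambiguous and the third certificate is rejected because the profile does not list it.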

How Do I Learn More?

Learn more about Signing iOS Apps on Appdome or Request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Kai Kenan
