Question
I use a continuous integration tool that builds an app using a Distribution identity and an Ad Hoc mobile provision. This app is sent on a web site for ad-hoc deployment and everything works well.
But now I would like to add a step in my build workflow to execute UI Automation tests. Instruments needs an app signed with a Developer identity, so instead of building a new version of the app signed with a developer certificate, I want/need (the Q.A. team wants, actually) to resign the previously created .ipa with developer certificates. I use the following commands to resign the app:
unzip "App.ipa"
rm -rf "Payload/App.app/_CodeSignature" "Payload/App.app/CodeResources"
cp "Dev.mobileprovision" "Payload/App.app/embedded.mobileprovision"
/usr/bin/codesign -f -s "iPhone Developer: john doe" --resource-rules "Payload/App.app/ResourceRules.plist" "Payload/App.app"
Then I use fruitstrap to install the "Payload/App.app" (I tried to just install using the Organizer; it does not change anything), and I finally execute Instruments like this:
instruments -w 5f9...3fd -t /Applications/Xcode.app/Contents/Applications/Instruments.app/Contents/PlugIns/AutomationInstrument.bundle/Contents/Resources/Automation.tracetemplate "App" -e UIASCRIPT /Users/../automation-tests-scripts/test-instruments.js -e UIARESULTSPATH /Users/../test-reports/
Instruments fails with the following error:
2013-11-28 14:32:56.679 instruments[68408:1007] Permission to debug com.company.App was denied. The app must be signed with a development identity (e.g. iOS Developer).
2013-11-28 14:32:56.681 instruments[68408:1007] Recording cancelled : At least one target failed to launch; aborting run
Instruments Trace Error : Error Domain=com.apple.instruments Code=1 "Error Starting Recording" UserInfo=0x7fb15b290560 {NSLocalizedDescription=Error Starting Recording, NSLocalizedRecoverySuggestion=At least one target failed to launch; aborting run}
Instruments Trace Error : Failed to start trace.
These commands work on iOS devices running iOS 6.x but fail with the previous error on iOS 7.x only (I tried 2 iOS 6.x devices, iPhone 4S and 5, and I also tried with 4 devices running iOS 7.x). So the problem is related to iOS 7.
If the application is built directly with the Developer identity it works well, so I guess that something failed in the signing phase. I also did a codesign -d -vvv on the resigned app and it shows this output:
Executable=/Users/.../App.app/App
Identifier=com.company.App
Format=bundle with Mach-O universal (armv7 armv7s)
CodeDirectory v=20100 size=8547 flags=0x0(none) hashes=420+3 location=embedded
Hash type=sha1 size=20 CDHash=f00fac8eabf174e88042f2b875505a6cacdd6b0a
Signature size=4326
Authority=iPhone Developer: john doe (BXX559V2VW)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=28 nov. 2013 11:56:04
Info.plist entries=27
Sealed Resources version=2 rules=5 files=290
Internal requirements count=2 size=708
I looked at Xcode's signing process and it exports a "CODESIGN_ALLOCATE" variable. I tried that and I did not get more success.
PS: I read somewhere about the "iOS Developer" that could have replaced "iPhone Developer" in certificates titles, but I did not find more information about this.
Answer 1:
If you want to adapt your original entitlements you can do this.
Grab the original distribution entitlements:
/usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i production.app/embedded.mobileprovision) > entitlements.plist
Turn them into Development entitlements with
/usr/libexec/PlistBuddy -c 'Set :get-task-allow true' entitlements.plist
and update any other entitlements that can differ, e.g. push notifications
/usr/libexec/PlistBuddy -c 'Set :aps-environment development' entitlements.plist
P.S. No need to remove _CodeSignature; codesign -f will replace it for you.
Answer 2:
I finally found the problem. When a developer identity is used during a build, Xcode embeds an Entitlements.plist file that contains a get-task-allow => true; when the identity is distribution, this get-task-allow is set to false. When the "distribution" app was "resigned", I was not passing a --entitlements option to codesign, so the app was still not a valid "developer" app for Instruments.
Adding an Entitlements.plist file with get-task-allow set to true in my project and referencing it in my Distribution configuration solved the problem. Now when the app is built it contains get-task-allow => true, and when it is resigned, I pass this same Entitlements.plist to the codesign option.
It works for now, I hope that the other keys added by Xcode to the Entitlements file won't miss (since the one I'm using in my codesign command call only contains the get-task-allow key).
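An added example (not part of either answer), in Python: it applies Answer 1's two edits to a full entitlements dictionary, so the other keys that Answer 2 worries about are kept, and then lists the keys that still differ from the development profile's entitlements. The sample profile, team ID and function names are constructed, and the matching rule is a simplification, not Apple's validation logic.

```python
import plistlib

# Constructed sample: junk bytes stand in for the CMS envelope of a real profile.
SAMPLE_PROFILE = b"\x30\x82junk" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>get-task-allow</key><true/>
    <key>aps-environment</key><string>development</string>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
  </dict>
</dict></plist>""" + b"\x00sig"

# Constructed sample: entitlements of the distribution-signed app.
DIST = {
    "application-identifier": "ABCDE12345.com.company.App",
    "get-task-allow": False,
    "aps-environment": "production",
    "keychain-access-groups": ["ABCDE12345.com.company.App"],
}

def profile_entitlements(blob):
    """Slice the plist out of a profile blob (does NOT verify the CMS signature)."""
    start, end = blob.index(b"<?xml"), blob.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(blob[start:end])["Entitlements"]

def to_development(dist):
    """Answer 1's edits: keep every key, change only the development-specific ones."""
    dev = dict(dist)
    dev["get-task-allow"] = True
    if "aps-environment" in dev:
        dev["aps-environment"] = "development"
    return dev

def matches(value, granted):
    """Simplified match: trailing '*' is a prefix wildcard, lists match item-wise."""
    if isinstance(granted, list):
        values = value if isinstance(value, list) else [value]
        return all(any(matches(v, g) for g in granted) for v in values)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(value, str) and value.startswith(granted[:-1])
    return value == granted

def differs_from_profile(ents, profile):
    """Keys absent from the profile or carrying a value it does not match."""
    return sorted(k for k, v in ents.items()
                  if k not in profile or not matches(v, profile[k]))

if __name__ == "__main__":
    profile = profile_entitlements(SAMPLE_PROFILE)
    print(differs_from_profile(DIST, profile))                  # before the edits
    print(differs_from_profile(to_development(DIST), profile))  # after the edits
```

On macOS, `security cms -D` from Answer 1 is the way to decode a real profile; the byte slice here only keeps the example runnable offline.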
Source: https://stackoverflow.com/questions/20268172/resign-ios-app-from-a-distribution-identity-to-a-developer-identity