Hi,
I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.
Sorry, I'm a bit confused. Any help would be appreciated.
It is possible to manually re-sign an app. The basic process is the same as signing the app in the first place. If you want to do this manually, see:
Is it possible to keep the entitlements … ?
That depends on whether:
The entitlement is restricted or not — An unrestricted entitlement doesn’t need to be authorised by a provisioning profile, and that means there are no constraints on your re-signing code that claims it. A restricted entitlement must be authorised by a profile, which complicates things. See TN3125 Inside Code Signing: Provisioning Profiles for more background on this.
If the entitlement is restricted, if you’re signing identity’s certificate is included in the original provisioning profile — In that case, you don’t need to create a new profile.
Otherwise, if you can create a new profile to authorise your claim to that entitlement — Here you’ll need to create a new profile and embed it in your app before re-signing.
including com.apple.application-identifier
That entitlements is restricted. It’s also tied to your team, so if re-signing is only possible if your signing identity’s certificate was issued by the same team as the original app.
I want to resign the whole app including the plugins and frameworks
Keep in mind that entitlements are only relevant to executables. You shouldn’t sign frameworks and traditional [1] plug-ins with entitlements. Doing so won’t do anything useful and can cause problems.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] By this I mean a plug-in whose code is a bundle or dynamic library. New style plug-ins, app extensions and system extensions, have code that’s an executable and thus can claim entitlements.
Thanks for your reply! I first resigned all my code with --deep, and then my executable with the entitlements. Now my app can't open. The console shows: Disallowing com.myapp because no eligible provisioning profiles found.
I first resigned all my code with --deep, and then my executable with the entitlements.
Don’t use --deep. Even if you ignore the entitlement issue, it has other issues [1].
Rather, sign each code item separately, from the inside out. Creating distribution-signed code for macOS has specific advice on this topic.
The console shows …
As I mentioned above, you may need to install new provisioning profiles, depending on your entitlement use and the relationship between your new code-signing identity and the previous code-signing identity.
If you do need new profiles, install them before you start signing (because changing a profile afterwards will break the seal on the code signature).
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Specifically, it has its own views of how a bundle should be structured, and those don’t necessarily align with the documented rules in Placing Content in a Bundle.
Thanks, I'll try that.
