Resign MacOS App

Question

JxxIT OP

Created 1w

Replies 4

Boosts 0

Participants 2

Hi,

I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.

Sorry, I'm a bit confused. Any help would be appreciated.

Answered by DTS Engineer in 791988022

It is possible to manually re-sign an app. The basic process is the same as signing the app in the first place. If you want to do this manually, see:

Is it possible to keep the entitlements … ?

That depends on whether:

The entitlement is restricted or not — An unrestricted entitlement doesn’t need to be authorised by a provisioning profile, and that means there are no constraints on your re-signing code that claims it. A restricted entitlement must be authorised by a profile, which complicates things. See TN3125 Inside Code Signing: Provisioning Profiles for more background on this.
If the entitlement is restricted, if you’re signing identity’s certificate is included in the original provisioning profile — In that case, you don’t need to create a new profile.
Otherwise, if you can create a new profile to authorise your claim to that entitlement — Here you’ll need to create a new profile and embed it in your app before re-signing.

including com.apple.application-identifier

That entitlements is restricted. It’s also tied to your team, so if re-signing is only possible if your signing identity’s certificate was issued by the same team as the original app.

I want to resign the whole app including the plugins and frameworks

Keep in mind that entitlements are only relevant to executables. You shouldn’t sign frameworks and traditional [1] plug-ins with entitlements. Doing so won’t do anything useful and can cause problems.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] By this I mean a plug-in whose code is a bundle or dynamic library. New style plug-ins, app extensions and system extensions, have code that’s an executable and thus can claim entitlements.

Boost

Answer 1

DTS Engineer OP

Apple

5d

Recommended

It is possible to manually re-sign an app. The basic process is the same as signing the app in the first place. If you want to do this manually, see:

Is it possible to keep the entitlements … ?

That depends on whether:

The entitlement is restricted or not — An unrestricted entitlement doesn’t need to be authorised by a provisioning profile, and that means there are no constraints on your re-signing code that claims it. A restricted entitlement must be authorised by a profile, which complicates things. See TN3125 Inside Code Signing: Provisioning Profiles for more background on this.
If the entitlement is restricted, if you’re signing identity’s certificate is included in the original provisioning profile — In that case, you don’t need to create a new profile.
Otherwise, if you can create a new profile to authorise your claim to that entitlement — Here you’ll need to create a new profile and embed it in your app before re-signing.

including com.apple.application-identifier

That entitlements is restricted. It’s also tied to your team, so if re-signing is only possible if your signing identity’s certificate was issued by the same team as the original app.

I want to resign the whole app including the plugins and frameworks

Keep in mind that entitlements are only relevant to executables. You shouldn’t sign frameworks and traditional [1] plug-ins with entitlements. Doing so won’t do anything useful and can cause problems.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] By this I mean a plug-in whose code is a bundle or dynamic library. New style plug-ins, app extensions and system extensions, have code that’s an executable and thus can claim entitlements.

1

Answer 2

JxxIT OP

5d

Thanks for your reply! I first resigned all my code with --deep, and then my executable with the entitlements. Now my app can't open. The console shows: Disallowing com.myapp because no eligible provisioning profiles found.

0

Answer 3

DTS Engineer OP

Apple

4d

I first resigned all my code with --deep, and then my executable with the entitlements.

Don’t use --deep. Even if you ignore the entitlement issue, it has other issues [1].

Rather, sign each code item separately, from the inside out. Creating distribution-signed code for macOS has specific advice on this topic.

The console shows …

As I mentioned above, you may need to install new provisioning profiles, depending on your entitlement use and the relationship between your new code-signing identity and the previous code-signing identity.

If you do need new profiles, install them before you start signing (because changing a profile afterwards will break the seal on the code signature).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Specifically, it has its own views of how a bundle should be structured, and those don’t necessarily align with the documented rules in Placing Content in a Bundle.

1

Answer 4

JxxIT OP

4d

Thanks, I'll try that.

0