Re-signing iOS apps without Apple tools
Project description
A tool and library to re-sign iOS applications, without proprietary Apple software.
For example, an iOS app in development would probably only run on the developer’s iPhone. isign can alter the app so that it can run on another developer’s iPhone.
Apple tools already exist to do this. But with isign, now you can do this on operating systems like Linux.
Where to get it
The latest version can be installed via PyPi:
$ pip install isign
or:
$ easy_install isign
The source code repository and issue tracker are maintained on GitHub.
How to get started
Ensure openssl is at version 1.0.1j or better.
You’ll probably want libimobiledevice, so you can try installing your re-signed apps.
You’ll need an Apple Developer Account. Obtaining everything you need is beyond the scope of this documentation, but if you’re already making apps and running them on real iOS devices, you have everything you need.
You should have a key and certificate in Keychain Access, and a provisioning profile associated with that certificate, that you can use to sign iOS apps for one or more of your own iOS devices.
Caution: We’re going to be exporting important and private information out of Keychain Access. Keep these files secure, especially your private key.
First, make the .isign directory:
$ mkdir ~/.isign
Next, export your key and certificate from Keychain Access. In Keychain Access, open the Keys. Find the key you use to sign apps. Your certificate will appear as a “descendant” of this key. Right click on it and export the key as a .p12 file, let’s say Certificates.p12. If Keychain asks you for a password to protect this file, just leave it blank.
For security, you should immediately chmod 400 Certificates.p12, so only you can read it.
Next, let’s use openssl to split that into a PEM cert and a PEM key.
$ openssl pkcs12 -in Certificates.p12 -out ~/.isign/certificate.pem -clcerts -nokeys
$ openssl pkcs12 -in Certificates.p12 -out ~/.isign/key.pem -nocerts -nodes
$ chmod 400 ~/.isign/key.pem
Then delete Certificates.p12.
$ rm Certificates.p12
Finally, download a provisioning profile from the Apple Developer Portal that uses the same certificate. Save it as ~/.isign/isign.mobileprovision.
How to use isign
If you’ve installed all the files in the proper locations above, then isign can be now invoked on any iOS .app directory, or .ipa archive, or .app.zip zipped directory. For example:
$ isign -o resigned.ipa my.ipa
2015-10-28 16:14:30,548 - isign.app - INFO - archived Ipa to /home/alice/resigned.ipa
You can also call it from Python:
from isign import isign
try:
isign.resign("my.ipa", output_path="resigned.ipa")
except isign.NotSignable as e:
print "Not an iOS native app: " + e
isign command line arguments
Synopsis:
isign [-h] [-a <path to applecerts.pem>]
[-c <path to your cert in .pem form>]
[-k <path to your key in .pem form>]
[-p <your.mobileprovision>]
[-o <output path>]
<path to app to resign>
-a <path>, –apple-cert <path>
Path to Apple certificate in PEM format. This is already included in the library, so you will likely never need it. In the event that the certificates need to be changed, See the Apple Certificate documentation.
-c <path>, –certificate <path>
Path to your certificate in PEM format. Defaults to $HOME/.isign/certificate.pem.
-h, –help
Show a help message and exit.
-k <path>, –key <path>
Path to your private key in PEM format. Defaults to $HOME/.isign/key.pwm.
-o <path>, –output <path>
Path to write the re-signed application. Defaults to out in your current working directory.
-p <path>, –provisioning-profile <path>
Path to your provisioning profile. This should be associated with your certificate. Defaults to $HOME/.isign/isign.mobileprovision.
Testing
./run_tests.sh
Some tests require Apple’s codesign to run, so they are skipped unless you run them on a Macintosh computer with developer tools.
Packaging
If you were wondering what the version.sh and dev was all about, this library is packaged according to the Sauce Labs standard for Python packages. For the most part, you don’t have to touch those.
Community contributions
Sauce Labs supports ongoing public isign development. isign is a part of our infrastructure for the iOS Real Device Cloud, which allows customers to test apps and websites on real iOS devices. isign has been successfully re-signing submitted customer apps in production since June 2015.
Goals for this library include:
ongoing maintenance as new versions of iOS are released
speed improvements via parallelization and caching
better documentation of the data structures involved in code signing (LC_CODE_SIGNATURE)
public continuous integration - currently Sauce Labs tests every change to this library, but it should be more public
the thrilling work of code cleanups
Your contributions are valued and welcome. Get in touch with the maintainers, file an issue, or fork the code!
Code of conduct
This project not have an official code of conduct, yet, but one is forthcoming. Please contribute to discussion here.
More documentation
See the docs directory of this repository for random stuff that didn’t fit here.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file isign-1.3.5.tar.gz
.
File metadata
- Download URL: isign-1.3.5.tar.gz
- Upload date:
- Size: 5.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2b2176e12bc7ce75381496111a688adfe93baea5d179bc15f2548ed82b136b80 |
|
MD5 | c487ebb030f68a855e12b767ad0fd699 |
|
BLAKE2b-256 | c52ce696b1300bfcdd5e215d3117aa3f0a296d5908e2aa7e727323d22213c4b7 |