Re-signing an App Store-exported IPA with a development certificate fails
Question
Is it possible to re-sign an IPA exported for the App Store with a development certificate and profile?
I can do the actual re-signing, and when checked manually everything looks fine; however, every application I try fails on startup. I am not trying to re-sign an application downloaded from the App Store; these are applications built on my computer.
None of the popular tools seem to do it right. Has anyone ever done this, or is it not possible for some reason?
Findings
In the device log, I don't see anything from the application process itself, so the OS must have killed it before it started. I see this:
securityd[101] <Notice>: cert[0]: CheckLeafMarkerOid =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: SubjectCommonName =(leaf)[]> 0
securityd[101] <Notice>: cert[0]: IssuerCommonName =(path)[]> 0
amfid(Security)[196] <Notice>: [leaf CheckLeafMarkerOid IssuerCommonName SubjectCommonName]
amfid(libmis.dylib)[196] <Info>: Blacklist does not exist.
amfid(libmis.dylib)[196] <Info>: Using empty blacklist.
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: open stream failed (may be non-existing)
amfid(libmis.dylib)[196] <Info>: CreateMISAuthListWithStream: creating empty auth list
assertiond[66] <Notice>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (5)
SpringBoard(FrontBoard)[57] <Error>: Unable to register for exec notifications: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to get proc info for 1683: No such process
SpringBoard(BaseBoard)[57] <Error>: Unable to obtain a task name port right for pid 1683: (os/kern) failure (0x5)
SpringBoard(BaseBoard)[57] <Error>: Unable to get short BSD proc info for 1683: No such process
SpringBoard(FrontBoard)[57] <Error>: Unable to obtain a process handle for <FBApplicationProcess: 0x10bc26cd0; com.company.product.name; pid: 1683>
This seemed to indicate an entitlements issue. However, when I print them manually ( /usr/libexec/PlistBuddy -x -c "print :Entitlements " /dev/stdin <<< $(security cms -D -i "$1"/embedded.mobileprovision) > entitlements.plist ) from the installed IPA, I get:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>TEAMID.*</string>
<key>com.apple.developer.default-data-protection</key>
<string>NSFileProtectionComplete</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TEAMID.*</string>
</array>
</dict>
</plist>
This clearly shows that get-task-allow is set to true.
Tools
Whichever tool I try, I get the same result, e.g.:
- https://dantheman827.github.io/ios-app-signer/
- https://github.com/nowsecure/node-applesign
- https://github.com/fastlane/fastlane/blob/master/sigh/lib/assets/resign.sh
Similar questions
- Can we re-sign an App Store build with our development certificates? The simple "no" answer seems to be wrong, as I can perform the actual re-sign operation without warnings or errors.
- Re-sign iOS App from Distro ID to Developer ID: shows how to check and/or adapt the final entitlements in the re-signed IPA.
- iOS re-sign IPA from App Store with developer profile: the question is a little older, but one commenter ends up reporting the same observable behavior: "but it can't work properly, it's flashback. I still don't know about that."
Update 1
(in response to @Yoshkebab)
The otool output suggests the binary is not encrypted:
otool -l App/Payload/App.app/App | grep -A 4 -i encrypt
cmd LC_ENCRYPTION_INFO
cmdsize 20
cryptoff 0
cryptsize 0
cryptid 0
--
cmd LC_ENCRYPTION_INFO_64
cmdsize 24
cryptoff 0
cryptsize 0
cryptid 0
However, Hopper, for example, cannot parse it ... Are there any references showing that Apple applies encryption in Xcode? Does this mean they have a key on user systems? Also, I don't see any build steps that would indicate this (codesign just adds a signature, no?)
Clutch does not see my application, and the Stefan Esser scripting library does not work, I suspect because the application terminates immediately (my setup is fine because it works for other applications).
Apps signed by the App Store are not only signed with a developer certificate, but the binaries are also encrypted with Apple's private key. So you can re-sign the application, but if you don't decrypt the binary, you won't be able to run it. Check the binary's LC_ENCRYPTION_INFO load command (easiest with MachOView); if you see the flag Crypt ID != 0, the binary is encrypted.
Assuming it is, you can still do it; it's a bit tedious and you need a jailbroken device with the app installed.
- Connect to the device using SSH. The easiest way to do this is with gandalf.
- Get Clutch and install it on your device. Follow their instructions (I found the easiest way to compile it is to change the bundle ID).
- Dump the decrypted application to a new IPA (Clutch -d "YOUR_PACKAGE_ID")
You now have a decrypted IPA that you can re-sign.
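The cryptid check described in the answer, as an added example that is not part of the original post: a small Python parser that walks the Mach-O load commands of each architecture slice and reports the cryptid of LC_ENCRYPTION_INFO and LC_ENCRYPTION_INFO_64, covering the fat (armv7 + arm64) layout seen in the otool output above. The function names and the make_thin/make_fat sample builders are constructed for illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                       # fat (multi-arch) header, big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_cryptids(data, base=0):
    """Return cryptid per encryption command (cmd, cmdsize, cryptoff, cryptsize, cryptid)."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"no little-endian Mach-O header at offset {base}")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off = base + (32 if magic == MH_MAGIC_64 else 28)   # sizeof mach_header(_64)
    end = off + sizeofcmds
    ids = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command table")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            ids.append(struct.unpack_from("<I", data, off + 16)[0])
        off += cmdsize
    return ids

def cryptids(data):
    """Map slice offset -> cryptid list; fat_arch is 5 big-endian uint32s."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return {0: slice_cryptids(data)}
    (nfat,) = struct.unpack_from(">I", data, 4)
    offsets = [struct.unpack_from(">I", data, 8 + 20 * i + 8)[0] for i in range(nfat)]
    return {o: slice_cryptids(data, o) for o in offsets}

def is_encrypted(data):
    return any(c != 0 for ids in cryptids(data).values() for c in ids)

def make_thin(is64, cryptid):
    """Constructed sample: Mach-O header plus one encryption load command."""
    pad = b"\0" * 4 if is64 else b""
    lc = struct.pack("<5I", LC_ENCRYPTION_INFO_64 if is64 else LC_ENCRYPTION_INFO,
                     24 if is64 else 20, 16384, 4096, cryptid) + pad
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    return struct.pack("<7I", magic, 0, 0, 2, 1, len(lc), 0) + pad + lc

def make_fat(slices):
    """Constructed sample: fat header followed by the slices back to back."""
    out, off = struct.pack(">II", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for s in slices:
        out += struct.pack(">5I", 0, 0, off, len(s), 0)
        off += len(s)
    return out + b"".join(slices)
```

For a real build, pass the bytes of Payload/App.app/App to cryptids(); an empty list for a slice means it carries no encryption load command at all.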