app_signer 0.0.1

data/README.md

@@ -0,0 +1,52 @@
+# app_signer
+
+app_signer is a tool to re-sign iOS .app files to create a new .ipa with a given
+provisioning profile and certificate.
+
+## Usage
+
+### Explanation of Parameters
+
+* `app_path` - Path to the iOS .app file to be signed.
+* `provisioning_profile_path` - Path to the provisioning profile to be used to
+sign the ipa.
+* `signing_identity` - Common name in the certificate to be used to sign the
+ipa. This can be found by opening the keychain, right clicking the certificate,
+and clicking 'get info'.
+* `signing_identity_SHA1` - SHA1 of the certificate to be used to sign the app.
+This can be found by opening the keychain, right clicking the certificate,
+and clicking 'get info'. This is needed because it's possible to have two
+certificates with the same common name.
+* `generated_ipa_name` - Name to use for the generated ipa file
+* `bundle_id` - Used to changed the bundle id during re-signing. *(optional)*
+
+### In a Ruby Script
+
+```ruby
+require 'app_signer'
+
+# Create signer
+signer = AppSigner::Signer.new
+
+# Set needed params
+signer.app_path = # path to .app
+signer.provisioning_profile_path = # path to provisioning profile
+signer.signing_identity = # signing identity common name
+signer.signing_identity_SHA1 = # signing identity SHA1
+signer.generated_ipa_name = # name for generated ipa
+signer.bundle_id = # optional new bundle id to use in info plist
+
+# Create new ipa
+signer.sign
+```
+
+### From the Command Line
+
+```bash
+app_signer --app-path PATH_TO_APP\
+ --profile-path PATH_TO_PROVISIONING_PROFILE\
+ --signing-identity SIGNING_IDENTITY\
+ --signing-identity-SHA1 SIGNING_IDENTITY_SHA1\
+ --ipa-name IPA_NAME\
+ --bundle-id OPTIONAL_NEW_BUNDLE_ID
+ ```

data/bin/app_signer

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+
+require 'app_signer'
+require 'fileutils'
+require 'pathname'
+require 'trollop'
+
+opts = Trollop::options do
+  opt :app_path, "Path to .app file", :type => :string, :required => true
+  opt :profile_path, "Path to provisioning profile", :type => :string, :required => true
+  opt :signing_identity, "Signing Identity", :type => :string, :required => true
+  opt :signing_identity_SHA1, "SHA1 of Signing Identity", :type => :string, :required => true
+  opt :ipa_name, "Name of signed IPA", :type => :string, :required => true
+  opt :bundle_id, "bundle id to be used in signed IPA", :type => :string
+end
+
+signer = AppSigner::Signer.new
+signer.app_path = opts[:app_path]
+signer.provisioning_profile_path = opts[:profile_path]
+signer.signing_identity = opts[:signing_identity]
+signer.signing_identity_SHA1 = opts[:signing_identity_SHA1]
+signer.generated_ipa_name = opts[:ipa_name]
+signer.bundle_id = opts[:bundle_id]
+
+signer.sign

data/lib/app_signer.rb

@@ -0,0 +1,189 @@
+require 'plist'
+require 'openssl'
+
+# AppSigner is an easy way to re-sign iOS apps. This module contains only one
+# class {AppSigner::Signer} which contains all functionality.
+module AppSigner
+
+  # Used to re-sign iOS .app files. Generates a .ipa based upon the set
+  # attributes when calling {AppSigner::Signer#sign}
+  class Signer
+
+    # @!attribute app_path
+    #   @return [String] path to the .app file to be re-signed
+    attr_accessor :app_path
+
+    # @!attribute provisioning_profile_path
+    #   @return [String] path to provisioning profile to be used during signing
+    attr_accessor :provisioning_profile_path
+
+    # @!attribute signing_identity
+    #   @return [String] signing identity of the certificate to be used to sign
+    attr_accessor :signing_identity
+
+    # @!attribute bundle_id
+    #   @return [String] bundle id to set in the re-signed ipa's info plist
+    attr_accessor :bundle_id
+
+    # @!attribute signing_identity_SHA1
+    #   @return [String] SHA1 of certificate to be used during signing
+    attr_reader :signing_identity_SHA1
+
+    # @!attribute signing_identity_SHA1
+    #   @return [String] name tp be used for the generated .ipa
+    attr_accessor :generated_ipa_name
+
+    # Sets signing_identity_SHA1 by removing spaces in the giving hash
+    def signing_identity_SHA1=(value)
+      @signing_identity_SHA1 = value.gsub(" ", "")
+    end
+
+    # Extracts XML from provisioning profile to be used to for obtaining proper
+    # entitlements
+    #
+    # @param signed_data [String] contents of provisioing profile
+    # @return [String]
+    def unwrap_signed_data(signed_data)
+      pkcs7 = OpenSSL::PKCS7.new(signed_data)
+      store = OpenSSL::X509::Store.new
+      flags = OpenSSL::PKCS7::NOVERIFY
+      pkcs7.verify([], store, nil, flags) # VERIFY IT SO WE CAN PULL OUT THE DATA
+      return pkcs7.data
+    end
+
+    # Checks to see if a givin certificate exists in the keychain by looking it
+    # up by the name and SHA1
+    #
+    # @param common_name [String] common name used in the certificate
+    # @param sha1 [String] SHA1 of the certificate
+    # @return [Boolean]
+    def cert_valid?(common_name, sha1)
+      certs = `security find-certificate -c "#{common_name}" -Z -p -a`
+      end_certificate = "-----END CERTIFICATE-----"
+      state = :searching
+      cert = ""
+
+      certs.lines.each do |line|
+        case state
+          when :searching
+
+            if line.include? sha1
+              state = :found_hash
+            end
+
+          when :found_hash
+            cert << line
+          if line.include? end_certificate
+            state = :did_end
+          end
+          when :did_end
+        end
+      end
+
+      if cert.empty?
+        throw 'Failed to find Signing Certificate'
+      end
+
+      File.open("pem", 'w') {|f| f.write(cert) }
+      system("security verify-cert -c \"pem\"")
+      File.unlink("pem")
+      return $?.success?
+    end
+
+    # Returns a PList by parsing the provisioning profile at the given path
+    #
+    # @param path [String] path to plist to parse
+    # @return [PList]
+    def parse_provisioning_proflie(path)
+      # Read provisioning profile into signedData
+      signed_data=File.read(path)
+      # Parse profile
+      r = Plist::parse_xml(unwrap_signed_data(signed_data))
+      return r
+    end
+
+    # Raises an exception if attributes needed for signing aren't set
+    def validate_attributes
+      if self.app_path.nil?
+        raise 'app_path required to sign'
+      end
+
+      if self.provisioning_profile_path.nil?
+        raise 'provisioning_profile_path required to sign'
+      end
+
+      if self.signing_identity.nil?
+        raise 'signing_identity required to sign'
+      end
+
+      if self.signing_identity_SHA1.nil?
+        raise 'signing_identity_SHA1 required to sign'
+      end
+
+      if self.generated_ipa_name.nil?
+        raise 'generated_ipa_name required to sign'
+      end
+    end
+
+    # Creates an ipa by using the signing information given in the set
+    # attributes
+    def sign
+
+      validate_attributes
+
+      # Parse profile
+      r = parse_provisioning_proflie(self.provisioning_profile_path)
+
+      # Grab entitlements
+      entitlements=r['Entitlements']
+
+      if self.bundle_id
+        # Update info plist to have bundle id specified in the config
+        info_plist_path="#{app_path}/Info.plist"
+        system("plutil -convert xml1 \"#{info_plist_path}\"")
+        file_data=File.read(info_plist_path)
+        info_plist=Plist::parse_xml(file_data)
+        info_plist['CFBundleIdentifier']=self.bundle_id
+
+        # Save updated info plist and entitlements plist
+        info_plist.save_plist info_plist_path
+      end
+
+      entitlements.save_plist("#{app_path}/Entitlements.plist")
+
+      # Remove old embedded provisioning profile
+      File.unlink("#{app_path}/embedded.mobileprovision") if File.exists? "#{app_path}/embedded.mobileprovision"
+
+      # Embed new profile
+      FileUtils.cp_r(self.provisioning_profile_path,"#{app_path}/embedded.mobileprovision")
+
+      puts 'Verifying Signing Certificate'
+      unless cert_valid?(self.signing_identity, self.signing_identity_SHA1)
+        throw 'Failed to verify Signing Certificate'
+      end
+      puts 'Certificate Valid'
+
+      # Re-sign application using correct profile and entitlements
+      $stderr.puts "running /usr/bin/codesign -f -s \"#{self.signing_identity}\" --resource-rules=\"#{app_path}/ResourceRules.plist\" \"#{app_path}\""
+      result=system("/usr/bin/codesign -f -s \"#{self.signing_identity_SHA1}\" --resource-rules=\"#{app_path}/ResourceRules.plist\" --entitlements=\"#{app_path}/Entitlements.plist\" \"#{app_path}\"")
+
+      $stderr.puts "codesigning returned #{result}"
+      throw 'Codesigning failed' if !result
+
+      # Create temporary folder to zip up the application
+      app_folder=Pathname.new(app_path).dirname.to_s
+      temp_folder="#{app_folder}/temp_#{generated_ipa_name}"
+      Dir.mkdir(temp_folder)
+      Dir.mkdir("#{temp_folder}/Payload")
+      FileUtils.cp_r(app_path,"#{temp_folder}/Payload")
+
+      # Zip it up into the correct directory
+      system("pushd \"#{temp_folder}\" && /usr/bin/zip -r \"../#{generated_ipa_name}.ipa\" Payload")
+
+      # Remove temporary folder
+      FileUtils.rm_rf(temp_folder)
+    end
+
+  end
+
+end

metadata

@@ -0,0 +1,85 @@
+--- !ruby/object:Gem::Specification
+name: app_signer
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Andrew Carter
+- WillowTree Apps
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-05-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: plist
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: Sign an iOS .app package with a given provisioning profile.
+email:
+- andrew.carter@willowtreeapps.com
+- andrew.carter@gmail.com
+executables:
+- app_signer
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/app_signer.rb
+- README.md
+- bin/app_signer
+homepage: https://github.com/willowtreeapps/app_signer
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Easily sign an iOS .app package.
+test_files: []
+has_rdoc: yard