resignios 0.1.1

data/lib/assets/resign.sh

@@ -0,0 +1,943 @@
+#!/bin/bash
+# shellcheck disable=SC2155
+
+# Copyright (c) 2011 Float Mobile Learning
+# http://www.floatlearning.com/
+# Extension Copyright (c) 2013 Weptun Gmbh
+# http://www.weptun.de
+#
+# Extended by Ronan O Ciosoig January 2012
+#
+# Extended by Patrick Blitz, April 2013
+#
+# Extended by John Turnipseed and Matthew Nespor, November 2014
+# http://nanonation.net/
+#
+# Extended by Nicolas Bachschmidt, October 2015
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Please let us know about any improvements you make to this script!
+# ./floatsign source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"]  [-e entitlements] [-k keychain] [-b "BundleIdentifier"] outputIpa
+#
+#
+# Modifed 26th January 2012
+#
+# new features January 2012:
+# 1. change the app display name
+#
+# new features April 2013
+# 1. specify the target bundleId on the command line
+# 2. correctly handles entitlements for keychain-enabled resigning
+#
+# new features November 2014
+# 1. now re-signs embedded iOS frameworks, if present, prior to re-signing the application itself
+# 2. extracts the team-identifier from provisioning profile and uses it to update previous entitlements
+# 3. fixed bug in packaging if -e flag is used
+# 4. renamed 'temp' directory and made it a variable so it can be easily modified
+# 5. various code formatting and logging adjustments
+#
+# new features October 2015
+# 1. now re-signs nested applications and app extensions, if present, prior to re-signing the application itself
+# 2. enables the -p option to be used more than once
+# 3. ensures the provisioning profile's bundle-identifier matches the app's bundle identifier
+# 4. extracts the entitlements from the provisioning profile
+# 5. copy the entitlements as archived-expanded-entitlements.xcent inside the app bundle (because Xcode does too)
+#
+# new features November 2018
+# 1. only create the archived-expanded-entitlements.xcent file if the version of Xcode < 9.3 as Xcode 10 does not create it.
+#
+# new features January 2019
+# 1. fixed bug where the com.apple.icloud-container-environment entitlement was being assigned an incorrect value
+#
+# new features March 2019
+# 1. two more fixes for only creating the archived-expanded-entitlements.xcent file if the version of Xcode < 9.3 as Xcode 10 does not create it.
+#
+# new features June 2020
+# 1. enable (re)signing of OnDemandResources when ipa has been built for the appstore
+#
+# new features August 2020
+# 1. fixes usage for users with GNU-sed in their $PATH
+#
+# new features May 2021
+# 1. fix entitlements merging when changing team
+#
+# new features June 2021
+# 1. fix the way app entitlements are extracted
+#
+# new features October 2021
+# 1. change codesign signatue to use --generate-entitlement-der to include DER encoded entitlements
+
+# Logging functions
+
+log() {
+    # Make sure it returns 0 code even when verose mode is off (test 1)
+    # To use like [[ condition ]] && log "x" && something
+    if [[ -n "$VERBOSE" ]]; then echo -e "$@"; else test 1; fi
+}
+
+error() {
+    echo "$@" >&2
+    exit 1
+}
+
+warning() {
+    echo "$@" >&2
+}
+
+function checkStatus {
+
+    # shellcheck disable=SC2181
+    if [ $? -ne 0 ]; then
+        error "Encountered an error, aborting!"
+    fi
+}
+
+usage() {
+    echo -e "Usage: $(basename "$0") source identity -p|--provisioning provisioning" >&2
+    echo -e "\t\t[-e|--entitlements entitlements]" >&2
+    echo -e "\t\t[-k|--keychain keychain]" >&2
+    echo -e "\t\t[-d|--display-name displayName]" >&2
+    echo -e "\t\t[-n|--version-number version]" >&2
+    echo -e "\t\t[--short-version shortVersion]" >&2
+    echo -e "\t\t[--bundle-version bundleVersion]" >&2
+    echo -e "\t\t[-b|--bundle-id bundleId]" >&2
+    echo -e "\t\t[--use-app-entitlements]" >&2
+    echo -e "\t\toutputIpa" >&2
+    echo "Usage: $(basename "$0") -h|--help" >&2
+    echo "Options:" >&2
+    echo -e "\t-p, --provisioning provisioning\t\tProvisioning profile option, may be provided multiple times." >&2
+    echo -e "\t\t\t\t\t\tYou can specify provisioning profile file name." >&2
+    echo -e "\t\t\t\t\t\t\t-p xxx.mobileprovision" >&2
+    echo "" >&2
+    echo -e "\t\t\t\t\t\tAlternatively you may provide multiple provisioning profiles if the application contains" >&2
+    echo -e "\t\t\t\t\t\tnested applications or app extensions, which need their own provisioning" >&2
+    echo -e "\t\t\t\t\t\tprofile. You can do so by providing -p option multiple times specifying" >&2
+    echo -e "\t\t\t\t\t\told bundle identifier and new provisioning profile for that bundle id joined with '='." >&2
+    echo -e "\t\t\t\t\t\t\t-p com.main-app=main-app.mobileprovision" >&2
+    echo -e "\t\t\t\t\t\t\t-p com.nested-app=nested-app.mobileprovision" >&2
+    echo -e "\t\t\t\t\t\t\t-p com.nested-extension=nested-extension.mobileprovision" >&2
+    echo "" >&2
+    echo -e "\t-e, --entitlements entitlements\t\tSpecify entitlements file path for code signing." >&2
+    echo -e "\t-k, --keychain keychain\t\t\tSpecify keychain for code signing." >&2
+    echo -e "\t-d, --display-name displayName\t\tSpecify new display name." >&2
+    echo -e "\t\t\t\t\t\t\tWarning: will apply for all nested apps and extensions." >&2
+    echo -e "\t-n, --version-number version\t\tSpecify new version number." >&2
+    echo -e "\t\t\t\t\t\t\tWill set CFBundleShortVersionString and CFBundleVersion values in Info.plist." >&2
+    echo -e "\t\t\t\t\t\t\tWill apply for all nested apps and extensions." >&2
+    echo -e "\t    --short-version shortVersion\tSpecify new short version string (CFBundleShortVersionString)." >&2
+    echo -e "\t\t\t\t\t\t\tWill apply for all nested apps and extensions." >&2
+    echo -e "\t\t\t\t\t\t\tCan't use together with '-n, --version-number' option." >&2
+    echo -e "\t    --bundle-version bundleVersion\tSpecify new bundle version (CFBundleVersion) number." >&2
+    echo -e "\t\t\t\t\t\t\tWill apply for all nested apps and extensions." >&2
+    echo -e "\t\t\t\t\t\t\tCan't use together with '-n, --version-number' option." >&2
+    echo -e "\t-b, --bundle-id bundleId\t\tSpecify new bundle identifier (CFBundleIdentifier)." >&2
+    echo -e "\t\t\t\t\t\t\tWarning: will NOT apply for nested apps and extensions." >&2
+    echo -e "\t    --use-app-entitlements\t\tExtract app bundle codesigning entitlements and combine with entitlements from new provisionin profile." >&2
+    echo -e "\t\t\t\t\t\t\tCan't use together with '-e, --entitlements' option." >&2
+    echo -e "\t    --remove-plugins\t\t\tRemove all plugins." >&2
+    echo -e "\t--keychain-path path\t\t\tSpecify the path to a keychain that /usr/bin/codesign should use." >&2
+    echo -e "\t-v, --verbose\t\t\t\tVerbose output." >&2
+    echo -e "\t-h, --help\t\t\t\tDisplay help message." >&2
+    exit 2
+}
+
+if [ $# -lt 3 ]; then
+    usage
+fi
+
+ORIGINAL_FILE="$1"
+CERTIFICATE="$2"
+ENTITLEMENTS=
+BUNDLE_IDENTIFIER=""
+DISPLAY_NAME=""
+KEYCHAIN=""
+VERSION_NUMBER=""
+SHORT_VERSION=
+BUNDLE_VERSION=
+KEYCHAIN_PATH=
+RAW_PROVISIONS=()
+PROVISIONS_BY_ID=()
+DEFAULT_PROVISION=""
+TEMP_DIR="_floatsignTemp"
+USE_APP_ENTITLEMENTS=""
+REMOVE_PLUGINS=""
+XCODE_VERSION="$(xcodebuild -version | grep "Xcode" | /usr/bin/cut -f 2 -d ' ')"
+
+# List of plist keys used for reference to and from nested apps and extensions
+NESTED_APP_REFERENCE_KEYS=(":WKCompanionAppBundleIdentifier" ":NSExtension:NSExtensionAttributes:WKAppBundleIdentifier")
+
+# options start index
+shift 2
+
+# Parse args
+while [ "$1" != "" ]; do
+    case $1 in
+        -p | --provisioning )
+            shift
+            RAW_PROVISIONS+=("$1")
+            ;;
+        -e | --entitlements )
+            shift
+            ENTITLEMENTS="$1"
+            ;;
+        -d | --display-name )
+            shift
+            DISPLAY_NAME="$1"
+            ;;
+        -b | --bundle-id )
+            shift
+            BUNDLE_IDENTIFIER="$1"
+            ;;
+        -k | --keychain )
+            shift
+            KEYCHAIN="$1"
+            ;;
+        -n | --version-number )
+            shift
+            VERSION_NUMBER="$1"
+            ;;
+        --short-version )
+            shift
+            SHORT_VERSION="$1"
+            ;;
+        --bundle-version )
+            shift
+            BUNDLE_VERSION="$1"
+            ;;
+        --use-app-entitlements )
+            USE_APP_ENTITLEMENTS="YES"
+            ;;
+        --remove-plugins )
+            REMOVE_PLUGINS="YES"
+            ;;
+        --keychain-path )
+            shift
+            KEYCHAIN_PATH="$1"
+            ;;
+        -v | --verbose )
+            VERBOSE="--verbose"
+            ;;
+        -h | --help )
+            usage
+            ;;
+        * )
+            [[ -n "$NEW_FILE" ]] && error "Multiple output file names specified!"
+            [[ -z "$NEW_FILE" ]] && NEW_FILE="$1"
+            ;;
+    esac
+
+    # Next arg
+    shift
+done
+
+KEYCHAIN_FLAG=
+if [ -n "$KEYCHAIN_PATH" ]; then
+    KEYCHAIN_FLAG="--keychain $KEYCHAIN_PATH"
+fi
+
+# Log the options
+for provision in "${RAW_PROVISIONS[@]}"; do
+    if [[ "$provision" =~ .+=.+ ]]; then
+        log "Specified provisioning profile: '${provision#*=}' for bundle identifier: '${provision%%=*}'"
+    else
+        log "Specified provisioning profile: '$provision'"
+    fi
+done
+
+log "Original file: '$ORIGINAL_FILE'"
+log "Certificate: '$CERTIFICATE'"
+[[ -n "${DISPLAY_NAME}" ]] && log "Specified display name: '$DISPLAY_NAME'"
+[[ -n "${ENTITLEMENTS}" ]] && log "Specified signing entitlements: '$ENTITLEMENTS'"
+[[ -n "${BUNDLE_IDENTIFIER}" ]] && log "Specified bundle identifier: '$BUNDLE_IDENTIFIER'"
+[[ -n "${KEYCHAIN}" ]] && log "Specified keychain to use: '$KEYCHAIN'"
+[[ -n "${VERSION_NUMBER}" ]] && log "Specified version number to use: '$VERSION_NUMBER'"
+[[ -n "${SHORT_VERSION}" ]] && log "Specified short version to use: '$SHORT_VERSION'"
+[[ -n "${BUNDLE_VERSION}" ]] && log "Specified bundle version to use: '$BUNDLE_VERSION'"
+[[ -n "${KEYCHAIN_FLAG}" ]] && log "Specified keychain to use: '$KEYCHAIN_PATH'"
+[[ -n "${NEW_FILE}" ]] && log "Output file name: '$NEW_FILE'"
+[[ -n "${USE_APP_ENTITLEMENTS}" ]] && log "Extract app entitlements: YES"
+[[ -n "${REMOVE_PLUGINS}" ]] && log "Remove all plugins: YES"
+
+# Check that version number option is not clashing with short or bundle version options
+[[ -n "$VERSION_NUMBER" && (-n "$SHORT_VERSION" || -n "$BUNDLE_VERSION") ]] && error "versionNumber option cannot be used in combination with shortVersion or bundleVersion options"
+
+# Check that --use-app-entitlements and -e, --entitlements are not used at the same time
+[[ -n "${USE_APP_ENTITLEMENTS}" && -n ${ENTITLEMENTS} ]] && error "--use-app-entitlements option cannot be used in combination with -e, --entitlements option."
+
+# Check output file name
+if [ -z "$NEW_FILE" ]; then
+    error "Output file name required"
+fi
+
+if [[ "${#RAW_PROVISIONS[*]}" == "0" ]]; then
+    error "-p 'xxxx.mobileprovision' argument is required"
+fi
+
+# Check for and remove the temporary directory if it already exists
+if [ -d "$TEMP_DIR" ]; then
+    log "Removing previous temporary directory: '$TEMP_DIR'"
+    rm -Rf "$TEMP_DIR"
+fi
+
+filename=$(basename "$ORIGINAL_FILE")
+extension="${filename##*.}"
+filename="${filename%.*}"
+
+# Check if the supplied file is an ipa or an app file
+if [ "${extension}" = "ipa" ]; then
+    # Unzip the old ipa quietly
+    unzip -q "$ORIGINAL_FILE" -d $TEMP_DIR
+    checkStatus
+elif [ "${extension}" = "app" ]; then
+    # Copy the app file into an ipa-like structure
+    mkdir -p "$TEMP_DIR/Payload"
+    cp -Rf "${ORIGINAL_FILE}" "$TEMP_DIR/Payload/${filename}.app"
+    checkStatus
+else
+    error "Error: Only can resign .app files and .ipa files."
+fi
+
+# check the keychain
+if [ "${KEYCHAIN}" != "" ]; then
+    security list-keychains -s "$KEYCHAIN"
+    security unlock "$KEYCHAIN"
+    security default-keychain -s "$KEYCHAIN"
+fi
+
+# Set the app name
+# In Payload directory may be another file except .app file, such as StoreKit folder.
+# Search the first .app file within the Payload directory
+# shellcheck disable=SC2010
+APP_NAME=$(ls "$TEMP_DIR/Payload/" | grep ".app$" | head -1)
+
+# Make sure that PATH includes the location of the PlistBuddy helper tool as its location is not standard
+export PATH=$PATH:/usr/libexec
+
+# Test whether two bundle identifiers match
+# The first one may contain the wildcard character '*', in which case pattern matching will be used unless the third parameter is "STRICT"
+function does_bundle_id_match {
+
+    # shellcheck disable=SC2049
+    if [[ "$1" == "$2" ]]; then
+        return 0
+    elif [[ "$3" != STRICT && "$1" =~ \* ]]; then
+        local PATTERN0="${1//\./\\.}"       # com.example.*     -> com\.example\.*
+        local PATTERN1="${PATTERN0//\*/.*}" # com\.example\.*   -> com\.example\..*
+        if [[ "$2" =~ ^$PATTERN1$ ]]; then
+            return 0
+        fi
+    fi
+
+    return 1
+}
+
+# Find the provisioning profile for a given bundle identifier
+function provision_for_bundle_id {
+
+    for ARG in "${PROVISIONS_BY_ID[@]}"; do
+        if does_bundle_id_match "${ARG%%=*}" "$1" "$2"; then
+            echo "${ARG#*=}"
+            break
+        fi
+    done
+}
+
+# Find the bundle identifier contained inside a provisioning profile
+function bundle_id_for_provision {
+
+    local FULL_BUNDLE_ID=$(PlistBuddy -c 'Print :Entitlements:application-identifier' /dev/stdin <<< "$(security cms -D -i "$1")")
+    checkStatus
+    echo "${FULL_BUNDLE_ID#*.}"
+}
+
+# Add given provisioning profile and bundle identifier to the search list
+function add_provision_for_bundle_id {
+
+    local PROVISION="$1"
+    local BUNDLE_ID="$2"
+
+    local CURRENT_PROVISION=$(provision_for_bundle_id "$BUNDLE_ID" STRICT)
+
+    if [[ "$CURRENT_PROVISION" != "" && "$CURRENT_PROVISION" != "$PROVISION" ]]; then
+        error "Conflicting provisioning profiles '$PROVISION' and '$CURRENT_PROVISION' for bundle identifier '$BUNDLE_ID'."
+    fi
+
+    PROVISIONS_BY_ID+=("$BUNDLE_ID=$PROVISION")
+}
+
+# Add given provisioning profile to the search list
+function add_provision {
+
+    local PROVISION="$1"
+
+    if [[ "$1" =~ .+=.+ ]]; then
+        PROVISION="${1#*=}"
+        add_provision_for_bundle_id "$PROVISION" "${1%%=*}"
+    elif [[ "$DEFAULT_PROVISION" == "" ]]; then
+        DEFAULT_PROVISION="$PROVISION"
+    fi
+
+    if [[ ! -e "$PROVISION" ]]; then
+        error "Provisioning profile '$PROVISION' file does not exist"
+    fi
+
+    local BUNDLE_ID=$(bundle_id_for_provision "$PROVISION")
+    add_provision_for_bundle_id "$PROVISION" "$BUNDLE_ID"
+}
+
+# Load bundle identifiers from provisioning profiles
+for ARG in "${RAW_PROVISIONS[@]}"; do
+    add_provision "$ARG"
+done
+
+# Resign the given application
+function resign {
+
+    local APP_PATH="$1"
+    local NESTED="$2"
+    local BUNDLE_IDENTIFIER="$BUNDLE_IDENTIFIER"
+    local NEW_PROVISION="$NEW_PROVISION"
+    local APP_IDENTIFIER_PREFIX=""
+    local TEAM_IDENTIFIER=""
+
+    if [[ "$NESTED" == NESTED ]]; then
+        # Ignore bundle identifier for nested applications
+        BUNDLE_IDENTIFIER=""
+    fi
+
+    # Make sure that the Info.plist file is where we expect it
+    if [ ! -e "$APP_PATH/Info.plist" ]; then
+        error "Expected file does not exist: '$APP_PATH/Info.plist'"
+    fi
+
+    # Make a copy of old Info.plist, it will come handy later to extract some old values
+    cp -f "$APP_PATH/Info.plist" "$TEMP_DIR/oldInfo.plist"
+
+    # Read in current values from the app
+    local CURRENT_NAME=$(PlistBuddy -c "Print :CFBundleDisplayName" "$APP_PATH/Info.plist")
+    local CURRENT_BUNDLE_IDENTIFIER=$(PlistBuddy -c "Print :CFBundleIdentifier" "$APP_PATH/Info.plist")
+    local NEW_PROVISION=$(provision_for_bundle_id "${BUNDLE_IDENTIFIER:-$CURRENT_BUNDLE_IDENTIFIER}")
+
+    if [[ "$NEW_PROVISION" == "" && "$NESTED" != NESTED ]]; then
+        NEW_PROVISION="$DEFAULT_PROVISION"
+    fi
+
+    if [[ "$NEW_PROVISION" == "" ]]; then
+        if [[ "$NESTED" == NESTED ]]; then
+            warning "No provisioning profile for nested application: '$APP_PATH' with bundle identifier '${BUNDLE_IDENTIFIER:-$CURRENT_BUNDLE_IDENTIFIER}'"
+        else
+            warning "No provisioning profile for application: '$APP_PATH' with bundle identifier '${BUNDLE_IDENTIFIER:-$CURRENT_BUNDLE_IDENTIFIER}'"
+        fi
+        error "Use the -p option (example: -p com.example.app=xxxx.mobileprovision)"
+    fi
+
+    local PROVISION_BUNDLE_IDENTIFIER=$(bundle_id_for_provision "$NEW_PROVISION")
+
+    # Use provisioning profile's bundle identifier
+    if [ "$BUNDLE_IDENTIFIER" == "" ]; then
+        # shellcheck disable=SC2049
+        if [[ "$PROVISION_BUNDLE_IDENTIFIER" =~ \* ]]; then
+            log "Bundle Identifier contains a *, using the current bundle identifier"
+            BUNDLE_IDENTIFIER="$CURRENT_BUNDLE_IDENTIFIER"
+        else
+            BUNDLE_IDENTIFIER="$PROVISION_BUNDLE_IDENTIFIER"
+        fi
+    fi
+
+    if ! does_bundle_id_match "$PROVISION_BUNDLE_IDENTIFIER" "$BUNDLE_IDENTIFIER"; then
+        error "Bundle Identifier '$PROVISION_BUNDLE_IDENTIFIER' in provisioning profile '$NEW_PROVISION' does not match the Bundle Identifier '$BUNDLE_IDENTIFIER' for application '$APP_PATH'."
+    fi
+
+    log "Current bundle identifier is: '$CURRENT_BUNDLE_IDENTIFIER'"
+    log "New bundle identifier will be: '$BUNDLE_IDENTIFIER'"
+
+    # Update the CFBundleDisplayName property in the Info.plist if a new name has been provided
+    if [ "${DISPLAY_NAME}" != "" ]; then
+        if [ "${DISPLAY_NAME}" != "${CURRENT_NAME}" ]; then
+            log "Changing display name from '$CURRENT_NAME' to '$DISPLAY_NAME'"
+            PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "$APP_PATH/Info.plist"
+        fi
+    fi
+
+    # Replace the embedded mobile provisioning profile
+    log "Validating the new provisioning profile: $NEW_PROVISION"
+    security cms -D -i "$NEW_PROVISION" > "$TEMP_DIR/profile.plist"
+    checkStatus
+
+    APP_IDENTIFIER_PREFIX=$(PlistBuddy -c "Print :Entitlements:application-identifier" "$TEMP_DIR/profile.plist" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+    if [ "$APP_IDENTIFIER_PREFIX" == "" ];
+    then
+        APP_IDENTIFIER_PREFIX=$(PlistBuddy -c "Print :ApplicationIdentifierPrefix:0" "$TEMP_DIR/profile.plist")
+        if [ "$APP_IDENTIFIER_PREFIX" == "" ]; then
+            error "Failed to extract any app identifier prefix from '$NEW_PROVISION'"
+        else
+            warning "WARNING: extracted an app identifier prefix '$APP_IDENTIFIER_PREFIX' from '$NEW_PROVISION', but it was not found in the profile's entitlements"
+        fi
+    else
+        log "Profile app identifier prefix is '$APP_IDENTIFIER_PREFIX'"
+    fi
+
+    # Set new app identifier prefix if such entry exists in plist file
+    PlistBuddy -c "Set :AppIdentifierPrefix $APP_IDENTIFIER_PREFIX." "$APP_PATH/Info.plist" 2>/dev/null
+
+    TEAM_IDENTIFIER=$(PlistBuddy -c "Print :Entitlements:com.apple.developer.team-identifier" "$TEMP_DIR/profile.plist" | tr -d '\n')
+    if [ "$TEAM_IDENTIFIER" == "" ]; then
+        TEAM_IDENTIFIER=$(PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/profile.plist")
+        if [ "$TEAM_IDENTIFIER" == "" ]; then
+            warning "Failed to extract team identifier from '$NEW_PROVISION', resigned ipa may fail on iOS 8 and higher"
+        else
+            warning "WARNING: extracted a team identifier '$TEAM_IDENTIFIER' from '$NEW_PROVISION', but it was not found in the profile's entitlements, resigned ipa may fail on iOS 8 and higher"
+        fi
+    else
+        log "Profile team identifier is '$TEAM_IDENTIFIER'"
+    fi
+
+    # Make a copy of old embedded provisioning profile for further use
+    cp -f "$APP_PATH/embedded.mobileprovision" "$TEMP_DIR/old-embedded.mobileprovision"
+
+    # Replace embedded provisioning profile with new file
+    cp -f "$NEW_PROVISION" "$APP_PATH/embedded.mobileprovision"
+
+    #if the current bundle identifier is different from the new one in the provisioning profile, then change it.
+    if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ]; then
+        log "Updating the bundle identifier from '$CURRENT_BUNDLE_IDENTIFIER' to '$BUNDLE_IDENTIFIER'"
+        PlistBuddy -c "Set :CFBundleIdentifier $BUNDLE_IDENTIFIER" "$APP_PATH/Info.plist"
+        checkStatus
+    fi
+
+    # Update the version number properties in the Info.plist if a version number has been provided
+    if [ "$VERSION_NUMBER" != "" ]; then
+        CURRENT_VERSION_NUMBER=$(PlistBuddy -c "Print :CFBundleVersion" "$APP_PATH/Info.plist")
+        if [ "$VERSION_NUMBER" != "$CURRENT_VERSION_NUMBER" ]; then
+            log "Updating the version from '$CURRENT_VERSION_NUMBER' to '$VERSION_NUMBER'"
+            PlistBuddy -c "Set :CFBundleVersion $VERSION_NUMBER" "$APP_PATH/Info.plist"
+            PlistBuddy -c "Set :CFBundleShortVersionString $VERSION_NUMBER" "$APP_PATH/Info.plist"
+        fi
+    fi
+
+    # Update short version string in the Info.plist if provided
+    if [[ -n "$SHORT_VERSION" ]]; then
+        CURRENT_VALUE="$(PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PATH/Info.plist")"
+        # Even if the old value is same - just update, less code, less debugging
+        log "Updating the short version string (CFBundleShortVersionString) from '$CURRENT_VALUE' to '$SHORT_VERSION'"
+        PlistBuddy -c "Set :CFBundleShortVersionString $SHORT_VERSION" "$APP_PATH/Info.plist"
+    fi
+
+    # Update bundle version in the Info.plist if provided
+    if [[ -n "$BUNDLE_VERSION" ]]; then
+        CURRENT_VALUE="$(PlistBuddy -c "Print :CFBundleVersion" "$APP_PATH/Info.plist")"
+        # Even if the old value is same - just update, less code, less debugging
+        log "Updating the bundle version (CFBundleVersion) from '$CURRENT_VALUE' to '$BUNDLE_VERSION'"
+        PlistBuddy -c "Set :CFBundleVersion $BUNDLE_VERSION" "$APP_PATH/Info.plist"
+    fi
+
+    # Check for and resign OnDemandResource folders
+    ODR_DIR="$(dirname "$APP_PATH")/OnDemandResources"
+    if [ -d "$ODR_DIR" ]; then
+        for assetpack in "$ODR_DIR"/*
+        do
+            if [[ "$assetpack" == *.assetpack ]]; then
+                rm -rf $assetpack/_CodeSignature
+                /usr/bin/codesign ${VERBOSE} --generate-entitlement-der ${KEYCHAIN_FLAG} -f -s "$CERTIFICATE" "$assetpack"
+                checkStatus
+            else
+                log "Ignoring non-assetpack: $assetpack"
+            fi
+        done
+    fi
+
+    # Check for and resign any embedded frameworks (new feature for iOS 8 and above apps)
+    FRAMEWORKS_DIR="$APP_PATH/Frameworks"
+    if [ -d "$FRAMEWORKS_DIR" ]; then
+        if [ "$TEAM_IDENTIFIER" == "" ]; then
+            error "ERROR: embedded frameworks detected, re-signing iOS 8 (or higher) applications wihout a team identifier in the certificate/profile does not work"
+        fi
+
+        log "Resigning embedded frameworks using certificate: '$CERTIFICATE'"
+        for framework in "$FRAMEWORKS_DIR"/*
+        do
+            if [[ "$framework" == *.framework || "$framework" == *.dylib ]]; then
+                log "Resigning '$framework'"
+                # Must not qote KEYCHAIN_FLAG because it needs to be unwrapped and passed to codesign with spaces
+                # shellcheck disable=SC2086
+                /usr/bin/codesign ${VERBOSE} --generate-entitlement-der ${KEYCHAIN_FLAG} -f -s "$CERTIFICATE" "$framework"
+                checkStatus
+            else
+                log "Ignoring non-framework: $framework"
+            fi
+        done
+    fi
+
+    # Check for and update bundle identifiers for extensions and associated nested apps
+    log "Fixing nested app and extension references"
+    for key in "${NESTED_APP_REFERENCE_KEYS[@]}"; do
+        # Check if Info.plist has a reference to another app or extension
+        REF_BUNDLE_ID=$(PlistBuddy -c "Print ${key}" "$APP_PATH/Info.plist" 2>/dev/null)
+        if [ -n "$REF_BUNDLE_ID" ]; then
+            # Found a reference bundle id, now get the corresponding provisioning profile for this bundle id
+            REF_PROVISION=$(provision_for_bundle_id "$REF_BUNDLE_ID")
+            # Map to the new bundle id
+            NEW_REF_BUNDLE_ID=$(bundle_id_for_provision "$REF_PROVISION")
+            # Change if not the same and if doesn't contain wildcard
+            # shellcheck disable=SC2049
+            if [[ "$REF_BUNDLE_ID" != "$NEW_REF_BUNDLE_ID" ]] && ! [[ "$NEW_REF_BUNDLE_ID" =~ \* ]]; then
+                log "Updating nested app or extension reference for ${key} key from ${REF_BUNDLE_ID} to ${NEW_REF_BUNDLE_ID}"
+                PlistBuddy -c "Set ${key} $NEW_REF_BUNDLE_ID" "$APP_PATH/Info.plist"
+            fi
+        fi
+    done
+
+    if [ "$ENTITLEMENTS" != "" ]; then
+        if [ -n "$APP_IDENTIFIER_PREFIX" ]; then
+            # sanity check the 'application-identifier' is present in the provided entitlements and matches the provisioning profile value
+            ENTITLEMENTS_APP_ID_PREFIX=$(PlistBuddy -c "Print :application-identifier" "$ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+            if [ "$ENTITLEMENTS_APP_ID_PREFIX" == "" ]; then
+                error "Provided entitlements file is missing a value for the required 'application-identifier' key"
+            elif [ "$ENTITLEMENTS_APP_ID_PREFIX" != "$APP_IDENTIFIER_PREFIX" ]; then
+                error "Provided entitlements file's app identifier prefix value '$ENTITLEMENTS_APP_ID_PREFIX' does not match the provided provisioning profile's value '$APP_IDENTIFIER_PREFIX'"
+            fi
+        fi
+
+        if [ -n "$TEAM_IDENTIFIER" ]; then
+            # sanity check the 'com.apple.developer.team-identifier' is present in the provided entitlements and matches the provisioning profile value
+            ENTITLEMENTS_TEAM_IDENTIFIER=$(PlistBuddy -c "Print :com.apple.developer.team-identifier" "$ENTITLEMENTS" | tr -d '\n')
+            if [ "$ENTITLEMENTS_TEAM_IDENTIFIER" == "" ]; then
+                error "Provided entitlements file is missing a value for the required 'com.apple.developer.team-identifier' key"
+            elif [ "$ENTITLEMENTS_TEAM_IDENTIFIER" != "$TEAM_IDENTIFIER" ]; then
+                error "Provided entitlements file's 'com.apple.developer.team-identifier' '$ENTITLEMENTS_TEAM_IDENTIFIER' does not match the provided provisioning profile's value '$TEAM_IDENTIFIER'"
+            fi
+        fi
+
+        log "Resigning application using certificate: '$CERTIFICATE'"
+        log "and entitlements: $ENTITLEMENTS"
+        if [[ "${XCODE_VERSION/.*/}" -lt 10 ]]; then
+            log "Creating an archived-expanded-entitlements.xcent file for Xcode 9 builds or earlier"
+            cp -f "$ENTITLEMENTS" "$APP_PATH/archived-expanded-entitlements.xcent"
+        fi
+        /usr/bin/codesign ${VERBOSE} --generate-entitlement-der -f -s "$CERTIFICATE" --entitlements "$ENTITLEMENTS" "$APP_PATH"
+        checkStatus
+    elif  [[ -n "${USE_APP_ENTITLEMENTS}" ]]; then
+        # Extract entitlements from provisioning profile and from the app binary
+        # then combine them together
+
+        log "Extracting entitlements from provisioning profile"
+        PROFILE_ENTITLEMENTS="$TEMP_DIR/profileEntitlements"
+        PlistBuddy -x -c "Print Entitlements" "$TEMP_DIR/profile.plist" > "$PROFILE_ENTITLEMENTS"
+        checkStatus
+
+        log "Extracting entitlements from the app"
+        APP_ENTITLEMENTS="$TEMP_DIR/appEntitlements"
+        /usr/bin/codesign -d --entitlements :"$APP_ENTITLEMENTS" "$APP_PATH"
+        checkStatus
+
+        log "\nApp entitlements for ${APP_PATH}:"
+        log "$(cat "$APP_ENTITLEMENTS")"
+
+        # Get the old and new app identifier (prefix)
+        APP_ID_KEY="application-identifier"
+        # Extract just the identifier from the value
+        # Use the fact that we are after some identifier, which is always at the start of the string
+        OLD_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$APP_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+        NEW_APP_ID=$(PlistBuddy -c "Print $APP_ID_KEY" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+
+        # Get the old and the new team ID
+        # Old team ID is not part of app entitlements, have to get it from old embedded provisioning profile
+        security cms -D -i "$TEMP_DIR/old-embedded.mobileprovision" > "$TEMP_DIR/old-embedded-profile.plist"
+        OLD_TEAM_ID=$(PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/old-embedded-profile.plist")
+        # New team ID is part of profile entitlements
+        NEW_TEAM_ID=$(PlistBuddy -c "Print com.apple.developer.team-identifier" "$PROFILE_ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
+
+        log "Patching profile entitlements with values from app entitlements"
+        PATCHED_ENTITLEMENTS="$TEMP_DIR/patchedEntitlements"
+        # Start with using what comes in provisioning profile entitlements before patching
+        cp -f "$PROFILE_ENTITLEMENTS" "$PATCHED_ENTITLEMENTS"
+
+        log "Removing denylisted keys from patched profile"
+        # See https://github.com/facebook/buck/issues/798 and https://github.com/facebook/buck/pull/802/files
+
+        # Update in https://github.com/facebook/buck/commit/99c0fbc3ab5ecf04d186913374f660683deccdef
+        # Update in https://github.com/facebook/buck/commit/36db188da9f6acbb9df419dc1904315ab00c4e19
+
+        # Buck changes referenced above are not self-explanatory and do not seem exhaustive or up-to-date
+        # Comments below explain the rules applied to each key in order to make realignment with future Xcode export logic easier
+        DENYLISTED_KEYS=(\
+            # PP list identifiers inconsistent with app-defined ones and this key does not seem to appear in IPA entitlements, so ignore it
+            "com.apple.developer.icloud-container-development-container-identifiers" \
+            # This key has an invalid generic value in PP (actual value is set by Xcode during export), see dedicated processing a few blocks below
+            "com.apple.developer.icloud-container-environment" \
+            # PP enable all available services and not app-defined ones, must use App entitlements value
+            "com.apple.developer.icloud-services" \
+            # Was already denylisted in previous version, but has someone ever seen this key in a PP?
+            "com.apple.developer.restricted-resource-mode" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.nfc.readersession.formats" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.siri" \
+            # PP define a generic TeamID.* identifier and not the app-defined one, must use App entitlements value
+            "com.apple.developer.ubiquity-kvstore-identifier" \
+            # If actually used by the App, this value will be set in its entitlements
+            "inter-app-audio" \
+            # PP define a generic TeamID.* identifier and not the app-defined one, must use App entitlements value
+            "keychain-access-groups" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.homekit" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.healthkit" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.healthkit.access" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.networking.vpn.api" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.networking.HotspotConfiguration" \
+            # PP list all available extensions and not app-defined ones, must use App entitlements value
+            "com.apple.developer.networking.networkextension" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.networking.multipath" \
+            # PP enable all domains via a non-AppStore-compliant '*' value, must use App entitlements value
+            "com.apple.developer.associated-domains" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.developer.default-data-protection" \
+            # Was already denylisted in previous version, seems to be an artifact from an old Xcode release
+            "com.apple.developer.maps" \
+            # If actually used by the App, this value will be set in its entitlements
+            "com.apple.external-accessory.wireless-configuration"
+        )
+
+        # If we change team while resigning, we have no other choice than to use the following entitlements from the PP instead of the App
+        # because they are based on unique identifiers (defined in the developer portal) that can't be shared between teams
+        if [[ "$OLD_TEAM_ID" != "$NEW_TEAM_ID" ]]; then
+            warning "WARNING: Changing team while resigning"
+            warning "WARNING: Using these entitlements from the provisioning profile instead of the existing app:"
+            warning "WARNING: App Groups, Merchant IDs (Apple Pay In-App Payments), iCloud Containers, Pass Type IDs (Wallet)"
+            warning "WARNING: If these capabilities are enabled, make sure AppID and provisioning profile are properly configured"
+            # For Pass Types, PP only list a single TeamID.* identifier and not the potential restricted list defined in the existing App
+            # but we can't guess the new identifiers to be used, so this generic value is better than nothing and should be fine for most apps
+            warning "WARNING: Resigned app will allow all pass types from the new team, even if old app only allowed a restricted list"
+        else
+            DENYLISTED_KEYS+=(\
+                "com.apple.security.application-groups" \
+                "com.apple.developer.in-app-payments" \
+                "com.apple.developer.ubiquity-container-identifiers" \
+                "com.apple.developer.icloud-container-identifiers" \
+                "com.apple.developer.pass-type-identifiers" \
+            )
+        fi
+
+        # Denylisted keys must not be included into new profile, so remove them from patched profile
+        for KEY in "${DENYLISTED_KEYS[@]}"; do
+            log "Removing denylisted key: $KEY"
+            PlistBuddy -c "Delete $KEY" "$PATCHED_ENTITLEMENTS" 2>/dev/null
+        done
+
+        # List of rules for transferring entitlements from app to profile plist
+        # The format for each enty is "KEY[|ID_TYPE]"
+        # Where KEY is the plist key, e.g. "keychain-access-groups"
+        # and ID_TYPE is optional part separated by '|' that specifies what value to patch:
+        # TEAM_ID - patch the TeamIdentifierPrefix
+        # APP_ID - patch the AppIdentifierPrefix
+        # ICLOUD_ENV - patch the target iCloud Environment
+        # Patching means replacing old value from app entitlements with new value from provisioning profile
+        # For example, for KEY=keychain-access-groups the ID_TYPE=APP_ID
+        # Which means that old app ID prefix in keychain-access-groups will be replaced with new app ID prefix
+        # There can be only one ID_TYPE specified
+        # If entitlements use more than one ID type for single entitlement, then this way of resigning will not work
+        # instead an entitlements file must be provided explicitly
+        ENTITLEMENTS_TRANSFER_RULES=(\
+            "com.apple.developer.associated-domains" \
+            "com.apple.developer.default-data-protection" \
+            "com.apple.developer.healthkit" \
+            "com.apple.developer.healthkit.access" \
+            "com.apple.developer.homekit" \
+            "com.apple.developer.icloud-container-environment|ICLOUD_ENV" \
+            "com.apple.developer.icloud-services" \
+            "com.apple.developer.networking.HotspotConfiguration" \
+            "com.apple.developer.networking.multipath" \
+            "com.apple.developer.networking.networkextension" \
+            "com.apple.developer.networking.vpn.api" \
+            "com.apple.developer.nfc.readersession.formats" \
+            "com.apple.developer.siri" \
+            "com.apple.developer.ubiquity-kvstore-identifier|TEAM_ID" \
+            "com.apple.external-accessory.wireless-configuration" \
+            "inter-app-audio" \
+            "keychain-access-groups|APP_ID" \
+        )
+
+        # If we change team while resigning, we have no other choice than to use the following entitlements from the PP instead of the App
+        # because they are based on unique identifiers (defined in the developer portal) that can't be shared between teams
+        # If we don't change team while resigning, we should use the following entitlements from the existing App and not from the PP
+        if [[ "$OLD_TEAM_ID" == "$NEW_TEAM_ID" ]]; then
+            ENTITLEMENTS_TRANSFER_RULES+=(\
+                "com.apple.security.application-groups" \
+                "com.apple.developer.in-app-payments" \
+                "com.apple.developer.ubiquity-container-identifiers" \
+                "com.apple.developer.icloud-container-identifiers" \
+                "com.apple.developer.pass-type-identifiers|TEAM_ID" \
+            )
+        fi
+
+        # Loop over all the entitlement keys that need to be transferred from app entitlements
+        for RULE in "${ENTITLEMENTS_TRANSFER_RULES[@]}"; do
+            KEY=$(echo "$RULE" | cut -d'|' -f1)
+            ID_TYPE=$(echo "$RULE" | cut -d'|' -f2)
+
+            # Get the entry from app's entitlements
+            # Read it with PlistBuddy as XML, then strip the header and <plist></plist> part
+            ENTITLEMENTS_VALUE="$(PlistBuddy -x -c "Print $KEY" "$APP_ENTITLEMENTS" 2>/dev/null | tr -d '\n' | /usr/bin/sed -e 's,.*<plist[^>]*>\(.*\)</plist>,\1,g')"
+            if [[ -z "$ENTITLEMENTS_VALUE" ]]; then
+                log "No value for '$KEY'"
+                continue
+            fi
+
+            log "App entitlements value for key '$KEY':"
+            log "$ENTITLEMENTS_VALUE"
+
+            # Patch the ID value if specified
+            if [[ "$ID_TYPE" == "APP_ID" ]]; then
+                # Replace old value with new value in patched entitlements
+                log "Replacing old app ID '$OLD_APP_ID' with new app ID '$NEW_APP_ID'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | /usr/bin/sed -e "s/$OLD_APP_ID/$NEW_APP_ID/g")
+            elif [[ "$ID_TYPE" == "TEAM_ID" ]]; then
+                # Replace old team identifier with new value
+                log "Replacing old team ID '$OLD_TEAM_ID' with new team ID '$NEW_TEAM_ID'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | /usr/bin/sed -e "s/$OLD_TEAM_ID/$NEW_TEAM_ID/g")
+            elif [[ "$ID_TYPE" == "ICLOUD_ENV" ]]; then
+                # Add specific iCloud Environment key to patched entitlements
+                # This value is set by Xcode during export (manually selected for Development and AdHoc, automatically set to Production for Store)
+                # Would need an additional dedicated option to specify the iCloud environment to be used (Development or Production)
+                # For now, we assume Production is to be used when signing with a Distribution certificate, Development if not
+                local certificate_name=$CERTIFICATE
+                local sha1_pattern='[0-9A-F]{40}'
+
+                if [[ "$CERTIFICATE" =~ $sha1_pattern ]]; then
+                    log "Certificate $CERTIFICATE matches a SHA1 pattern"
+                    local certificate_matches="$( security find-identity -v -p codesigning | grep -m 1 "$CERTIFICATE" )"
+                    if [ -n "$certificate_matches" ]; then
+                        certificate_name="$(/usr/bin/sed -E s/[^\"]+\"\([^\"]+\)\".*/\\1/ <<< $certificate_matches )"
+                        log "Certificate name: $certificate_name"
+                    fi
+                fi
+
+                OLD_ICLOUD_ENV=$(echo "$ENTITLEMENTS_VALUE" | /usr/bin/sed -e 's,<string>\(.*\)</string>,\1,g')
+                if [[ "$certificate_name" =~ "Distribution:" ]]; then
+                    NEW_ICLOUD_ENV="Production"
+                else
+                    NEW_ICLOUD_ENV="Development"
+                fi
+                log "Replacing iCloud environment '$OLD_ICLOUD_ENV' with '$NEW_ICLOUD_ENV'"
+                ENTITLEMENTS_VALUE=$(echo "$ENTITLEMENTS_VALUE" | /usr/bin/sed -e "s/$OLD_ICLOUD_ENV/$NEW_ICLOUD_ENV/g")
+            fi
+
+            # Remove the entry for current key from profisioning profile entitlements (if exists)
+            PlistBuddy -c "Delete $KEY" "$PATCHED_ENTITLEMENTS" 2>/dev/null
+
+            # Add new entry to patched entitlements
+            # plutil needs dots in the key path to be escaped (e.g. com\.apple\.security\.application-groups)
+            # otherwise it interprets they key path as nested keys
+            # TODO: Should be able to replace with echo ${KEY//\./\\\\.} and remove shellcheck disable directive
+            # shellcheck disable=SC2001
+            PLUTIL_KEY=$(echo "$KEY" | /usr/bin/sed -e 's/\./\\\./g')
+            plutil -insert "$PLUTIL_KEY" -xml "$ENTITLEMENTS_VALUE" "$PATCHED_ENTITLEMENTS"
+        done
+
+        # Replace old bundle ID with new bundle ID in patched entitlements
+        # Read old bundle ID from the old Info.plist which was saved for this purpose
+        OLD_BUNDLE_ID="$(PlistBuddy -c "Print :CFBundleIdentifier" "$TEMP_DIR/oldInfo.plist")"
+        NEW_BUNDLE_ID="$(bundle_id_for_provision "$NEW_PROVISION")"
+        log "Replacing old bundle ID '$OLD_BUNDLE_ID' with new bundle ID '$NEW_BUNDLE_ID' in patched entitlements"
+        # Note: ideally we'd match against the opening <string> tag too, but this isn't possible
+        # because $OLD_BUNDLE_ID and $NEW_BUNDLE_ID do not include the team ID prefix which is
+        # present in the entitlements file.
+        # e.g. <string>AB1GP98Q19.com.example.foo</string>
+        #         vs
+        #      com.example.foo
+        /usr/bin/sed -i .bak "s!${OLD_BUNDLE_ID}</string>!${NEW_BUNDLE_ID}</string>!g" "$PATCHED_ENTITLEMENTS"
+
+        log "Resigning application using certificate: '$CERTIFICATE'"
+        log "and patched entitlements:"
+        log "$(cat "$PATCHED_ENTITLEMENTS")"
+        if [[ "${XCODE_VERSION/.*/}" -lt 10 ]]; then
+            log "Creating an archived-expanded-entitlements.xcent file for Xcode 9 builds or earlier"
+            cp -f "$PATCHED_ENTITLEMENTS" "$APP_PATH/archived-expanded-entitlements.xcent"
+        fi
+        /usr/bin/codesign ${VERBOSE} --generate-entitlement-der -f -s "$CERTIFICATE" --entitlements "$PATCHED_ENTITLEMENTS" "$APP_PATH"
+        checkStatus
+    else
+        log "Extracting entitlements from provisioning profile"
+        PlistBuddy -x -c "Print Entitlements" "$TEMP_DIR/profile.plist" > "$TEMP_DIR/newEntitlements"
+        checkStatus
+        log "Resigning application using certificate: '$CERTIFICATE'"
+        log "and entitlements from provisioning profile: $NEW_PROVISION"
+        if [[ "${XCODE_VERSION/.*/}" -lt 10 ]]; then
+            log "Creating an archived-expanded-entitlements.xcent file for Xcode 9 builds or earlier"
+            cp -- "$TEMP_DIR/newEntitlements" "$APP_PATH/archived-expanded-entitlements.xcent"
+        fi
+        # Must not qote KEYCHAIN_FLAG because it needs to be unwrapped and passed to codesign with spaces
+        # shellcheck disable=SC2086
+        /usr/bin/codesign ${VERBOSE} --generate-entitlement-der ${KEYCHAIN_FLAG} -f -s "$CERTIFICATE" --entitlements "$TEMP_DIR/newEntitlements" "$APP_PATH"
+        checkStatus
+    fi
+
+    # Remove the temporary files if they were created before generating ipa
+    rm -f "$TEMP_DIR/newEntitlements"
+    rm -f "$PROFILE_ENTITLEMENTS"
+    rm -f "$APP_ENTITLEMENTS"
+    rm -f "$PATCHED_ENTITLEMENTS"
+    rm -f "$PATCHED_ENTITLEMENTS.bak"
+    rm -f "$TEMP_DIR/old-embedded-profile.plist"
+    rm -f "$TEMP_DIR/profile.plist"
+    rm -f "$TEMP_DIR/old-embedded.mobileprovision"
+    rm -f "$TEMP_DIR/oldInfo.plist"
+}
+
+# remove all plugins
+if  [[ -n "${REMOVE_PLUGINS}" ]]; then
+    rm -rf "$TEMP_DIR/Payload/$APP_NAME/Plugins"
+fi
+
+# Sign nested applications and app extensions
+while IFS= read -d '' -r app;
+do
+    log "Resigning nested application: '$app'"
+    resign "$app" NESTED
+done < <(find "$TEMP_DIR/Payload/$APP_NAME" -d -mindepth 1 \( -name "*.app" -or -name "*.appex" \) -print0)
+
+# Resign the application
+resign "$TEMP_DIR/Payload/$APP_NAME"
+
+# Repackage quietly
+log "Repackaging as $NEW_FILE"
+
+# Zip up the contents of the "$TEMP_DIR" folder
+# Navigate to the temporary directory (sending the output to null)
+# Zip all the contents, saving the zip file in the above directory
+# Navigate back to the orignating directory (sending the output to null)
+pushd "$TEMP_DIR" > /dev/null
+# TODO: Fix shellcheck warning and remove directive
+# shellcheck disable=SC2035
+zip -qry "../$TEMP_DIR.ipa" *
+popd > /dev/null
+
+# Move the resulting ipa to the target destination
+mv "$TEMP_DIR.ipa" "$NEW_FILE"
+
+# Remove the temp directory
+rm -rf "$TEMP_DIR"
+
+log "Process complete"