sigh 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 22e89f083c78667b420dc18851b06214624b0a31
-  data.tar.gz: 21fa51c43e3dbfb8b2c3d40c576b0dffe35e9973
+  metadata.gz: ef27c541a6d91c50a1a6230aa2dc3598456603b4
+  data.tar.gz: a9cb32dca3f10b03502ee41589d54db9d7d1d6bb
 SHA512:
-  metadata.gz: 91b189b8dc6ff527e51751d3913ac951eab6e900bcdaf5ebde860f2a3ca816f2b92fca733b1e5a138fe47a85306ef017dd7790737f1b05ccd2da647bdf281693
-  data.tar.gz: c88c9ea33d835863a2772ce79f4efd50d3aba88a7fc6b454b0c2ee9c8cf36a62d092928695b837200254349f116316f08c0a3612fd2dbe38a0d0bd6a6d728a24
+  metadata.gz: 2cfc39277183515956b30fcd2df642657f60ea084af41a3d8c248bc71f892440e6ffe8c62a1f787654f7ec24569f37fefcd9f68288c306af25697ec7ebafea53
+  data.tar.gz: f53445cff10af39c000800130eeeb139734ddc92f05feb0c2c326c034556eb704be201424ebebea0e12c27e49c74a1d35551a51175dce67a6f6f4f6451884474

data/README.md

@@ -82,8 +82,6 @@ Make sure, you have the latest version of the Xcode command line tools installed
 
     xcode-select --install
 
-If you don't already have homebrew installed, [install it here](http://brew.sh/).
-
 # Usage
 
     sigh
@@ -121,16 +119,19 @@ If you need the provisioning profile to be renewed regardless of its state use t
 
     sigh --force -a com.krausefx.app -u username
 
-To renew a valid profile with a different certificate, look up the expiry date of the certificate you want to sign with in the Apple Developer Portal under Production Certificates. Copy the date string from there and use the following:
+By default, ```sigh``` will include all certificates on development profiles, and first certificate on other types. If you need to specify which certificate to use you can either use the environment variable `SIGH_CERTIFICATE`, or pass the name or expiry date of the certificate as argument:
+
+    sigh -c "SunApps GmbH"
 
-    sigh --force -a com.krausefx.app -u username -d "Nov 11, 2017"
 
+    sigh -d "Nov 11, 2017"
 
 ## Environment Variables
 In case you prefer environment variables:
 
 - ```SIGH_USERNAME```
 - ```SIGH_APP_IDENTIFIER```
+- ```SIGH_CERTIFICATE``` (The name of the certificate to use)
 - ```SIGH_TEAM_ID``` (The Team ID, e.g. `Q2CBPK58CA`)
 - `SIGH_DISABLE_OPEN_ERROR` - in case of error, `sigh` won't open Preview with a screenshot of the error when this variable is set.
 

data/bin/sigh

@@ -32,6 +32,7 @@ class SighApplication
     global_option '-n', '--cert_name STRING', String, 'The name of the generated certificate file.'
     global_option '-o', '--output STRING', String, 'The folder in which the file should be generated.'
     global_option '-d', '--cert_date STRING', String, 'The certificate with the given expiry date used to renew. (e.g. "Nov 11, 2017")'
+    global_option '-c', '--cert_owner STRING', String, 'The certificate name to use for new profiles, or to renew with. (e.g. "Felix Krause")'
     global_option '-f', '--filename STRING', String, 'Filename to use for the provisioning profile'
 
     command :renew do |c|
@@ -45,7 +46,9 @@ class SighApplication
         type = Sigh::DeveloperCenter::APPSTORE
         type = Sigh::DeveloperCenter::ADHOC if options.adhoc 
         type = Sigh::DeveloperCenter::DEVELOPMENT if options.development
-        
+
+        ENV['SIGH_CERTIFICATE'] = options.cert_owner if options.cert_owner
+
         path = Sigh::DeveloperCenter.new.run(app, type, options.cert_name, options.force, options.cert_date)
 
         if path
@@ -64,6 +67,16 @@ class SighApplication
       end
     end
 
+    command :resign do |c|
+      c.syntax = 'sigh resign'
+      c.description = 'Resigns an existing ipa file with the given provisioning profile'
+      c.option '-i', '--signing_identity STRING', String, 'The signing identity to use. Must match the one defined in the provisioning profile.'
+
+      c.action do |args, options|
+        Sigh::Resign.new.run(options)
+      end
+    end
+
     default_command :renew
 
     run!

data/lib/assets/resign.sh

@@ -0,0 +1,439 @@
+# !/bin/bash
+
+# Copyright (c) 2011 Float Mobile Learning
+# http://www.floatlearning.com/
+# Extension Copyright (c) 2013 Weptun Gmbh
+# http://www.weptun.de
+#
+# Extended by Ronan O Ciosoig January 2012
+#
+# Extended by Patrick Blitz, April 2013
+#
+# Extended by John Turnipseed and Matthew Nespor, November 2014
+# http://nanonation.net/
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Please let us know about any improvements you make to this script!
+# ./floatsign source "iPhone Distribution: Name" -p "path/to/profile" [-d "display name"]  [-e entitlements] [-k keychain] -b "BundleIdentifier" outputIpa
+#
+#
+# Modifed 26th January 2012
+#
+# new features January 2012:
+# 1. change the app display name
+#
+# new features April 2013
+# 1. specify the target bundleId on the command line
+# 2. correctly handles entitlements for keychain-enabled resigning
+#
+# new features November 2014
+# 1. now re-signs embedded iOS frameworks, if present, prior to re-signing the application itself
+# 2. extracts the team-identifier from provisioning profile and uses it to update previous entitlements
+# 3. fixed bug in packaging if -e flag is used
+# 4. renamed 'temp' directory and made it a variable so it can be easily modified
+# 5. various code formatting and logging adjustments
+# 
+
+
+function checkStatus {
+
+if [ $? -ne 0 ];
+then
+    echo "Encountered an error, aborting!" >&2
+    exit 1
+fi
+}
+
+if [ $# -lt 3 ]; then
+    echo "usage: $0 source identity -p provisioning [-e entitlements] [-r adjustBetaReports] [-d displayName] [-n version] -b bundleId outputIpa" >&2
+    echo "       -p and -b are optional, but their use is heavly recommended" >&2
+    echo "       -r flag requires a value '-r yes'"
+    echo "       -r flag is ignored if -e is also used" >&2
+    exit 1
+fi
+
+ORIGINAL_FILE="$1"
+CERTIFICATE="$2"
+NEW_PROVISION=
+ENTITLEMENTS=
+BUNDLE_IDENTIFIER=""
+DISPLAY_NAME=""
+APP_IDENTIFER_PREFIX=""
+TEAM_IDENTIFIER=""
+KEYCHAIN=""
+VERSION_NUMBER=""
+ADJUST_BETA_REPORTS_ACTIVE_FLAG="0"
+TEMP_DIR="_floatsignTemp"
+
+# options start index
+OPTIND=3
+while getopts p:d:e:k:b:r:n: opt; do
+    case $opt in
+        p)
+            NEW_PROVISION="$OPTARG"
+            echo "Specified provisioning profile: '$NEW_PROVISION'" >&2
+            ;;
+        d)
+            DISPLAY_NAME="$OPTARG"
+            echo "Specified display name: '$DISPLAY_NAME'" >&2
+            ;;
+        e)
+            ENTITLEMENTS="$OPTARG"
+            echo "Specified signing entitlements: '$ENTITLEMENTS'" >&2
+            ;;
+        b)
+            BUNDLE_IDENTIFIER="$OPTARG"
+            echo "Specified bundle identifier: '$BUNDLE_IDENTIFIER'" >&2
+            ;;
+        k)
+            KEYCHAIN="$OPTARG"
+            echo "Specified Keychain to use: '$KEYCHAIN'" >&2
+            ;;
+        n)
+            VERSION_NUMBER="$OPTARG"
+            echo "Specified version to use: '$VERSION_NUMBER'" >&2
+            ;;
+        r)
+            ADJUST_BETA_REPORTS_ACTIVE_FLAG="1"
+            echo "Enabled adjustment of beta-reports-active entitlements" >&2
+            ;;
+        \?)
+            echo "Invalid option: -$OPTARG" >&2
+            exit 1
+            ;;
+        :)
+            echo "Option -$OPTARG requires an argument." >&2
+            exit 1
+            ;;
+    esac
+done
+
+shift $((OPTIND-1))
+
+NEW_FILE="$1"
+if [ -z "$NEW_FILE" ]; 
+then
+    echo "Output file name required" >&2
+    exit 1
+fi
+
+
+# Check for and remove the temporary directory if it already exists
+if [ -d "$TEMP_DIR" ]; 
+then
+    echo "Removing previous temporary directory: '$TEMP_DIR'" >&2
+    rm -Rf "$TEMP_DIR"
+fi
+
+filename=$(basename "$ORIGINAL_FILE")
+extension="${filename##*.}"
+filename="${filename%.*}"
+
+# Check if the supplied file is an ipa or an app file
+if [ "${extension}" = "ipa" ]
+then
+    # Unzip the old ipa quietly
+    unzip -q "$ORIGINAL_FILE" -d $TEMP_DIR
+    checkStatus
+elif [ "${extension}" = "app" ]
+then
+    # Copy the app file into an ipa-like structure
+    mkdir -p "$TEMP_DIR/Payload"
+    cp -Rf "${ORIGINAL_FILE}" "$TEMP_DIR/Payload/${filename}.app"
+    checkStatus
+else
+    echo "Error: Only can resign .app files and .ipa files." >&2
+    exit
+fi
+
+# check the keychain
+if [ "${KEYCHAIN}" != "" ];
+then
+    security list-keychains -s $KEYCHAIN
+    security unlock $KEYCHAIN
+    security default-keychain -s $KEYCHAIN
+fi
+
+# Set the app name
+# The app name is the only file within the Payload directory
+APP_NAME=$(ls "$TEMP_DIR/Payload/")
+
+# Make sure that PATH includes the location of the PlistBuddy helper tool as its location is not standard
+export PATH=$PATH:/usr/libexec
+
+# Make sure that the Info.plist file is where we expect it
+if [ ! -e "$TEMP_DIR/Payload/$APP_NAME/Info.plist" ];
+then
+    echo "Expected file does not exist: '$TEMP_DIR/Payload/$APP_NAME/Info.plist'" >&2
+    exit 1;
+fi
+
+# Read in current values from the app
+CURRENT_NAME=`PlistBuddy -c "Print :CFBundleDisplayName" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+CURRENT_BUNDLE_IDENTIFIER=`PlistBuddy -c "Print :CFBundleIdentifier" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+if [ "${BUNDLE_IDENTIFIER}" == "" ];
+then
+    BUNDLE_IDENTIFIER=`egrep -a -A 2 application-identifier "${NEW_PROVISION}" | grep string | sed -e 's/<string>//' -e 's/<\/string>//' -e 's/ //' | awk '{split($0,a,"."); i = length(a); for(ix=2; ix <= i;ix++){ s=s a[ix]; if(i!=ix){s=s "."};} print s;}'`
+    if [[ "${BUNDLE_IDENTIFIER}" == *\** ]]; then
+        echo "Bundle Identifier contains a *, using the current bundle identifier" >&2
+        BUNDLE_IDENTIFIER=$CURRENT_BUNDLE_IDENTIFIER;
+    fi
+    checkStatus
+fi
+
+echo "Current bundle identifier is: '$CURRENT_BUNDLE_IDENTIFIER'" >&2
+echo "New bundle identifier will be: '$BUNDLE_IDENTIFIER'" >&2
+
+# Update the CFBundleDisplayName property in the Info.plist if a new name has been provided
+if [ "${DISPLAY_NAME}" != "" ];
+then
+    if [ "${DISPLAY_NAME}" != "${CURRENT_NAME}" ];
+    then
+        echo "Changing display name from '$CURRENT_NAME' to '$DISPLAY_NAME'" >&2
+        `PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+    fi
+fi
+
+# Replace the embedded mobile provisioning profile
+if [ "$NEW_PROVISION" != "" ];
+then
+    if [[ -e "$NEW_PROVISION" ]];
+    then
+        echo "Validating the new provisioning profile: $NEW_PROVISION" >&2
+        security cms -D -i "$NEW_PROVISION" > "$TEMP_DIR/profile.plist"
+        checkStatus
+
+        APP_IDENTIFER_PREFIX=`PlistBuddy -c "Print :Entitlements:application-identifier" "$TEMP_DIR/profile.plist" | grep -E '^[A-Z0-9]*' -o | tr -d '\n'` 
+        if [ "$APP_IDENTIFER_PREFIX" == "" ];
+        then
+            APP_IDENTIFER_PREFIX=`PlistBuddy -c "Print :ApplicationIdentifierPrefix:0" "$TEMP_DIR/profile.plist"` 
+            if [ "$APP_IDENTIFER_PREFIX" == "" ];
+            then
+                echo "Failed to extract any app identifier prefix from '$NEW_PROVISION'" >&2
+                exit 1;
+            else
+                echo "WARNING: extracted an app identifier prefix '$APP_IDENTIFER_PREFIX' from '$NEW_PROVISION', but it was not found in the profile's entitlements" >&2
+            fi
+        else
+            echo "Profile app identifier prefix is '$APP_IDENTIFER_PREFIX'" >&2
+        fi
+        
+        TEAM_IDENTIFIER=`PlistBuddy -c "Print :Entitlements:com.apple.developer.team-identifier" "$TEMP_DIR/profile.plist" | tr -d '\n'` 
+        if [ "$TEAM_IDENTIFIER" == "" ];
+        then
+            TEAM_IDENTIFIER=`PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/profile.plist"` 
+            if [ "$TEAM_IDENTIFIER" == "" ];
+            then
+                echo "Failed to extract team identifier from '$NEW_PROVISION', resigned ipa may fail on iOS 8 and higher" >&2
+            else
+                echo "WARNING: extracted a team identifier '$TEAM_IDENTIFIER' from '$NEW_PROVISION', but it was not found in the profile's entitlements, resigned ipa may fail on iOS 8 and higher" >&2
+            fi
+        else
+            echo "Profile team identifier is '$TEAM_IDENTIFIER'" >&2
+        fi
+
+        cp "$NEW_PROVISION" "$TEMP_DIR/Payload/$APP_NAME/embedded.mobileprovision"
+    else
+        echo "Provisioning profile '$NEW_PROVISION' file does not exist" >&2
+        exit 1;
+    fi
+else
+    echo "-p 'xxxx.mobileprovision' argument is required" >&2
+    exit 1;
+fi
+
+
+#if the current bundle identifier is different from the new one in the provisioning profile, then change it.
+if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ];
+then
+    echo "Updating the bundle identifier from '$CURRENT_BUNDLE_IDENTIFIER' to '$BUNDLE_IDENTIFIER'" >&2
+    `PlistBuddy -c "Set :CFBundleIdentifier $BUNDLE_IDENTIFIER" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+    checkStatus
+fi
+
+# Update the version number properties in the Info.plist if a version number has been provided
+if [ "$VERSION_NUMBER" != "" ];
+then
+    CURRENT_VERSION_NUMBER=`PlistBuddy -c "Print :CFBundleVersion" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+    if [ "$VERSION_NUMBER" != "$CURRENT_VERSION_NUMBER" ];
+    then
+        echo "Updating the version from '$CURRENT_VERSION_NUMBER' to '$VERSION_NUMBER'" >&2
+        `PlistBuddy -c "Set :CFBundleVersion $VERSION_NUMBER" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+        `PlistBuddy -c "Set :CFBundleShortVersionString $VERSION_NUMBER" "$TEMP_DIR/Payload/$APP_NAME/Info.plist"`
+    fi
+fi
+
+# Check for and resign any embedded frameworks (new feature for iOS 8 and above apps)
+FRAMEWORKS_DIR="$TEMP_DIR/Payload/$APP_NAME/Frameworks"
+if [ -d "$FRAMEWORKS_DIR" ];
+then
+    if [ "$TEAM_IDENTIFIER" == "" ];
+    then
+        echo "ERROR: embedded frameworks detected, re-signing iOS 8 (or higher) applications wihout a team identifier in the certificate/profile does not work" >&2
+        exit 1;
+    fi
+    
+    echo "Resigning embedded frameworks using certificate: '$CERTIFICATE'" >&2
+    for framework in "$FRAMEWORKS_DIR"/*
+    do
+        if [[ "$framework" == *.framework ]]
+        then
+            /usr/bin/codesign -f -s "$CERTIFICATE" "$framework"
+            checkStatus
+        else
+            echo "Ignoring non-framework: $framework" >&2
+        fi
+    done
+fi
+
+
+# Resign the application
+if [ "$ENTITLEMENTS" != "" ];
+then
+    if [ -n "$APP_IDENTIFER_PREFIX" ];
+    then
+        # sanity check the 'application-identifier' is present in the provided entitlements and matches the provisioning profile value 
+        ENTITLEMENTS_APP_ID_PREFIX=`PlistBuddy -c "Print :application-identifier" "$ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n'` 
+        if [ "$ENTITLEMENTS_APP_ID_PREFIX" == "" ]; 
+        then
+            echo "Provided entitlements file is missing a value for the required 'application-identifier' key" >&2
+            exit 1;
+        elif [ "$ENTITLEMENTS_APP_ID_PREFIX" != "$APP_IDENTIFER_PREFIX" ]; 
+        then
+            echo "Provided entitlements file's app identifier prefix value '$ENTITLEMENTS_APP_ID_PREFIX' does not match the provided provisioning profile's value '$APP_IDENTIFER_PREFIX'" >&2
+            exit 1;
+        fi
+    fi
+
+    if [ -n "$TEAM_IDENTIFIER" ];
+    then
+        # sanity check the 'com.apple.developer.team-identifier' is present in the provided entitlements and matches the provisioning profile value
+        ENTITLEMENTS_TEAM_IDENTIFIER=`PlistBuddy -c "Print :com.apple.developer.team-identifier" "$ENTITLEMENTS" | tr -d '\n'` 
+        if [ "$ENTITLEMENTS_TEAM_IDENTIFIER" == "" ]; 
+        then
+            echo "Provided entitlements file is missing a value for the required 'com.apple.developer.team-identifier' key" >&2
+            exit 1;
+        elif [ "$ENTITLEMENTS_TEAM_IDENTIFIER" != "$TEAM_IDENTIFIER" ]; 
+        then
+            echo "Provided entitlements file's 'com.apple.developer.team-identifier' '$ENTITLEMENTS_TEAM_IDENTIFIER' does not match the provided provisioning profile's value '$TEAM_IDENTIFIER'" >&2
+            exit 1;
+        fi
+    fi
+
+    echo "Resigning application using certificate: '$CERTIFICATE'" >&2
+    echo "and entitlements: $ENTITLEMENTS" >&2
+    /usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$ENTITLEMENTS" "$TEMP_DIR/Payload/$APP_NAME"
+    checkStatus
+else
+    echo "Extracting existing entitlements for updating" >&2
+    /usr/bin/codesign -d --entitlements - "$TEMP_DIR/Payload/$APP_NAME" > "$TEMP_DIR/newEntitlements" 2> /dev/null
+    if [ $? -eq 0 ];
+    then
+        ENTITLEMENTS_TEMP=`cat "$TEMP_DIR/newEntitlements" | sed -E -e '1d'`
+        if [ -n "$ENTITLEMENTS_TEMP" ]; then
+            echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>$ENTITLEMENTS_TEMP" > "$TEMP_DIR/newEntitlements"
+            if [ -s "$TEMP_DIR/newEntitlements" ];
+            then
+                if [ "$TEAM_IDENTIFIER" != "" ];
+                then
+                    PlistBuddy -c "Set :com.apple.developer.team-identifier ${TEAM_IDENTIFIER}" "$TEMP_DIR/newEntitlements"
+                    checkStatus
+                fi
+                PlistBuddy -c "Set :application-identifier ${APP_IDENTIFER_PREFIX}.${BUNDLE_IDENTIFIER}" "$TEMP_DIR/newEntitlements"
+                checkStatus
+                PlistBuddy -c "Set :keychain-access-groups:0 ${APP_IDENTIFER_PREFIX}.${BUNDLE_IDENTIFIER}" "$TEMP_DIR/newEntitlements"
+#               checkStatus  -- if this fails it's likely because the keychain-access-groups key does not exist, so we have nothing to update
+                if [[ "$CERTIFICATE" == *Distribution* ]]; then
+                    echo "Assuming Distribution Identity"
+                    if [ "$ADJUST_BETA_REPORTS_ACTIVE_FLAG" == "1" ]; then
+                        echo "Ensuring beta-reports-active is present and enabled"
+                        # new beta key is only used for Distribution; might not exist yet, if we were building Development
+                        PlistBuddy -c "Add :beta-reports-active bool true" "$TEMP_DIR/newEntitlements"
+                        if [ $? -ne 0 ]; then
+                            PlistBuddy -c "Set :beta-reports-active YES" "$TEMP_DIR/newEntitlements"
+                        fi
+                        checkStatus
+                    fi
+                    echo "Setting get-task-allow entitlement to NO"
+                    PlistBuddy -c "Set :get-task-allow NO" "$TEMP_DIR/newEntitlements"
+                else
+                    echo "Assuming Development Identity"
+                    if [ "$ADJUST_BETA_REPORTS_ACTIVE_FLAG" == "1" ]; then
+                        # if we were building with Distribution profile, we have to delete the beta key
+                        echo "Ensuring beta-reports-active is not included"
+                        PlistBuddy -c "Delete :beta-reports-active" "$TEMP_DIR/newEntitlements"
+                        # do not check status here, just let it fail if entry does not exist
+                    fi
+                    echo "Setting get-task-allow entitlement to YES"
+                    PlistBuddy -c "Set :get-task-allow YES" "$TEMP_DIR/newEntitlements"
+                fi
+                checkStatus
+                plutil -lint "$TEMP_DIR/newEntitlements" > /dev/null
+                checkStatus
+                echo "Resigning application using certificate: '$CERTIFICATE'" >&2
+                echo "using existing entitlements updated with bundle identifier: '$APP_IDENTIFER_PREFIX.$BUNDLE_IDENTIFIER'" >&2
+                if [ "$TEAM_IDENTIFIER" != "" ];
+                then
+                    echo "and team identifier: '$TEAM_IDENTIFIER'" >&2
+                fi
+                /usr/bin/codesign -f -s "$CERTIFICATE" --entitlements="$TEMP_DIR/newEntitlements" "$TEMP_DIR/Payload/$APP_NAME"
+                checkStatus
+            else
+                echo "Failed to create required intermediate file" >&2
+                exit 1;
+            fi
+        else
+            echo "No entitlements found" >&2
+            echo "Resigning application using certificate: '$CERTIFICATE'" >&2
+            echo "without entitlements" >&2
+            /usr/bin/codesign -f -s "$CERTIFICATE" "$TEMP_DIR/Payload/$APP_NAME"
+            checkStatus
+        fi
+    else
+        echo "Failed to extract entitlements" >&2
+        echo "Resigning application using certificate: '$CERTIFICATE'" >&2
+        echo "without entitlements" >&2
+        /usr/bin/codesign -f -s "$CERTIFICATE" "$TEMP_DIR/Payload/$APP_NAME"
+        checkStatus
+    fi
+fi
+
+# Remove the temporary files if they were created before generating ipa
+rm -f "$TEMP_DIR/newEntitlements"
+rm -f "$TEMP_DIR/profile.plist"
+
+# Repackage quietly
+echo "Repackaging as $NEW_FILE" >&2
+
+# Zip up the contents of the "$TEMP_DIR" folder
+# Navigate to the temporary directory (sending the output to null)
+# Zip all the contents, saving the zip file in the above directory
+# Navigate back to the orignating directory (sending the output to null)
+pushd "$TEMP_DIR" > /dev/null
+zip -qr "../$TEMP_DIR.ipa" *
+popd > /dev/null
+
+# Move the resulting ipa to the target destination
+mv "$TEMP_DIR.ipa" "$NEW_FILE"
+
+# Remove the temp directory
+rm -rf "$TEMP_DIR"
+
+echo "Process complete" >&2

data/lib/sigh.rb

@@ -4,6 +4,7 @@ require 'sigh/helper'
 require 'sigh/dependency_checker'
 require 'sigh/developer_center'
 require 'sigh/update_checker'
+require 'sigh/resign'
 
 # Third Party code
 require 'colored'

data/lib/sigh/developer_center.rb

@@ -76,19 +76,15 @@ module Sigh
         result = visit PROFILES_URL
         raise "Could not open Developer Center" unless result['status'] == 'success'
 
-        if page.has_content?"Member Center"
-          # Already logged in
-          return true
-        end
+        # Already logged in
+        return true if page.has_content? "Member Center"
 
         (wait_for_elements(".button.blue").first.click rescue nil) # maybe already logged in
 
         (wait_for_elements('#accountpassword') rescue nil) # when the user is already logged in, this will raise an exception
 
-        if page.has_content?"Member Center"
-          # Already logged in
-          return true
-        end
+        # Already logged in
+        return true if page.has_content? "Member Center"
 
         fill_in "accountname", with: user
         fill_in "accountpassword", with: password
@@ -96,9 +92,8 @@ module Sigh
         all(".button.large.blue.signin-button").first.click
 
         begin
-          if page.has_content?"Select Team" # If the user is not on multiple teams
-            select_team
-          end
+          # If the user is not on multiple teams
+          select_team if page.has_content? "Select Team"
         rescue => ex
           Helper.log.debug ex
           raise DeveloperCenterLoginError.new("Error loggin in user #{user}. User is on multiple teams and we were unable to correctly retrieve them.")
@@ -198,37 +193,27 @@ module Sigh
         certs = post_ajax(@list_certs_url)
 
         Helper.log.info "Checking if profile is available. (#{certs['provisioningProfiles'].count} profiles found)"
+        required_cert_types = type == DEVELOPMENT ? ['iOS Development'] : ['iOS Distribution', 'iOS UniversalDistribution']
         certs['provisioningProfiles'].each do |current_cert|
-          if type == DEVELOPMENT
-            if current_cert['type'] != "iOS Development"
-              next
-            end
-          end
-
-          if type != DEVELOPMENT
-            if not ['iOS Distribution', 'iOS UniversalDistribution'].include?current_cert['type']
-              next
-            end
-          end
+          next unless required_cert_types.include?(current_cert['type'])
           
           details = profile_details(current_cert['provisioningProfileId'])
 
           if details['provisioningProfile']['appId']['identifier'] == app_identifier
-            if type == APPSTORE and details['provisioningProfile']['deviceCount'] > 0
-              next # that's an Ad Hoc profile. I didn't find a better way to detect if it's one ... skipping it
-            end
-            if type != APPSTORE and details['provisioningProfile']['deviceCount'] == 0
-              next # that's an App Store profile ... skipping it
-            end
+            # that's an Ad Hoc profile. I didn't find a better way to detect if it's one ... skipping it
+            next if type == APPSTORE && details['provisioningProfile']['deviceCount'] > 0
+
+            # that's an App Store profile ... skipping it
+            next if type != APPSTORE && details['provisioningProfile']['deviceCount'] == 0
 
             # We found the correct certificate
-            if force and type != DEVELOPMENT
+            if force && type != DEVELOPMENT
               provisioningProfileId = current_cert['provisioningProfileId']
               renew_profile(provisioningProfileId, type, cert_date) # This one needs to be forcefully renewed
               return maintain_app_certificate(app_identifier, type, false, cert_date) # recursive
             elsif current_cert['status'] == 'Active'
               return download_profile(details['provisioningProfile']['provisioningProfileId']) # this one is already finished. Just download it.
-            elsif ['Expired', 'Invalid'].include?current_cert['status']
+            elsif ['Expired', 'Invalid'].include? current_cert['status']
               renew_profile(current_cert['provisioningProfileId'], type, cert_date) # This one needs to be renewed
               return maintain_app_certificate(app_identifier, type, false, cert_date) # recursive
             end
@@ -250,7 +235,7 @@ module Sigh
 
     def create_profile(app_identifier, type, cert_date)
       Helper.log.info "Creating new profile for app '#{app_identifier}' for type '#{type}'.".yellow
-      certificate = code_signing_certificate(type, cert_date)
+      certificates = code_signing_certificates(type, cert_date)
 
       create_url = "https://developer.apple.com/account/ios/profile/profileCreate.action"
       visit create_url
@@ -265,7 +250,7 @@ module Sigh
         enterprise = true
       end
 
-      value = (enterprise ? 'inhouse' : 'store')
+      value = enterprise ? 'inhouse' : 'store'
       value = 'limited' if type == DEVELOPMENT
       value = 'adhoc' if type == ADHOC
 
@@ -273,7 +258,7 @@ module Sigh
       click_next
 
       # 2) Select the App ID
-      while not page.has_content?"Select App ID" do sleep 1 end
+      sleep 1 while !page.has_content? "Select App ID"
       # example: <option value="RGAWZGXSY4">ABP (5A997XSHK2.net.sunapps.34)</option>
       identifiers = all(:xpath, "//option[contains(text(), '.#{app_identifier})')]")
       if identifiers.count == 0
@@ -288,19 +273,32 @@ module Sigh
       click_next
 
       # 3) Select the certificate
-      while not page.has_content?"Select certificates" do sleep 1 end
+      sleep 1 while !page.has_content? "Select certificates"
       sleep 3
-      Helper.log.info "Using certificate ID '#{certificate['certificateId']}' from '#{certificate['ownerName']}'"
+      Helper.log.info "Using certificates: #{certificates.map { |c| "#{c['ownerName']} (#{c['certificateId']})" } }"
 
       # example: <input type="radio" name="certificateIds" class="validate" value="[XC5PH8D47H]"> (production)
-      id = certificate["certificateId"]
-      certs = all(:xpath, "//input[@type='radio' and @value='[#{id}]']") if type != DEVELOPMENT # production uses radio and has a [] around the value
-      certs = all(:xpath, "//input[@type='checkbox' and @value='#{id}']") if type == DEVELOPMENT # development uses a checkbox and has no [] around the value
-      if certs.count != 1
-        Helper.log.info "Looking for certificate: #{certificate}. Found: #{certs.count}"
+
+      clicked = false
+      certificates.each do |cert|
+        cert_id = cert['certificateId']
+        input = if type == DEVELOPMENT
+          # development uses a checkbox and has no [] around the value
+          first(:xpath, "//input[@type='checkbox' and @value='#{cert_id}']")
+        else
+          break if clicked
+          # production uses radio and has a [] around the value
+          first(:xpath, "//input[@type='radio' and @value='[#{cert_id}]']")
+        end
+        if input
+          input.click
+          clicked = true
+        end
+      end
+
+      if !clicked
         raise "Could not find certificate in the list of available certificates."
       end
-      certs.first.click
       click_next
 
       if type != APPSTORE
@@ -321,7 +319,7 @@ module Sigh
     end
 
     def renew_profile(profile_id, type, cert_date)
-      certificate = code_signing_certificate(type, cert_date)
+      certificate = code_signing_certificates(type, cert_date).first
 
       details_url = "https://developer.apple.com/account/ios/profile/profileEdit.action?type=&provisioningProfileId=#{profile_id}"
       Helper.log.info "Renewing provisioning profile '#{profile_id}' using URL '#{details_url}'"
@@ -367,9 +365,9 @@ module Sigh
         end
       end
 
-      # Returns a hash, that contains information about the iOS certificate
+      # Returns a array of hashs, that contains information about the iOS certificate
       # @example
-        # {"certRequestId"=>"B23Q2P396B",
+        # [{"certRequestId"=>"B23Q2P396B",
         # "name"=>"SunApps GmbH",
         # "statusString"=>"Issued",
         # "expirationDate"=>"2015-11-25T22:45:50Z",
@@ -385,10 +383,10 @@ module Sigh
         # "certificateTypeDisplayId"=>"...",
         # "serialNum"=>"....",
         # "typeString"=>"iOS Distribution"},
-      def code_signing_certificate(type, cert_date)
+        # {another sertificate...}]
+      def code_signing_certificates(type, cert_date)
         certs_url = "https://developer.apple.com/account/ios/certificate/certificateList.action?type="
-        certs_url << "distribution" if type != DEVELOPMENT
-        certs_url << "development" if type == DEVELOPMENT
+        certs_url << (type == DEVELOPMENT ? 'development' : 'distribution')
         visit certs_url
 
         certificateDataURL = wait_for_variable('certificateDataURL')
@@ -400,27 +398,44 @@ module Sigh
         # https://developer.apple.com/services-account/.../account/ios/certificate/listCertRequests.action?content-type=application/x-www-form-urlencoded&accept=application/json&requestId=...&userLocale=en_US&teamId=...&types=...&status=4&certificateStatus=0&type=distribution
 
         certs = post_ajax(url)['certRequests']
+
+        ret_certs = []
+        certificate_name = ENV['SIGH_CERTIFICATE']
+
+        # The other profiles are push profiles
+        certificate_type = type == DEVELOPMENT ? 'iOS Development' : 'iOS Distribution'
+        
+        # New profiles first
+        certs.sort! do |a, b|
+          Time.parse(b['expirationDate']) <=> Time.parse(a['expirationDate'])
+        end
+
         certs.each do |current_cert|
-          if type != DEVELOPMENT and current_cert['typeString'] == 'iOS Distribution' 
-            # The other profiles are push profiles
-            # We only care about the distribution profile
-            unless cert_date
-              return current_cert # mostly we only care about the 'certificateId'
-            else
-              if current_cert['expirationDateString'] == cert_date
-                Helper.log.info "Certificate ID '#{current_cert['certificateId']}' with expiry date '#{current_cert['expirationDateString']}' located"
-                return current_cert
-              end
+          next unless current_cert['typeString'] == certificate_type
+
+          if cert_date || certificate_name
+            if current_cert['expirationDateString'] == cert_date
+              Helper.log.info "Certificate ID '#{current_cert['certificateId']}' with expiry date '#{current_cert['expirationDateString']}' located"
+              ret_certs << current_cert
+            end
+            if current_cert['name'] == certificate_name
+              Helper.log.info "Certificate ID '#{current_cert['certificateId']}' with name '#{certificate_name}' located"
+              ret_certs << current_cert
             end
-          elsif type == DEVELOPMENT and current_cert['typeString'] == 'iOS Development'
-            return current_cert # mostly we only care about the 'certificateId'
+          else
+            ret_certs << current_cert
           end
         end
 
-        error_message_no_cert_with_date = "Could not find a Certificate with expiry date '#{cert_date}'. Please open #{current_url} and make sure you have a signing profile created.".red
-        error_message_no_cert = "Could not find a Certificate. Please open #{current_url} and make sure you have a signing profile created.".red
+        return ret_certs unless ret_certs.empty?
+
+        predicates = []
+        predicates << "name: #{certificate_name}" if certificate_name
+        predicates << "expiry date: #{cert_date}" if cert_date
+
+        predicates_str = " with #{predicates.join(' or ')}"
 
-        raise cert_date ? error_message_no_cert_with_date : error_message_no_cert
+        raise "Could not find a Certificate#{predicates_str}. Please open #{current_url} and make sure you have a signing profile created.".red
       end
 
       # Download a file from the dev center, by using a HTTP client. This will return the content of the file
@@ -464,7 +479,7 @@ module Sigh
       def wait_for(method, parameter, success)
         counter = 0
         result = method.call(parameter)
-        while !success.call(result)     
+        while !success.call(result)
           sleep 0.2
 
           result = method.call(parameter)

data/lib/sigh/helper.rb

@@ -45,5 +45,14 @@ module Sigh
       return "" if self.is_test? and not OS.mac?
       `xcode-select -p`.gsub("\n", '') + "/"
     end
+
+    # Path to the installed gem to load resources (e.g. resign.sh)
+    def self.gem_path
+      if not Helper.is_test? and Gem::Specification::find_all_by_name('sigh').any?
+        return Gem::Specification.find_by_name('sigh').gem_dir
+      else
+        return './'
+      end
+    end
   end
 end

data/lib/sigh/resign.rb

@@ -0,0 +1,59 @@
+module Sigh
+  # Resigns an existing ipa file
+  class Resign
+    def run(options)
+      get_inputs(options)
+
+      command = [
+        @resign_path,
+        "'#{@ipa}'",
+        "'#{@signing_identity}'",
+        "-p '#{@provisioning_profile}'",
+        "'#{@ipa}'"
+      ].join(' ')
+
+      puts command.magenta
+      puts `#{command}`
+    end
+
+    def get_inputs(options)
+      @resign_path = File.join(Helper.gem_path, 'lib', 'assets', 'resign.sh')
+      raise "Could not find resign.sh file. Please try re-installing the gem.".red unless File.exists?@resign_path
+
+      @ipa = options.ipa || find_ipa || ask("Path to ipa file: ")
+      @signing_identity = options.signing_identity || ask_for_signing_identity
+      validate_signing_identity
+      @provisioning_profile = options.provisioning_profile || find_provisioning_profile || ask("Path to provisioning file: ")
+    end
+
+    def find_ipa
+      Dir[File.join(Dir.pwd, "*.ipa")].sort { |a,b| File.mtime(a) <=> File.mtime(b) }.first
+    end
+
+    def find_provisioning_profile
+      Dir[File.join(Dir.pwd, "*.mobileprovision")].sort { |a,b| File.mtime(a) <=> File.mtime(b) }.first
+    end
+
+    def validate_signing_identity
+      while not installed_identies.include?@signing_identity
+        Helper.log.error "Couldn't find signing identity '#{@signing_identity}'. Available identities: \n\t#{installed_identies.join("\n\t")}\n"
+        @signing_identity = ask_for_signing_identity
+      end
+    end
+
+    def ask_for_signing_identity
+      ask("Signing Identity (e.g. 'iPhone Distribution: SunApps GmbH (5A997XAHK2)'): ")
+    end
+
+    # Array of available signing identities
+    def installed_identies
+      available = `security find-identity -v -p codesigning`
+      ids = []
+      available.split("\n").each do |current|
+        (ids << current.match(/.*\"(.*)\"/)[1]) rescue nil # the last line does not match
+      end
+
+      return ids
+    end
+  end
+end

data/lib/sigh/version.rb

@@ -1,3 +1,3 @@
 module Sigh
-  VERSION = "0.2.4"
+  VERSION = "0.3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sigh
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Felix Krause
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-05 00:00:00.000000000 Z
+date: 2015-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.3.0
 - !ruby/object:Gem::Dependency
   name: credentials_manager
   requirement: !ruby/object:Gem::Requirement
@@ -232,10 +232,12 @@ files:
 - LICENSE
 - README.md
 - bin/sigh
+- lib/assets/resign.sh
 - lib/sigh.rb
 - lib/sigh/dependency_checker.rb
 - lib/sigh/developer_center.rb
 - lib/sigh/helper.rb
+- lib/sigh/resign.rb
 - lib/sigh/update_checker.rb
 - lib/sigh/version.rb
 homepage: http://fastlane.tools