Hi,
I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.
Sorry, I'm a bit confused. Any help would be appreciated.
It is possible to manually re-sign an app. The basic process is the same as signing the app in the first place. If you want to do this manually, see:
That depends on whether:
- The entitlement is restricted or not — An unrestricted entitlement doesn’t need to be authorised by a provisioning profile, and that means there are no constraints on your re-signing code that claims it. A restricted entitlement must be authorised by a profile, which complicates things. See TN3125 Inside Code Signing: Provisioning Profiles for more background on this.
- If the entitlement is restricted, if your signing identity’s certificate is included in the original provisioning profile — In that case, you don’t need to create a new profile.
- Otherwise, if you can create a new profile to authorise your claim to that entitlement — Here you’ll need to create a new profile and embed it in your app before re-signing.
That entitlement is restricted. It’s also tied to your team, so re-signing is only possible if your signing identity’s certificate was issued by the same team as the original app.
Keep in mind that entitlements are only relevant to executables. You shouldn’t sign frameworks and traditional [1] plug-ins with entitlements. Doing so won’t do anything useful and can cause problems.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] By this I mean a plug-in whose code is a bundle or dynamic library. New style plug-ins, app extensions and system extensions, have code that’s an executable and thus can claim entitlements.
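
The decision described in the reply above, as an added example that is not part of the original thread or Apple's own code: it checks a decoded provisioning profile to tell whether the existing profile can be reused when re-signing with a given certificate. It assumes the profile payload has already been decoded to a plist (for example with `security cms -D -i`), and that the caller supplies the signing certificate's DER bytes and Team ID; the function names and sample values are hypothetical.

```python
import hashlib
import plistlib

APP_ID_KEY = "com.apple.application-identifier"

def cert_in_profile(profile, cert_der):
    """True if the DER-encoded signing certificate is listed in the profile."""
    want = hashlib.sha256(cert_der).digest()
    certs = profile.get("DeveloperCertificates", [])
    return any(hashlib.sha256(c).digest() == want for c in certs)

def claim_authorised(profile, claimed_app_id):
    """True if the profile's allowlist covers the claimed application identifier."""
    allowed = profile.get("Entitlements", {}).get(APP_ID_KEY, "")
    if allowed.endswith("*"):  # wildcard App ID such as TEAM.*
        return claimed_app_id.startswith(allowed[:-1])
    return allowed == claimed_app_id

def resign_plan(profile_plist, cert_der, cert_team, claimed_app_id):
    """Return 'different-team', 'reuse-profile' or 'new-profile'."""
    profile = plistlib.loads(profile_plist)
    # The identifier is prefixed with the Team ID of the original app, so a
    # certificate from another team cannot keep the claim as it stands.
    if claimed_app_id.split(".", 1)[0] != cert_team:
        return "different-team"
    if cert_in_profile(profile, cert_der) and claim_authorised(profile, claimed_app_id):
        return "reuse-profile"
    # Same team, but this certificate or claim is not covered by the profile.
    return "new-profile"

# Constructed sample data (not real certificates or a real Team ID).
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"
CLAIM = "TEAMID1234.com.example.app"
SAMPLE_PROFILE = plistlib.dumps({
    "TeamIdentifier": ["TEAMID1234"],
    "DeveloperCertificates": [CERT_A],
    "Entitlements": {APP_ID_KEY: CLAIM},
})

if __name__ == "__main__":
    cases = ((CERT_A, "TEAMID1234"), (CERT_B, "TEAMID1234"), (CERT_B, "OTHERTEAM1"))
    for cert, team in cases:
        print(team, resign_plan(SAMPLE_PROFILE, cert, team, CLAIM))
```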