How to tell what profile/signing certificate was used to sign .ipa?

Question

I have a bunch of .ipa files and I\'ve used a script to resign them.

So how can check the provisioning profile/signing certificate to conform they are using the corr

Answer 1

I ended up using a mixture of Bobjt and HaemEternal solutions proposals.

1. Find archive.
2. Show package content.
3. Copy .app file out
4. Show package content of the .app file.
5. Copy embedded.mobileprovision file out.
6. Run "security cms -D -i (path_to_your_provisioning_profile)"
7. Find the UUID number from the outcome of the of call in step 6.
8. Open Iphone Configuration Utility and look at the profiles to find the one that has the same UUID number.

Answer 2

If you are trying to determine if a specific certificate was used to sign an .ipa, you can do the following:

If you are comfortable with python, you can use this script that I created to compare the certificate(s) embedded in the .ipa to one that you have.

https://gist.github.com/ronsims2/1b7a8b9e15898f9406788988106b2f78

python ipa_cert_checker.py /Users/janedoe/Dcouments/Foobar.ipa /Users/janedoe/Dcouments/barfoo.cer

Alternatively, you can do what the script does manually from the command line of your Mac.

1. Unzip the IPA archive. It will produce a folder called "Payload".

   unzip Foobar.ipa

2. Read the embedded provisioning information. Note the package/folder inside of the Payload directory is named the same as the .ipa except with the .app extension.

   security cms -Di Payload/Foobar.app/embedded.mobileprovision

In the output of the above command, the certificate(s) are embedded in the array data elements associated with the key "DeveloperCertificates" as a base64 string. 3. Copy the certificate(s) (do not include the xml tags and make sure there is no extra whitespace) and save them to a convenient location as text. In this example I will call it "cert_from_foobar.txt"

4. Base64 encode the known certificate and save the output to a file.

   base64 barfoo.cer > barfoo.txt

5. Compare the known certificate to the embedded one(s) you saved. cmp cert_from_foobar.txt barfoo.txt || echo 'These files are NOT the same.'

If they are the same you will not see any message.

Answer 3

I've been able to successfully test using the following process.

1. Install original .ipa onto device.
2. Go to Settings->General->Profiles (see old provisioning profile)
3. Delete app and old profile from device
4. Resign app.
5. Install re-signed app on device
6. Go to Settings->General->Profiles (see new provisioning profile)

This seems to be a bullet-proof way to confirm the provisioning profile was updated and since the profile only has the 1 signing certificate in it... then we must be signed with the new cert.

(but I still want to find a better way)

Answer 4

Provisioning Profiles have a UUID that can be seen using the Terminal command:

security cms -D -i (path_to_your_provisioning_profile)

See the UUID section of the command output like:

<key>UUID</key> <string>A008C022-7B82-4E40-8B37-172763E1E3CC</string>

Xcode inserts the provisioning profile used to sign the application within the .app bundle. To find it, rename your .ipa to .zip, uncompress it with Finder, find the .app file in /Payload. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.

Dump its entitlements using the above command and compare that with the UUID found within your profiles in your Xcode Organizer > Devices tab > Provisioning Profile section under "Library". You can use "Show in Finder" on those to reveal their location on disk.

Answer 5

Based on Bobjt's answer, I used IPCU to get the details of the profile:

1. Rename your .ipa to .zip
2. Uncompress it with Finder
3. Find the .app file in /Payload.

4. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.

5. Drag the mobileprovisioning file into iPhone Configuration Utility

IPCU shows the Name/Expiration Date etc of the profile.

Answer 6

Late to the party....

But this tool saves me some time: nomad/shenzhen

$ ipa info /path/to/app.ipa

+-----------------------------+----------------------------------------------------------+
| ApplicationIdentifierPrefix | DJ73OPSO53                                               |
| CreationDate                | 2014-03-26T02:53:00+00:00                                |
| Entitlements                | application-identifier: DJ73OPSO53.com.nomad.shenzhen    |
|                             | aps-environment: production                              |
|                             | get-task-allow: false                                    |
|                             | keychain-access-groups: ["DJ73OPSO53.*"]                 |
| CreationDate                | 2017-03-26T02:53:00+00:00                                |
| Name                        | Shenzhen                                                 |
| TeamIdentifier              | S6ZYP4L6TY                                               |
| TimeToLive                  | 172                                                      |
| UUID                        | P7602NR3-4D34-441N-B6C9-R79395PN1OO3                     |
| Version                     | 1                                                        |
+-----------------------------+----------------------------------------------------------+

2020: Update from the maintainer

https://github.com/nomad/shenzhen/blob/master/README.md

Note: shenzhen uses the Xcode 6 build API, which has been deprecated for almost 3 years now. This causes problems if your app makes use of Swift 3, watchOS and other app targets.

A maintained alternative to build your iOS apps is gym which uses the latest Xcode API. To distribute builds, you can use fastlane. More information on how to get started is available on the iOS Beta deployment guide.