Resign MacOS App

Hi,

I want to resign my app with a different certificate. Is it possible to keep the entitlements (including com.apple.application-identifier)? I want to resign the whole app including the plugins and frameworks, but I saw --deep was considered harmful.

Sorry, I'm a bit confused. Any help would be appreciated.

Answered by DTS Engineer in 791988022

It is possible to manually re-sign an app. The basic process is the same as signing the app in the first place. If you want to do this manually, see:

Is it possible to keep the entitlements … ?

That depends on whether:

  • The entitlement is restricted or not — An unrestricted entitlement doesn’t need to be authorised by a provisioning profile, and that means there are no constraints on your re-signing code that claims it. A restricted entitlement must be authorised by a profile, which complicates things. See TN3125 Inside Code Signing: Provisioning Profiles for more background on this.

  • If the entitlement is restricted, whether your signing identity’s certificate is included in the original provisioning profile — In that case, you don’t need to create a new profile.

  • Otherwise, whether you can create a new profile to authorise your claim to that entitlement — Here you’ll need to create a new profile and embed it in your app before re-signing.

including com.apple.application-identifier

That entitlement is restricted. It’s also tied to your team, so re-signing is only possible if your signing identity’s certificate was issued by the same team as the original app.

I want to resign the whole app including the plugins and frameworks

Keep in mind that entitlements are only relevant to executables. You shouldn’t sign frameworks and traditional [1] plug-ins with entitlements. Doing so won’t do anything useful and can cause problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] By this I mean a plug-in whose code is a bundle or dynamic library. New style plug-ins, app extensions and system extensions, have code that’s an executable and thus can claim entitlements.

Thanks for your reply! I first resigned all my code with --deep, and then my executable with the entitlements. Now my app can't open. The console shows: Disallowing com.myapp because no eligible provisioning profiles found.

I first resigned all my code with --deep, and then my executable with the entitlements.

Don’t use --deep. Even if you ignore the entitlement issue, it has other issues [1].

Rather, sign each code item separately, from the inside out. Creating distribution-signed code for macOS has specific advice on this topic.

The console shows …

As I mentioned above, you may need to install new provisioning profiles, depending on your entitlement use and the relationship between your new code-signing identity and the previous code-signing identity.

If you do need new profiles, install them before you start signing (because changing a profile afterwards will break the seal on the code signature).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Specifically, it has its own views of how a bundle should be structured, and those don’t necessarily align with the documented rules in Placing Content in a Bundle.
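
The two pieces of advice above (sign each code item separately, inside out, never with --deep; put entitlements only on executables) as a worked script. This is an added example, not code from the thread or from Apple. It assumes a few things of its own: the new identity is already in the keychain, any provisioning profiles needed for restricted entitlements were embedded before the script runs (the script does not create or embed profiles), each executable's entitlements file lives in a directory `ENT_DIR` as `<Name>.entitlements` (for example `entitlements/MyApp.entitlements` for `MyApp.app`, `entitlements/Share.entitlements` for `Share.appex`), and the identity string on the usage line is a placeholder. `CODESIGN` can be overridden (for example `CODESIGN=echo`) to print the plan without signing anything.

```shell
#!/bin/sh
# Added example, not code from this thread or from Apple: re-sign a macOS app
# bundle with a new identity one code item at a time, inside out, without
# --deep. Entitlements go only on executables; frameworks, dylibs and loadable
# bundles are signed without any. Assumptions (mine, not the thread's): the
# new identity is already in the keychain, any provisioning profiles needed
# for restricted entitlements were embedded before this runs, and each
# executable's entitlements file is $ENT_DIR/<Name>.entitlements (for example
# entitlements/MyApp.entitlements for MyApp.app, entitlements/Share.entitlements
# for Share.appex). Items with no such file are signed without entitlements.
set -eu

CODESIGN=${CODESIGN:-codesign}   # overridable (e.g. CODESIGN=echo) for a dry run
ENT_DIR=${ENT_DIR:-./entitlements}

# Nested code items, deepest path first. Sorting by depth is what makes the
# pass "inside out": an XPC service inside a framework is listed before that
# framework, and the framework before the app that embeds it.
nested_code() {
    find "$1" -mindepth 1 \( -name '*.framework' -o -name '*.dylib' \
        -o -name '*.bundle' -o -name '*.plugin' -o -name '*.appex' \
        -o -name '*.xpc' -o -name '*.systemextension' -o -name '*.app' \) |
        awk -F/ '{ printf "%d\t%s\n", NF, $0 }' | sort -rn | cut -f2-
}

# Bare helper executables that are not the main executable (Contents/MacOS,
# Contents/Helpers, Contents/Library/LaunchServices). They are signed before
# the app bundle; signing the bundle signs the main executable itself.
helper_tools() {
    app=$1; main=$2
    for d in MacOS Helpers Library/LaunchServices; do
        [ -d "$app/Contents/$d" ] || continue
        find "$app/Contents/$d" -maxdepth 1 -type f -perm -100 ! -name "$main"
    done
}

# Print the entitlements file for an item, or fail if the item is a framework,
# dylib or loadable bundle (they never carry entitlements) or has no file.
entitlements_for() {
    case $1 in
        *.framework|*.dylib|*.bundle|*.plugin) return 1 ;;
    esac
    name=$(basename "$1"); name=${name%.*}
    [ -f "$ENT_DIR/$name.entitlements" ] && printf '%s\n' "$ENT_DIR/$name.entitlements"
}

# Signing plan: one "<item><TAB><entitlements file or ->" line per code item,
# in signing order, with the app bundle itself last.
resign_plan() {
    app=$1
    main=$(defaults read "$app/Contents/Info" CFBundleExecutable 2>/dev/null ||
        basename "$app" .app)   # `defaults` exists only on macOS; fall back to the bundle name
    { nested_code "$app"; helper_tools "$app" "$main"; printf '%s\n' "$app"; } |
        while IFS= read -r item; do
            if ent=$(entitlements_for "$item"); then
                printf '%s\t%s\n' "$item" "$ent"
            else
                printf '%s\t-\n' "$item"
            fi
        done
}

# Sign each item in plan order, then verify. --deep is the right thing for
# *verification*; the advice in the thread is about not *signing* with it.
resign_app() {
    app=$1; identity=$2
    resign_plan "$app" | while IFS="$(printf '\t')" read -r item ent; do
        if [ "$ent" = - ]; then
            "$CODESIGN" --force --timestamp --options runtime \
                --sign "$identity" "$item"
        else
            "$CODESIGN" --force --timestamp --options runtime \
                --entitlements "$ent" --sign "$identity" "$item"
        fi
    done
    "$CODESIGN" --verify --deep --strict --verbose=2 "$app"
    "$CODESIGN" -d --entitlements - "$app"   # confirm the claimed entitlements survived
}

# Usage: ./resign.sh MyApp.app "Developer ID Application: Example Corp (ABCDE12345)"
# (placeholder identity; list real ones with: security find-identity -v -p codesigning)
if [ $# -eq 2 ]; then
    resign_app "$1" "$2"
fi
```

Run it only after any new provisioning profiles are in place, since the answer above notes that swapping a profile afterwards breaks the seal. The final `codesign -d --entitlements -` line is the check that the main executable still claims what you intended; if a restricted entitlement such as com.apple.application-identifier is present but the embedded profile does not authorise it for the new certificate, the app will still be refused at launch, which is the "no eligible provisioning profiles found" symptom from the follow-up question.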

Thanks, I'll try that.
