Participating Frequently

Answered

AIR 31 iOS Enterprise App distribution broken?

Forum|Forum|7 years ago
September 26, 2018
1 reply
1355 views

Up until AIR 30 and AIR 31, I would package iOS apps for Enterprise distribution with -target ipa-app-store. I build everything via ANT on the commandline.

In the Apple Enterprise Developer portal, we have a distribution certificate and a distribution provision profile. This is not ad-hoc distribution but instead for distribution across the enterprise. For many years now, this mechanism has worked.

Now, I'm rebuilding the app for another release. The certificate expires in August 2019. The provision file expires in September 2019. It builds fine and I deploy to our internal website for deployment. When I download, it downloads fine onto the phone but it doesn't finish installing saying it can't. The exact error message is misleading in that it says the app can't be downloaded. When I've seen this before it was an issue with the provision profile or certificate or some new internal check that apple was doing.

Has building an enterprise app for distribution changed? Is the new beta-reports-active key for ipa-app-store package involved? Release notes talk about App store distribution but maybe with it being included, it is affecting Enterprise apps because they don't go through the App store?

I regenerated the provision profile with no success.

Ideas? Not ready to declare this an AIR bug until I explored more avenues. Thanks in advance?

Randy

This topic has been closed for replies.

Correct answer Amrita Gangwani

Hi,

Thank you for reporting the issue!

Please try and upload the application after re-signing it. Do ensure that you remove the beta-reports-active tag from the Entitlements.plist used to re-sign the application.

Here are the steps to re-sign the application:

Create a new entitlements.plist for your application. Below is a sample entitlements.plist file

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.developer.ubiquity-kvstore-identifier</key>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

<key>keychain-access-groups</key>

<array>

<string>$(AppIdentifierPrefix)com.example.apple.sample</string>

</array>

<key>com.apple.developer.ubiquity-container-identifiers</key>

<array>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

</array>

</dict>

</plist>

Run the following commands on Mac OSX terminal

IPA="/path/to/file.ipa" PROVISION="/path/to/file.mobileprovision" CERTIFICATE="Name of certificate: To sign with" # must be in keychain # unzip the ipa unzip -q "$IPA" # remove the signature rm -rf Payload/*.app/_CodeSignature # replace the provision cp "$PROVISION" Payload/*.app/embedded.mobileprovision # sign with the new certificate and entitlements

/usr/bin/codesign --entitlements entitlements.plist -f -s "$CERTIFICATE" Payload/*.app # zip it back up zip -qr resigned.ipa Payload

Thanks!

Amrita GangwaniCorrect answer

Adobe Employee

Hi,

Thank you for reporting the issue!

Please try and upload the application after re-signing it. Do ensure that you remove the beta-reports-active tag from the Entitlements.plist used to re-sign the application.

Here are the steps to re-sign the application:

Create a new entitlements.plist for your application. Below is a sample entitlements.plist file

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.developer.ubiquity-kvstore-identifier</key>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

<key>keychain-access-groups</key>

<array>

<string>$(AppIdentifierPrefix)com.example.apple.sample</string>

</array>

<key>com.apple.developer.ubiquity-container-identifiers</key>

<array>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

</array>

</dict>

</plist>

Run the following commands on Mac OSX terminal

IPA="/path/to/file.ipa" PROVISION="/path/to/file.mobileprovision" CERTIFICATE="Name of certificate: To sign with" # must be in keychain # unzip the ipa unzip -q "$IPA" # remove the signature rm -rf Payload/*.app/_CodeSignature # replace the provision cp "$PROVISION" Payload/*.app/embedded.mobileprovision # sign with the new certificate and entitlements

/usr/bin/codesign --entitlements entitlements.plist -f -s "$CERTIFICATE" Payload/*.app # zip it back up zip -qr resigned.ipa Payload

Thanks!

E

eckhoff_randyAuthor

Participating Frequently

Thanks Amrita! A few questions before I give this a try:

Is there a way to extract the existing entitlements.plist from the .ipa? I unzipped it and looked around but didn't see it. I've not had to deal with the entitlements.plist directly before so it would be nice to see one that is pertinent to the application I just created.
If this works, are there plans to add a new target to ADT to package the app for enterprise app distribution so that this key isn't added?
To date, other than ANEs and certificates, I've done all my development on a Windows machine using IntelliJ IDEA and ANT for all my official builds. Is there a way to do your steps on a windows machine? If this works and ADT doesn't add a new target any time soon, I would love to automate this step.

Randy

Amrita Gangwani

Adobe Employee

Answers to the queries inline:

1. Is there a way to extract the existing entitlements.plist from the .ipa? I unzipped it and looked around but didn't see it. I've not had to deal with the entitlements.plist directly before so it would be nice to see one that is pertinent to the application I just created.

The Entitlements.plist is not available directly inside the package, it is packaged inside the binary. So, it can't be read directly, however, you might try the tools such as grep to get the contents.

2. If this works, are there plans to add a new target to ADT to package the app for enterprise app distribution so that this key isn't added?

We are looking into the issue and would be providing a solution around it.

3. To date, other than ANEs and certificates, I've done all my development on a Windows machine using IntelliJ IDEA and ANT for all my official builds. Is there a way to do your steps on a windows machine? If this works and ADT doesn't add a new target any time soon, I would love to automate this step.

Since codesigning tools are not available on Windows, this could be done on Mac OSX for now.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded