AIR 31 iOS Enterprise App distribution broken?

Report · Sep 26, 2018

Up until AIR 30 and AIR 31, I would package iOS apps for Enterprise distribution with -target ipa-app-store. I build everything via ANT on the commandline.

In the Apple Enterprise Developer portal, we have a distribution certificate and a distribution provision profile. This is not ad-hoc distribution but instead for distribution across the enterprise. For many years now, this mechanism has worked.

Now, I'm rebuilding the app for another release. The certificate expires in August 2019. The provision file expires in September 2019. It builds fine and I deploy to our internal website for deployment. When I download, it downloads fine onto the phone but it doesn't finish installing saying it can't. The exact error message is misleading in that it says the app can't be downloaded. When I've seen this before it was an issue with the provision profile or certificate or some new internal check that apple was doing.

Has building an enterprise app for distribution changed? Is the new beta-reports-active key for ipa-app-store package involved? Release notes talk about App store distribution but maybe with it being included, it is affecting Enterprise apps because they don't go through the App store?

I regenerated the provision profile with no success.

Ideas? Not ready to declare this an AIR bug until I explored more avenues. Thanks in advance?

Randy

Report · Sep 27, 2018

Hi,

Thank you for reporting the issue!

Please try and upload the application after re-signing it. Do ensure that you remove the beta-reports-active tag from the Entitlements.plist used to re-sign the application.

Here are the steps to re-sign the application:

Create a new entitlements.plist for your application. Below is a sample entitlements.plist file

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.developer.ubiquity-kvstore-identifier</key>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

<key>keychain-access-groups</key>

<array>

<string>$(AppIdentifierPrefix)com.example.apple.sample</string>

</array>

<key>com.apple.developer.ubiquity-container-identifiers</key>

<array>

<string>$(TeamIdentifierPrefix)com.example.apple.sample</string>

</array>

</dict>

</plist>

Run the following commands on Mac OSX terminal

IPA="/path/to/file.ipa" PROVISION="/path/to/file.mobileprovision" CERTIFICATE="Name of certificate: To sign with" # must be in keychain # unzip the ipa unzip -q "$IPA" # remove the signature rm -rf Payload/*.app/_CodeSignature # replace the provision cp "$PROVISION" Payload/*.app/embedded.mobileprovision # sign with the new certificate and entitlements

/usr/bin/codesign --entitlements entitlements.plist -f -s "$CERTIFICATE" Payload/*.app # zip it back up zip -qr resigned.ipa Payload

Thanks!

Report · Sep 27, 2018

Thanks Amrita! A few questions before I give this a try:

Is there a way to extract the existing entitlements.plist from the .ipa? I unzipped it and looked around but didn't see it. I've not had to deal with the entitlements.plist directly before so it would be nice to see one that is pertinent to the application I just created.
If this works, are there plans to add a new target to ADT to package the app for enterprise app distribution so that this key isn't added?
To date, other than ANEs and certificates, I've done all my development on a Windows machine using IntelliJ IDEA and ANT for all my official builds. Is there a way to do your steps on a windows machine? If this works and ADT doesn't add a new target any time soon, I would love to automate this step.

Randy

Report · Sep 27, 2018

Answers to the queries inline:

1. Is there a way to extract the existing entitlements.plist from the .ipa? I unzipped it and looked around but didn't see it. I've not had to deal with the entitlements.plist directly before so it would be nice to see one that is pertinent to the application I just created.

The Entitlements.plist is not available directly inside the package, it is packaged inside the binary. So, it can't be read directly, however, you might try the tools such as grep to get the contents.

2. If this works, are there plans to add a new target to ADT to package the app for enterprise app distribution so that this key isn't added?

We are looking into the issue and would be providing a solution around it.

3. To date, other than ANEs and certificates, I've done all my development on a Windows machine using IntelliJ IDEA and ANT for all my official builds. Is there a way to do your steps on a windows machine? If this works and ADT doesn't add a new target any time soon, I would love to automate this step.

Since codesigning tools are not available on Windows, this could be done on Mac OSX for now.

Report · Sep 28, 2018

fyi for others.... I found the below command to extract the entitlements.plist. I could not confirm if this was the full entitlements.plist but after running it, I edited it to remove the beta-report-active key and followed the above instructions to repackage the ipa. Hopefully others will find this helpful or confirm if there is a better way. It worked so it's hard to argue against that 🙂

I put this in a script:

IPA="$1"

unzip -q $IPA.ipa

codesign -d --entitlements :- Payload/$IPA.app > entitlements.plist

Randy

Report · Sep 27, 2018

Following Amrita's steps seemed to do the trick. beta-reports-active key seems to break enterprise app distribution.

Can ADT be updated to have a new target for ios that doesn't automatically add that key? performing the steps above can prove tedious when doing it a lot. Or some other mechanism that ADT autodetects at package time so the key is not automatically added.

Who out there is doing enterprise app distribution other than me?

Randy

Report · Sep 27, 2018

Hi,

Thank you for trying the workaround and confirming!

We are looking into the issue and would keep you posted.

AIR 31 iOS Enterprise App distribution broken?

1 Correct answer