Practical Guide to iOS App Re‑signing Using xcodebuild

1. Introduction iOS developers are familiar with re‑signing techniques and many scripts exist, but different certificates and bundle requirements make a single tool insufficient. The author’s team observed installation failures and permission issues when using generic scripts, while packages exported via Xcode Organizer were stable.

To improve success rate, they switched to the xcodebuild command with the -exportArchive option, which significantly increased re‑signing reliability and package stability.

2. iOS Signing Mechanism The process involves generating a developer key pair (M), obtaining a certificate signed by Apple’s private key (K), embedding a provisioning profile (mobileprovision) in the IPA, and signing the bundle with the developer private key. Installation on a device performs two verifications: Apple’s public key K validates the certificate, then the developer’s public key M validates the IPA content.

3. Re‑signing Script Overview The script is divided into five main steps, with key commands highlighted below:

#!/bin/sh
set -e
# 1. Unzip the IPA, remove unnecessary files, optionally modify Info.plist and resources
unzip "ipa_path" -d "dest_path"
find -d "dest_path" -name .DS_Store -o -name __MACOSX | xargs rm -rf

# 2. Re‑sign required components
find -d "bundle_path" \
  -name "*.app" -o \
  -name "*.appex" -o \
  -name "*.framework" -o \
  -name "*.dylib" | xargs -I {} /usr/bin/codesign --continue -f -s "Certificate Name" {}

# 3. Extract Bundle IDs from appex files
find -d "bundle_path" -name "*.appex" | xargs -I {} /usr/libexec/PlistBuddy -c "Print :'CFBundleIdentifier'" {}/Info.plist

# 4. Prepare xcarchive template (copy .app, modify Info.plist and ExportOptions.plist)
# 5. Export the IPA
xcodebuild -exportArchive \
  -archivePath "xcarchive_path" \
  -exportOptionsPlist "ExportOptions.plist" \
  -exportPath "output_path"

4. Detailed Steps

Unzip and modify the IPA : Remove system files (.DS_Store, __MACOSX), edit Info.plist (Bundle ID, version, app name), and replace icons if needed.

codesign re‑signing : Unlike many scripts, this approach does not require manually copying mobileprovision to embedded.mobileprovision or providing an --entitlements argument because xcodebuild -exportArchive handles those automatically.

Read appex Bundle IDs : Appex files are app extensions (e.g., VPN, notifications) that have their own certificates and provisioning profiles; their Bundle IDs must be collected for signing.

Modify xcarchive contents : An xcarchive contains BCSymbolMaps, dSYMs, Info.plist, Products (the .app), SCMBlueprint, and SwiftSupport. The script updates the Info.plist and replaces the app in Products/Applications with the target app.

Export the IPA : After adjusting the xcarchive and ExportOptions.plist (which specifies bundle identifier, signing certificate, provisioning profile, etc.), the final command xcodebuild -exportArchive produces a re‑signed IPA ready for installation.

5. Conclusion While many open‑source re‑signing scripts exist, using Xcode’s native xcodebuild -exportArchive workflow yields the highest success rate and stability, matching the reliability of standard Xcode builds. The author also provides a ready‑to‑use Mac tool (Easy‑Signer) based on this logic.