danielpaulus / app-signer Goto Github PK

Hello daniel !

I was trying to use the app-signer out of curiosity, just to check how it works as it seems to be a really nice alternative to other toolings.

While trying it with a test ipa, i always met this error during the .txt signing test phase: error="exit status 1" output="Warning: unable to build chain to self-signed root for signer \"iPhone Developer: ################## (############)\"\n/var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/sign/test.txt: errSecInternalComponent\n"

For troubleshooting i tried to:

• check the permission of the .txt file
• check the permission of the temporary keychain created
• run the command as sudo
• run the signing command independently by keeping a copy of the final keychain generated
• check the content of the temporary keychain itself within the keychain access.app (seems to be always empty without any certificate inside. Not sure if it's expected)
• changed the code so that it builds and created a signing workspace outside /var
• Used it on two different mac machine running macOS 12.1, one with a M1 cpu, the other an intel one

None of the solutions worked so far so i'm probably sure i must have missed something along the way :(

Searching this error on the web, it mostly comes up when users are codesigning with the Default Keychain (login) which is password protected. It seems weird that it comes up here as we are using our own keychain.

Here is the stacktrace for reference:

INFO[0000] starting iOS appsigner                        args="[./app-signer --udid=<device_id> --p12password=<pwd> --profilespath=<path_to_folder_with_provisioning_file+p12> --ipa=<path_to_ipa> --output=<output_folder>]"
INFO[0000] cleaning workdir
INFO[0000] parsing profile '<path_to_folder_with_provisioning_file+p12>/########.mobileprovision'
INFO[0000] found 1 profiles
INFO[0000] extracting files for profile: ########
INFO[0000] extracting entitlements to: '/var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/########-entitlements.plist'
INFO[0000] extracting signing certificate ############################# to: '/var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/########-signingcert.p12'
INFO[0000] keychain created: /var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/appsigner.keychain
INFO[0000] installing /var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/########-signingcert.p12 to keychain
INFO[0000] codesign test signing failed                  cert=############################# cmd="/usr/bin/codesign -vv --keychain /var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/appsigner.keychain --deep --force --sign ####################################### /var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/sign/test.txt" error="exit status 1" output="Warning: unable to build chain to self-signed root for signer \"iPhone Developer: ################## (############)\"\n/var/folders/hb/ct389svx7yv43p_3s59mm4mw0000gn/T/pattern1559172448/sign/test.txt: errSecInternalComponent\n"
ERRO[0000] test signing failedexit status 1

The other question i had is more related to the code itself:
So far it seems we need to provide a reference device ID, even if our mobileprovision file was generated with multiple devices.
It seems to be related to this section at api/workspace.go:38 where we expect a folder with a list of .mobileprovision files instead of just one:

• As and output, we have a table of profiles.
• The udid is then only used as a reference to select the correct mobileprovision data here : codesign/profileparser.go:54. I'm not sure if this is the correct interpretation though.

I was wondering if it was something mandatory and if it's possible to expose another function to resign without a device id as reference ? (instead we can give the path to a single mobileprovision and p12 or maybe sign the same ipa with all the mobileprovision file available in the folder).