Re-sign iOS app with different entitlements fails on 32bit devices

Question

I've got this idea whereby I want to build my app once on our build server, and distribute it to multiple environments before finally landing in the iTunes store.

One of the issues I'm running into is entitlements. If I copy the $ENVIRONMENT.plist entitlements into the app, and re-sign with it, the app will install and run as expected on a 64bit device . The issue I have is the fact that the doesn't run on a 32bit device (ARMv7 / ARMv7S), and because it was originally built for Ad-Hoc (HockeyApp), it doesn't carry the beta entitlements.

So essentially I have different plist files for different environments

dev.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>XXXXX.com.mydomain.mobile</string>
    <key>keychain-access-groups</key>
    <array>
        <string>XXXXX.com.mydomain.mobile</string>
    </array>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>

prod.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>XXXXX.com.mydomain.mobile</string>
    <key>keychain-access-groups</key>
    <array>
        <string>XXXXX.com.mydomain.mobile</string>
    </array>
    <key>get-task-allow</key>
    <false/>
    <key>beta-reports-active</key>
    <true/>
</dict>
</plist>

I then copy the plist files over during deployment, and attempt to re-sign

cp $ENVIRONMENT.plist "${APPFOLDER}/Entitlements.plist"
/usr/bin/codesign -f -v -v -s "$CERTIFICATE_NAME" --entitlements="${APPFOLDER}/entitlements.plist" "${APPFOLDER}/Payload/$APPNAME.app" 
pushd ${APPFOLDER} 
zip -qr ~/Desktop/Archive/$ENVIRONMENT_NAME/$APPNAME-$APP_VERSION.ipa Payload
popd

When I do that approach, I can launch the app on an iPhone 6+ without issue, but when I try to launch the app on an iPhone 4S or iPhone 5, I get a startup crash without any crash logs.

What is the right way to re-sign an app with different entitlements for different environments? Again, the crash only occurs on 32bit devices, 64bit runs as expected even after resigning.

EDIT:

If I just build the app using Visual Studio and don't unpack/update/resign, then the app works as expected on all platforms.

EDIT:

Here is the only error output I can get. It's from the XCode Device Console.

Jul  7 11:01:02 Company-iPhone-4S SpringBoard[48] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jul  7 11:01:02 Company-iPhone-4S SpringBoard[48] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jul  7 11:01:02 Company-iPhone-4S SpringBoard[48] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jul  7 11:01:02 Company-iPhone-4S securityd[86] <Error>:  secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found
Jul  7 11:01:02 Company-iPhone-4S securityd[86] <Error>:  secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found
Jul  7 11:01:02 Company-iPhone-4S amfid[312] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jul  7 11:01:02 Company-iPhone-4S securityd[86] <Error>:  secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found
Jul  7 11:01:02 Company-iPhone-4S securityd[86] <Error>:  secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found
Jul  7 11:01:02 Company-iPhone-4S amfid[312] <Error>:  SecTrustEvaluate  [leaf IssuerCommonName SubjectCommonName]
Jul  7 11:01:02 Company-iPhone-4S kernel[0] <Notice>: xpcproxy[359] Container: /private/var/mobile/Containers/Data/Application/877013A4-BF2A-4AC9-8CEA-1598EA2CD336 (sandbox)
Jul  7 11:01:02 Company-iPhone-4S com.apple.xpc.launchd[1] <Error>: assertion failed: 13F69: launchd + 85529 [083E000D-4C31-3B98-A2C4-6FADB4D1940F]: 0x3
Jul  7 11:01:02 Company-iPhone-4S MyCompMyAppMobileiOS[359] <Warning>: Found new TLS offset at 176
Jul  7 11:01:02 Company-iPhone-4S MyCompMyAppMobileiOS[359] <Warning>: The assembly mscorlib.dll was not found or could not be loaded.
Jul  7 11:01:02 Company-iPhone-4S MyCompMyAppMobileiOS[359] <Warning>: It should have been installed in the `/Users/builder/data/lanes/3412/3cf8aaed/source/maccore/builds/install/target7/lib/mono/2.1/mscorlib.dll' directory.
Jul  7 11:01:02 Company-iPhone-4S com.apple.xpc.launchd[1] (UIKitApplication:com.MyComp.mobile[0x3eca][359]) <Warning>: Service exited with abnormal code: 1
Jul  7 11:01:02 Company-iPhone-4S SpringBoard[48] <Warning>: Application 'UIKitApplication:com.MyComp.mobile[0x3eca]' exited voluntarily.
Jul  7 11:01:03 Company-iPhone-4S kernel[0] <Notice>: xpcproxy[360] Container: /private/var/mobile/Containers/Data/Application/877013A4-BF2A-4AC9-8CEA-1598EA2CD336 (sandbox)
Jul  7 11:01:03 Company-iPhone-4S com.apple.xpc.launchd[1] <Error>: assertion failed: 13F69: launchd + 85529 [083E000D-4C31-3B98-A2C4-6FADB4D1940F]: 0x3
Jul  7 11:01:03 Company-iPhone-4S MyCompMyAppMobileiOS[360] <Warning>: Found new TLS offset at 176
Jul  7 11:01:03 Company-iPhone-4S MyCompMyAppMobileiOS[360] <Warning>: The assembly mscorlib.dll was not found or could not be loaded.
Jul  7 11:01:03 Company-iPhone-4S MyCompMyAppMobileiOS[360] <Warning>: It should have been installed in the `/Users/builder/data/lanes/3412/3cf8aaed/source/maccore/builds/install/target7/lib/mono/2.1/mscorlib.dll' directory.
Jul  7 11:01:03 Company-iPhone-4S com.apple.xpc.launchd[1] (UIKitApplication:com.MyComp.mobile[0xc803][360]) <Warning>: Service exited with abnormal code: 1
Jul  7 11:01:03 Company-iPhone-4S SpringBoard[48] <Warning>: Application 'UIKitApplication:com.MyComp.mobile[0xc803]' exited voluntarily.

---

note: I have re-generated my distribution profile so that it has the beta stuff in it, and I'm using sigh to grab the latest copy of my provisioning profiles.

note: The reason for resigning is that I have some XML config that points the app to different servers per environment (dev, test, production), and it gets updated before resigning.

Answer 1

I'd like to make one thing clear: the codesign is just to create a signature to verify that every byte within the .app file is exactly the same as when it was signed by it's creator (specified by the signing identity). So theoretically this should have nothing to do with which platform the app is deployed on.

And I also want to understand your scenario more clearly: Do you want to test your app through TestFlight or just for ad-hoc testing via HockeyApp? Since the beta entitlement is only a requirement for beta testing through TestFlight. It also has nothing to do with your crash on 32bit platform.

Then for your issue, my suggestion is:

1) Check your app's configuration, especially its target platforms to verify whether ARMV7 is supported;

2)Test your app via Xcode to exclude any other signing/profile issues. This can verify whether your app could work correctly both on 64 bits and 32 bits in development mode.

3)Last and most important, it would be appreciated to attach the error log created both from Xcode output or from the device during the deploy. It would be of great help for the trouble shooting.