We're building an app for another company. They hold the signing key and would rather not share it with us.
It should be possible to separate build and sign, but how do I specify it on xcodebuild's command line?
Asked
Active
Viewed 6.4k times
75
-
Is this what you're looking for? http://cydia.saurik.com/codesign.html – QED Jun 14 '12 at 14:03
-
1After changing settings, here's how you check if the application bundle is signed or not: `codesign -dv /Applications/AppName.app` – Daniel Dec 11 '17 at 23:02
5 Answers
145
In order to skip the code signing you can perform a manual build from the console like this:
xcodebuild clean build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
Additionally, use the -configuration, -target and -sdk parameters in order to define your build settings.
Refer to this Stack Overflow answer in order to get a detailed description on how to disable code-signing inside Xcode.
Peter Mortensen
- 30,738
- 21
- 105
- 131
Joern
- 1,926
- 1
- 13
- 18
-
-
6This works, but the problem is that it is not possible to generate the required Entitlements and ResourceRules files that are needed for the `codesign --entitlements ... --resource-rules ...` command. This is particular important if you intend to use iCloud. It is not trivial to generate these files by yourself. See also http://stackoverflow.com/questions/9280130/how-to-call-builtin-productpackagingutility-in-command-line. – Alexander Aug 03 '12 at 14:56
-
1
-
2doesnt work, receive /usr/bin/codesign --force --sign ... may be due to configuration type – KING May 15 '14 at 18:23
-
Why is the `clean` part in there? `xcodebuild` does the right thing when flags just change from the previous invocation. – xster Apr 11 '18 at 20:46
-
3Didn't work for me with Xcode 9.3 until CODE_SIGNING_ALLOWED="NO" was added. See Ben Flynn's answer below. – Nathanael Weiss May 04 '18 at 11:09
59
To completely prevent code signing with Xcode 7, I used all of the following options:
CODE_SIGN_IDENTITY=""
CODE_SIGNING_REQUIRED="NO"
CODE_SIGN_ENTITLEMENTS=""
CODE_SIGNING_ALLOWED="NO"
The final option, CODE_SIGNING_ALLOWED="NO" seemed to do the trick.
Ben Flynn
- 18,524
- 20
- 97
- 142
-
-
Note: I can't get adding entitlements (app-groups) to work for an archive built without them even if I run codesign with the desired entitlements file. – Ben Flynn Oct 07 '16 at 12:53
-
1Note that I would not do this hack for Archive builds. I only want to not run into a codesigning when I run/test my app in debug in simulator. Archive action usually requires codesigning to you probably should not disable it at all. – Stanislav Pankevich Oct 07 '16 at 13:25
-
Having your lines in place I am now getting: `required code signature missing for` my dynamic frameworks so I am not sure if it is now possible to run an app without codesigning. – Stanislav Pankevich Oct 07 '16 at 13:29
-
@StanislavPankevich I wouldn't expect to be able to run without codesigning. I was trying to sign / entitle the same built archive with two different provisioning profiles for two different audiences within my company. It would save time if I didn't have to rebuild -- and it's not entirely clear to me why codesigning after the fact can't work -- but for now I'm stuck building again for each profile / entitlement pair. – Ben Flynn Oct 09 '16 at 21:04
-
@BenFlynn Did you ever get this working as desired. I have to send unsigned archive to a client and app is using app groups. App resigns fine and can be installed, but can't access app groups container. the embedded.prov file in iPad shows app group entitlement. – Augie May 04 '19 at 20:32
-
1@BenFlynn. Oh snap, figured this out for app with multiple extensions, app groups and keychain entitlements. Create unsigned archive, and then for each intended IPA (QA, Prod, external client), run 'code sign --entitlements "some file" -f -s "Dist Cert" myApp.xcarchive/Products/Applications/MyApp.app. and then just export IPA as desired. I'll require my clients to do this step since they have the Dist Cert, but app groups and keychain still work with this approach, where as unsigned archive being signed at ipa creation time did not grant app group, even though it was in embedded.mobileprov – Augie May 06 '19 at 16:02
-
should I use `CODE_SIGNING_REQUIRED="NO"` or `CODE_SIGNING_REQUIRED=NO`, or doesn't matter? – João Pimentel Ferreira Jan 27 '23 at 15:27
9
Unfortunately it can be hard to build your app in release mode without code signing. You will get errors from the build system such as this:
CodeSign error: code signing is required for product type 'Application' in SDK
'iOS 5.1'
In this case, you should configure your target to use your developer/team wildcard (*) signing identity in Release mode. The app will be signed with that when you build it, and you can ship it to your customer so they can resign it. This is what most of our outsourced developers do.
You may then be able to remove the code signing information by deleting the various files in the app like _CodeSignature and using the codesign tool to remove information from the application binary. But I'm not sure how easy that is. It's not really essential though. There isn't any sensitive information in the provisioning profile or signing information.
Mike Weller
- 45,401
- 15
- 131
- 151
-
So this would then be the process for building an .ipa to ship out to a customer who is using Citrix/Zenprise to deploy the app to their employees? Can you comment on my post here?: http://stackoverflow.com/questions/16089918/citrix-receiver-xenapp-xenmobile-zenprise-ipa-provisioning-and-deploying-an – whyoz May 20 '13 at 22:30
4
In the Project Navigator, select your project and open the "Build Settings" section of your project (and not any particular target).
Under "Code Signing", find "Code Signing Identity" and for both Debug and Release modes set "Any iOS SDK" to "Don't Code Sign".
juhan_h
- 3,965
- 4
- 29
- 35
user3672430
- 106
- 1
- 5
2
Note that variables need to be put at the end of the command, or they will not have an effect:
xcodebuild <action> <arguments> CODE_SIGNING_ALLOWED=NO
Berik
- 7,816
- 2
- 32
- 40