28

We are trying to test application on iOS 15 and found that we are getting this message App needs to be updated.

Can anyone please let me know the reason behind this message? Existing users will have to delete the app and install again to get rid of this alert.

Dima
  • 420
  • 2
  • 17
Ankush Dhawan
  • 319
  • 1
  • 3
  • 5
  • 5
    We are seeing this with practically every app we've signed with our enterprise developer account. Anyone have any idea why this is happening? This forum post https://developer.apple.com/forums/thread/681792 has a string of similar occurrences but no remedy or even root cause. – MarkFromMars Jul 01 '21 at 02:16
  • Also seeing "app needs to be updated" with enterprise certificate. – Nostradamus Jul 05 '21 at 13:57
  • Still issue exist in mine – SANTOSH Oct 05 '21 at 08:48

4 Answers4

37

I went into the same issue with my enterprise apps, and fortunately I've managed to fix it.

There are actually two reasons that can cause this issue on iOS 15 if you're deploying your apps using an Enterprise account. The root key of the issue is a new signature format, that is required on iOS 15. Apps released through the App Store are automatically resigned, thus why they aren't affected by the issue.

Also, note that the main cause for this is building IPAs with older MacOS versions. If you update to latest Big Sur, you should be able to generate an IPA that is correctly signed. If you don't want to update, read the solutions below.

First reason

The first reason, documented by Apple here, is that your IPA must use the new signature format. If the IPA has been built with MacOS 10.14 or higher, it should be good. To ensure your IPA have the correct signature, use following steps:

  • Rename MyApp.ipa to MyApp.zip and unzip (you'll get a Payload folder which contains MyApp.app)
  • In Terminal, run codesign -dv /path/to/MyApp.app
  • Look in the output the value next to CodeDirectory. If you see v=20500 or v=20400, you're good. If you see a value below 20400, you need to resign your app using following command: codesign -s "Your Codesign Identity" -f --preserve-metadata /path/to/MyApp.app (ensure you do this using MacOS >= 10.14, and re-run codesign -dv /path/to/MyApp.app to ensure you now get v=20400 or v=20500)
  • Zip the Payload folder and rename it to MyApp.ipa

Try reinstalling this IPA, it should work. If it doesn't, read the second reason below.

Second reason

An other possible reason, not documented by Apple, a bit more tricky, is that you might need to re-sign your app including the DER entitlements. To check if you need to do this, do this:

  • In Terminal, run codesign -dvvvvv /path/to/MyApp.app
  • Look in the output under Page size, you should see something like this:
    -7=4ade7be00e0a7b6db853edc4843e7ece1eea646f6f13d1809f78fc50d8db461f //If this line doesn't exist or contains only 000..., you need to include DER entitlements
    -6=0000000000000000000000000000000000000000000000000000000000000000
    -5=1dfa58bd8ac3c4fb42142c1c4d28c436128b3a7460186a44526194fb690112bc
    -4=0000000000000000000000000000000000000000000000000000000000000000
    -3=ef08dbe5a7c355336e1fb571604b683ce1c54536cb59a6155a1d18387fd23f6e
    -2=5b730fa46ffd405fd88da9606d82eda9af7f460f6049047afc176163326f5a7f
  • As commented in above block, if -7 isn't existent or if it only contains 000..., then that's the reason why the IPA doesn't install properly. To fix this, follow next step
  • Run codesign -s "Your Codesign Identity" -f --preserve-metadata --generate-entitlement-der /path/to/MyApp.app to resign your app including DER entitlements. Re-run codesign -dvvvvv /path/to/MyApp.app to ensure the -7 value is now correct.
  • Zip the Payload folder and rename it to MyApp.ipa

You should be able to install the IPA now!

Iulian Onofrei
  • 9,188
  • 10
  • 67
  • 113
AnthoPak
  • 4,191
  • 3
  • 23
  • 41
  • It worked! Thanks – sfpx Sep 23 '21 at 18:29
  • 3
    This actually does work -- hats off to AnthoPak! – Michael Sep 23 '21 at 19:04
  • This is a truly stunning answer. How do you know this? – Alex Nauda Oct 06 '21 at 01:44
  • thanks, your answer save my day. regards – Denis Ramdan Oct 08 '21 at 10:47
  • Is "Signing Identity Name from Keychain" (step2) different than "Your Codesign Identity" (step1) ? Only step 1 didn't work for me, but using step2 using same value for the -s parameter of step 1 didn't work for me, resulting in "this app cannot be installed because its integrity could not be verified" For step 1 I used: security find-identity -v -p codesigning – Scognito Oct 14 '21 at 09:18
  • @Scognito Sorry it was a mistake, I've edited the answer to clarify this. You should use the same value for both, yes. Check in Keychain Access for the exact identity name you should use. Also, to be sure you're using the same as the original IPA, you can compare the output of `Authority` when running `codesign -dvvvvv /path/to/MyApp.app` before and after resigning. It should be the same value. – AnthoPak Oct 14 '21 at 13:20
  • @AnthoPak I confirmed it worked, many thanks! – Scognito Oct 15 '21 at 07:15
  • What I need give "Your Codesign Identity” here? – Sanju Oct 19 '21 at 15:14
  • @Sanju this is the name of the team you’re using to sign your app. You can check in Keychain Access the certificates you have for iOS distribution, it could give you a hint on this name. – AnthoPak Oct 19 '21 at 17:08
  • For anyone gets failed when runing "codesign -s ...", Please unlock your keychain then try again: Run `$ security unlock-keychain login.keychain` – The Anh Nguyen Nov 25 '21 at 06:39
  • Unfortunately, using 11.4 and Xcode 13.0, there is no PageSize, only "CodeDirectory v=20400 size=5813 flags=0x0(none) hashes=171+7 location=embedded Signature size=4775". Manually signing as described above does not change the situation. – ghr Dec 15 '21 at 11:38
  • "If you see v=20500 or v=20400, you're good." This is not correct if you see v=20400. I have an app signed in July and it has 20400 BUT it is missing the -7 and -6 mentioned in the Second Reason and fails to install. Also please be aware that Apple's documentation is wrong. It says to use codesign -dv. That does not show the Page size section which is vital. One must use codesign -dvvvvv to check this properly, as mentioned in the second reason to ensure all sections in the Page size mentioned are present. – ghr Dec 18 '21 at 03:35
  • I have try above solution and also try this 3 step https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0093775 also but facing same issue. Xcode 13.2 & MAC OS Big sure(11.6), checked in iPad (ios 15) Thanks in advance – Vishal Gadhiya Feb 23 '22 at 13:30
  • I have a framework I cannot install on device embedded and signed. It has code sign v=20200. I have tried to resign it many ways, but it always stays at v=20200. Any idea how to upgrade it to 20400 which all my other frameworks sign as? – Darren May 13 '22 at 15:14
4

I have fixed the issue with the following configuration: MacOS Big Sur(macOS 11.14) and Xcode 12.5.1.

  1. I rebuild the package with the configuration mentioned above.
  2. I uploaded the package to TestFlight.
  3. I tested on iOS 15 device. Everything works as expected. No popup.

As far as I understood the the reason of the failure is updated signature format. In iOS 15 the new format is mandatory while on iOS 14 it only gives a warning.

More information about the signature can be found here: https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format

Dima
  • 420
  • 2
  • 17
  • There are a few errors in this 'Answer': Big Sur is 11.x. TestFlight is not a valid test of the issue since, according to the link "For apps that you distribute through the App Store or TestFlight, App Store Connect first verifies your signature, and then re-signs the app using an Apple identity, before making the app available for download. Apps available through these channels already have the new signature format." – ghr Dec 15 '21 at 11:35
  • I am not sure which step actually fixed the signature. I saw the issue after I have updated the iOS (September 2021). I tried to download the version from the app store, but it didn't help. The version has been uploaded in April 2021. But after executing the steps above it has been fixed. – Dima Dec 16 '21 at 15:02
  • It would have been Step 1. As I said, testing in TestFlight does not prove resolution of the problem. Only if you upload to your Enterprise site and install from there can you properly test this issue. – ghr Dec 18 '21 at 03:39
1

If you're using Xcode 12.4 or 13 and MacOS 10.15.4 or above in December it should be sufficient to create a new Provisioning profile and provision with that. The provisioning profile must have the DER entitlements in it. Please see https://developer.apple.com/forums/thread/682775 for a method to check your provisioning profile has the DER entitlements.

ghr
  • 505
  • 4
  • 8
0

I have facing above same issue any try all above solution but not work. Once i change below setting than after it will work.

Build Setting

change excluded architecture "Any SDK" to "Any iOS Simulator SDK" and value arm64

enter image description here

Vishal Gadhiya
  • 450
  • 1
  • 6
  • 21