Enterprise Code Signing for iOS in Xojo

There’s been a feedback report (47975) for several years asking for the ability to use enterprise code signing certificates for building our Xojo iOS applications. So far there has been nothing from Xojo, but there is a way to create an enterprise code signed iOS app with Xojo. It just takes some extra work.

Here are my steps to building an iOS enterprise app:

  • Build your app in Xojo with the Build for App Store switch turned off.
  • Put the built app into a folder named “Payload”.
  • Compress that folder.  Change the name from Payload.zip to “yourappname.ipa”.
  • In your favorite text editor paste the following code.  Replace App_ID_Prefix and App_ID with the valid information for your app from the Apple Developer website:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>application-identifier</key>
        <string>App_ID_Prefix.App_ID</string>
        <key>keychain-access-groups</key>
        <array>
            <string>App_ID_Prefix.App_ID</string>
        </array>
    </dict>
    </plist>

  • Save this file as Entitlements.plist
  • Go to the Apple developer website and download your enterprise developer provisioning profile.
  • Download iReSign project from https://github.com/maciekish/iReSign (see note below)
  • Run the ReSign app
  • Drag the unsigned .ipa file to the top box, or use the browse button.
  • Drag the mobileprovision file you downloaded from Apple to the second box, or use the browse button.
  • Drag the Entitlements.plist file you created earlier into the third box, or use the browse button.
  • Select your name from the Keychain Access list. For example, it might be “iPhone Developer: Firstname Lastname (XXXXXXX)” in the dropdown.
  • Click ReSign! and wait. The resigned file will be in the same folder as the original with (Resigned) in the name.
  • Voila! Move that resigned file into the appropriate place and remove the “Resigned” so it’s back to the “yourappname.ipa” name.
  • Now you can deploy your enterprise code signed app to any iOS device.

Each iOS device may have to trust the certificate.  Go to Settings -> General -> Device Management.

For it to work properly in macOS Sierra (and above), I had to recompile the ReSign app in Xcode (no code changes).

It seems like a lot of steps, but once you get it working it’s not hard after that. One thing we learned the hard way is that enterprise certificates expire in a year, so plan on renewing the certificate and getting a new version out before it expires.
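An added example (not from the original post or from iReSign): a Python check to run on the resigned .ipa before deploying, confirming that the app ID in Entitlements.plist is covered by the embedded provisioning profile and that the profile is not close to expiring. It assumes re-signing left the profile at Payload/<name>.app/embedded.mobileprovision; the function names, the ABCDE12345 prefix, and the sample data are constructed for illustration.

```python
import datetime as dt
import fnmatch
import io
import plistlib
import zipfile

def profile_plist(blob: bytes) -> dict:
    """A .mobileprovision is a signed CMS envelope; its plist payload is readable in place."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_ipa(ipa: bytes, entitlements: bytes, now: dt.datetime, warn_days: int = 30) -> list:
    """Return a list of problems; an empty list means both checks passed."""
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        names = [n for n in z.namelist() if n.startswith("Payload/")
                 and n.endswith(".app/embedded.mobileprovision")]
        if not names:
            return ["no Payload/<name>.app/embedded.mobileprovision in archive"]
        profile = profile_plist(z.read(names[0]))
    problems = []
    app_id = plistlib.loads(entitlements)["application-identifier"]
    allowed = profile["Entitlements"]["application-identifier"]
    # The profile's ID may be a wildcard such as PREFIX.*, so match as a pattern.
    if not fnmatch.fnmatchcase(app_id, allowed):
        problems.append(f"{app_id} is not covered by profile app ID {allowed}")
    # plistlib returns <date> values as naive UTC datetimes; pass `now` the same way.
    days_left = (profile["ExpirationDate"] - now).days
    if days_left < warn_days:
        problems.append(f"profile expires in {days_left} days")
    return problems

# Constructed sample data below: not a real profile, prefix, or bundle ID.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.demo",
    "keychain-access-groups": ["ABCDE12345.com.example.demo"]})

def make_sample_ipa(profile_app_id: str, expires: dt.datetime) -> bytes:
    body = plistlib.dumps({"ExpirationDate": expires,
                           "Entitlements": {"application-identifier": profile_app_id}})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # fake envelope bytes around the plist
        z.writestr("Payload/Demo.app/embedded.mobileprovision", b"\x30\x82" + body + b"\x00sig")
    return buf.getvalue()

if __name__ == "__main__":
    ipa = make_sample_ipa("ABCDE12345.*", dt.datetime(2024, 1, 10))
    print(check_ipa(ipa, SAMPLE_ENTITLEMENTS, now=dt.datetime(2024, 1, 1)))
```

This reads only the profile's own expiration date; the signing certificate's expiry is separate and is not checked here.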

Hopefully someone will find this useful.

[Update]: My iOS Build settings for Team are set to “None”