✒ A self-hosted, cross-platform service to sign iOS apps using any CI as a builder

iOS Signer Service

Introduction

There are many reasons to install apps outside the App Store. Unfortunately, this process is severely hindered by Apple and unrealistic for the average user. You need a better way to get things done.

Introducing ios-signer-service - a self-hosted, cross-platform service to sign iOS apps and install them on your device, all without a computer.

The setup consists of two parts:

  • This web service, which runs on a server with any operating system/architecture, and exposes a website where you can upload apps for signing. The website is the only place a user interacts with.
  • A macOS builder server, which the web service uses to perform the actual signing. The builder requirements are minimal, so any API-enabled Continuous Integration (CI) service, such as GitHub Actions, can be used.

More information and examples can be found in the installation section.

Disclaimer

This project is self-hosted; there is no public service. It does not provide any alternative catalog of apps. It does not give you free signing certificates, or circumvent any protective measures - you must have a valid signing certificate and provisioning profile. This project does not provide, promote, or support any form of piracy. This project is aimed solely at people who want to install homebrew apps on their device, much like the popular AltStore.

Features

  • No jailbreak required
  • All iOS versions supported
  • No computer required (apart from server to host the service)
  • Works with most CI providers, even for free
  • Minimalistic, mobile-friendly web interface
  • Upload unsigned apps, download signed apps
  • Install signed apps from the website straight to your iOS device via OTA
  • Choose from multiple signing profiles
  • Configure various properties of the signing process
  • Periodic old file cleanup

Installation

Requirements

  • Web service server
    • All major operating systems and architectures are supported
    • Tested on a Raspberry Pi
  • Builder server, such as a CI like GitHub Actions, that:
    • Runs macOS
    • Supports workflow triggers via API
  • Valid code signing profile:
    • Certificate with key (.p12 file)
    • Provisioning profile (.mobileprovision file)

Builder

ios-signer-service offloads the signing process to a dedicated macOS builder. This step is necessary because signing is only officially supported on a macOS system. While third-party cross-platform alternatives exist, they are not as stable or quick to update as the official solution.

However, you don't need to own a Mac! In fact, you don't even need to pay anything. GitHub Actions, Semaphore CI, and some other CI providers give you a free monthly allowance to use a macOS VM and build your projects. In this case, you will be using them to sign your apps.

An implementation for GitHub Actions and Semaphore CI can be found at ios-signer-ci. To host it, simply fork the repo and follow its README.

You can always use another CI provider, or even your own machine, given it supports remote workflow triggers over API. You will see the requirements in the configuration section below.

Web Service

ios-signer-service (this project) is a web service that you install on any server. The service exposes a web interface which allows the user to upload unsigned app files and have them signed using any of the configured signing profiles.

The easiest way to get the service is by downloading the pre-compiled binaries from the releases.

You can also use the official Docker image, but make sure to configure it properly:

  • Mount the configuration file to your host, so you can edit it after it's generated. The file's location in the container is just under the root directory: /signer-cfg.yml.
  • Mount the directory that you will use for the app's data. By default, the location in the container is: /data. You can set this path using the save_dir property in the configuration file.

The default port used by the service is 8080. You can override this by running the service with an argument -port 1234, where "1234" is your desired port. You can see a description of these arguments and more via -help.

ios-signer-service is not designed to run by itself - it does not offer encryption (HTTPS) or global authentication. This is a huge security issue, and OTA installations will not work! Instead, you have two options:

  • Reverse proxy (recommended)

    Run a reverse proxy like nginx, which wraps the service with HTTPS and authentication. You will need a valid HTTPS certificate (self-signed won't work with OTA due to an Apple restriction), which means that you will also need a domain. While this setup is more involved, it is the industry-standard way to deploy any web application. It is also the most unrestricted, reliable and secure method by far.

    You must leave a few endpoints non-authenticated, as they are used by OTA and the builder. Don't worry, they are secured by long ids and/or the workflow key:

    /apps/:id/
    /jobs
    /jobs/:id
    

    (where :id is a wildcard parameter)

  • ngrok

    If you are just testing or can't afford the option above, you can also use ngrok. It offers a free plan that allows you to create a publicly accessible tunnel to your service, conveniently wrapped in ngrok's valid HTTPS certificate. Note that the free plan has a limit of 40 connections per minute, and the URLs change every time you restart ngrok, so you will have to remember to update them.

    To use ngrok, install the program, then just run the following command:

    ngrok http -inspect=false 8080

    You will get two URLs - make sure to always use the HTTPS one, both when configuring and when using the service. Also, make sure to enable basic_auth in the configuration below, or anybody could access your service.
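
One way to check the reverse proxy option above once it is deployed, as an added example that is not part of the project: it sends requests without credentials and reports any web UI path that answers anyway, plus any exempt path that is challenged. The probe id, the function names, the host `signer.example` and the assumption that the proxy answers 401 or 403 to unauthenticated requests are this example's own; `/apps` as the upload path is taken from the service logs quoted in the comments on this page.

```python
"""Check that a reverse proxy exempts only the documented endpoints from auth."""
import urllib.error
import urllib.request
import uuid
from urllib.parse import urlsplit

# Random id made up for probing; it matches no real app or job.
PROBE_ID = str(uuid.uuid4())
# Endpoints the README says OTA and the builder must reach without proxy auth.
MUST_BE_OPEN = [f"/apps/{PROBE_ID}/manifest", "/jobs", f"/jobs/{PROBE_ID}"]
# Web UI paths that must stay behind the proxy's authentication.
# "/apps" (upload) is the near miss that an over-broad "/apps" prefix rule exposes.
MUST_BE_PROTECTED = ["/", "/apps"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it


def http_status(url, timeout=10):
    """Status code of a GET sent without any credentials."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, fetch=http_status):
    """Return findings; an empty list means the auth boundary matches the README."""
    findings = []
    if urlsplit(base_url).scheme != "https":
        findings.append("server_url is not HTTPS: OTA installs will not work")
    base = base_url.rstrip("/")
    for path in MUST_BE_PROTECTED:
        status = fetch(base + path)
        if status not in (401, 403):
            findings.append(f"{path} answered {status} without credentials")
    for path in MUST_BE_OPEN:
        status = fetch(base + path)
        # A 401/403 here may also come from the service itself, so it is
        # reported for review rather than as a definite proxy fault.
        if status in (401, 403):
            findings.append(
                f"{path} answered {status}: confirm the proxy is not "
                "demanding credentials here")
    return findings


def simulated_sloppy_proxy(url):
    """Constructed stand-in for a proxy whose exemptions are plain prefixes."""
    path = urlsplit(url).path
    if path.startswith("/apps") or path.startswith("/jobs"):
        return 200  # passed through to the service unauthenticated
    return 401


if __name__ == "__main__":
    # Offline demo against the constructed proxy; pass only audit(url) to
    # probe a real deployment that you operate.
    for finding in audit("https://signer.example", fetch=simulated_sloppy_proxy):
        print("FINDING:", finding)
```

The demo reports `/apps`, because a plain `/apps` prefix exemption also opens the upload endpoint; matching `/apps/:id/` as a pattern with a non-empty id avoids that.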

When you run the service for the first time, it will exit immediately and generate a configuration file, signer-cfg.yml. Take your time to read through it and set it appropriately - the defaults won't work!

An explanation of the settings:

# the builder's signing workflow
workflow:
  # an API endpoint that will trigger a run of the signing workflow
  trigger:
    # your builder's trigger url
    url: https://api.github.com/repos/foo/bar/actions/workflows/sign.yml/dispatches
    # data to send with the trigger request
    body: '{"ref":"master"}'
    # headers to send with the trigger request
    headers:
      # usually you'll add the CI's token here
      Authorization: Token MY_TOKEN
      # either json or form
      Content-Type: application/json
    # whether to attempt http2 or stick to http1
    # set to false if using Semaphore CI
    attempt_http2: true
  # a url that will be opened when you click on "Status" in the website while a sign job is running
  status_url: https://github.com/foo/bar/actions/workflows/sign.yml
  # a key that you make up, which will be used by the builder to communicate with the service
  # make sure it is long and secure!
  key: MY_SUPER_LONG_SECRET_KEY
# the public address of your server, used to build URLs for the website and builder
# must be valid HTTPS or OTA won't work!
server_url: https://mywebsite.com
# where to save data like apps and signing profiles
save_dir: data
# apps older than this time will be deleted when a cleanup job is run
cleanup_mins: 10080
# how often does the cleanup job run
cleanup_interval_mins: 30
# protects the web ui with a username and password
# this does not overlap with the "workflow.key" protection
basic_auth:
  enable: false
  username: ""
  password: ""

Depending on your builder provider, the workflow section will vary. Here are examples of the most popular CI providers:

GitHub Actions

workflow:
  trigger:
    url: https://api.github.com/repos/YOUR_PROFILE/ios-signer-ci/actions/workflows/sign.yml/dispatches
    body: '{"ref":"master"}'
    headers:
      Authorization: Token YOUR_TOKEN
      Content-Type: application/json
    attempt_http2: true
  status_url: https://github.com/YOUR_PROFILE/ios-signer-ci/actions/workflows/sign.yml

Semaphore CI

workflow:
  trigger:
    url: https://YOUR_PROFILE.semaphoreci.com/api/v1alpha/plumber-workflows
    body: project_id=YOUR_PROJECT_ID&reference=refs/heads/master
    headers:
      Authorization: Token YOUR_TOKEN
      Content-Type: application/x-www-form-urlencoded
    attempt_http2: false
  status_url: https://YOUR_PROFILE.semaphoreci.com/projects/ios-signer-ci

Inside the save_dir directory from your configuration ("data" by default), you need to add at least one code signing profile. The structure is as follows:

data
|____profiles
| |____PROFILE_ID              # any unique string that you want
| | |____cert.p12              # the signing certificate
| | |____pass.txt              # the signing certificate's password
| | |____name.txt              # a name to show in the web interface
| | |____prov.mobileprovision  # the signing provisioning profile
| |____OTHER_PROFILE_ID
| | |____...

When an app is uploaded to the service for signing, a signing job is generated and stored in memory. The service then triggers the builder using the configured workflow trigger API. The builder will query the available jobs from the service using the /jobs endpoint, and download the most recent job's data. This data is a simple TAR file which contains all the necessary signing files. When the builder is finished, it will upload the signed file to the service using a "return id" found within the archive.

Frequently Asked Questions (F.A.Q.)

  • How do you export the certificate and key?

    On your Mac, open the Keychain app. There you will find your certificate (1) and private key (2). Select them by holding Command, then right-click (3) and select Export 2 items... (4). This will export the .p12 file you need.

  • How can I debug a failing builder?

    Edit the sign.sh file in your builder's repo and remove the output suppression from the failing line. Usually this will be the xresign.sh call, so:

    ./xresign.sh ...  >/dev/null 2>&1

    Becomes:

    ./xresign.sh ...

    Next time you run a build, the logs will give you full details that you can use to resolve your issue. The reason that the output suppression is there in the first place is to prevent leaks of potentially sensitive information about your certificates and apps.

  • What kind of certificates/provisioning profiles are supported?

    Technically, everything is supported as long as your iOS device trusts it. This includes free signing profiles, but of course, they expire after a week. The only major difference between signing profiles is based on the provisioning profile's application-identifier. There are two types:

    • Wildcard, with app id = TEAM_ID.*

      • Can properly sign any app (TEAM_ID.app1, TEAM_ID.app2, ...)
      • Can't use special entitlements such as app groups (Apple restriction)
    • Explicit, with app id = TEAM_ID.app1

      • Can properly sign only one app (TEAM_ID.app1)
      • Can use any entitlement as long as it's in the provisioning profile
      • If you properly sign multiple apps with the same profile, only one of the apps can be installed on your device at a time. This is because their bundle ids will be identical and the apps will replace each other.
      • It is possible to improperly sign apps with an explicit profile by keeping their original bundle ids even if they don't match the profile's app id. For example, with an app id TEAM_ID.app1, you could sign the apps TEAM_ID.app2 and TEAM_ID.app3. This way, you can have multiple apps installed at the same time, and they will run, but all of their entitlements will be broken, including file importing.
  • App runs, but malfunctions due to invalid signing/entitlements

    First, make sure you are signing the app correctly and not breaking the entitlements. Read the section just above.

    If that doesn't help, you need to figure out what entitlements the app requires. unc0ver 6.0.2 and DolphiniOS emulator need the app debugging (get-task-allow) entitlement. Make sure you are using a signing profile with get-task-allow=true in its provisioning profile. Also, when you upload such an app to this service, make sure to tick the Enable app debugging option. Since this is a potential security issue, it will be disabled by default unless you tick the box.

  • "This app cannot be installed because its integrity could not be verified."

    This error means that the signing process went terribly wrong. To debug the problem, install libimobiledevice (for Windows: imobiledevice-net). Download the problematic signed app from your service to your computer, and then attempt to install it on your iOS device:

    ideviceinstaller -i app.ipa

    You can also use -u YOUR_UDID -n to run this command over the network. When the installation finishes, you should see a more detailed error. Please create an issue here on GitHub and upload the unsigned app along with the detailed error from above so this can be fixed.
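
The profile rules from the FAQ entries above (wildcard versus explicit app id, get-task-allow, expiry) can be checked before a signing job is started. The following is an added example, not code from this project: it reads the plist embedded in a .mobileprovision file and reports the mismatches the FAQ describes. The function names, the team id `ABCDE12345` and the sample profiles are constructed for illustration, and the profile's CMS signature is not verified.

```python
"""Classify a provisioning profile and pre-check a signing request against it."""
import plistlib
from datetime import datetime, timezone


def read_profile(data: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob.

    The file is a CMS-signed container that normally stores the plist in the
    clear, so slicing from '<?xml' to '</plist>' recovers it.
    """
    start = data.find(b"<?xml")
    end = data.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def classify(profile: dict) -> dict:
    """Reduce the profile to the fields the FAQ talks about."""
    ents = profile.get("Entitlements", {})
    app_id = ents.get("application-identifier", "")
    return {
        "app_id": app_id,
        "team_id": app_id.split(".", 1)[0],
        "type": "wildcard" if app_id.endswith("*") else "explicit",
        "get_task_allow": bool(ents.get("get-task-allow", False)),
        "expires": profile.get("ExpirationDate"),  # naive datetime in UTC
    }


def check_signing(info: dict, bundle_id: str, app_debugging: bool, now=None) -> list:
    """Return the problems that signing bundle_id with this profile would cause."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    full_id = f"{info['team_id']}.{bundle_id}"
    if info["type"] == "wildcard":
        matches = full_id.startswith(info["app_id"][:-1])
    else:
        matches = full_id == info["app_id"]
    if not matches:
        problems.append(
            f"{full_id} does not match app id {info['app_id']}: "
            "the app may run, but its entitlements will be broken")
    if app_debugging and not info["get_task_allow"]:
        problems.append("app debugging requested, but the profile lacks get-task-allow")
    if info["expires"] is not None and info["expires"] <= now:
        problems.append(f"profile expired on {info['expires']:%Y-%m-%d}")
    return problems


def make_sample_profile(app_id, get_task_allow, expires) -> bytes:
    """Constructed input: a plist wrapped in filler bytes, not a real signed profile."""
    body = plistlib.dumps({
        "Name": "constructed sample",
        "ExpirationDate": expires,
        "Entitlements": {
            "application-identifier": app_id,
            "get-task-allow": get_task_allow,
        },
    })
    return b"\x30\x82\x0b\xad" + body + b"\x31\x82\x01\x00filler"


if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    samples = [
        ("ABCDE12345.*", True, datetime(2024, 6, 1), "app1"),
        ("ABCDE12345.app1", False, datetime(2023, 12, 1), "app2"),
    ]
    for app_id, debug_ok, expires, bundle_id in samples:
        info = classify(read_profile(make_sample_profile(app_id, debug_ok, expires)))
        print(info["type"], info["app_id"], "->", bundle_id)
        for problem in check_signing(info, bundle_id, True, now) or ["ok"]:
            print("  ", problem)
```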

License

This project and all of its unlicensed dependencies under the SignTools organization are licensed under AGPL-3.0. A copy of the license can be found here. Raise an issue if you are interested in exclusive licensing.

Comments
  • GitHub Actions CI troubleshooting

    Hi again. I have another issue where GitHub Actions cannot sign my .iPA file. It says

    /Users/runner/work/_temp/39df6836-3324-44f5-8d3f-c6d7d3fbe509.sh: line 1: ./sign.sh: No such file or directory
    Error: Process completed with exit code 1."
    

    Here's the screenshot: (Screenshot 2021-03-03 at 21 17 17)

    Also, sorry for asking too much help. I love your project.

    opened by sourcelocation 21
  • iSH killed by iOS due to high CPU usage when installing app

    This only happens sometimes, likely with bigger files, and it could be attributed to either an out of memory error, or failure to emulate an instruction on ISH's side. More debugging is required.

    bug help wanted 
    opened by ViRb3 12
  • Archiving app fails every time

    I tried basic troubleshooting first

    Describe the bug

    Signing job errors out when archiving.

    Expected behavior

    Signing job successfully finishes.

    Logs

    Signing
    Obtaining provisioning profile...
    Archiving app...
    xcode_archive errored, retrying
    xcode_archive errored, retrying
    xcode_archive errored, retrying
    Traceback (most recent call last):
      File "/Users/runner/work/SignTools-CI/SignTools-CI/util.py", line 27, in run_process
        result = subprocess.run(cmd, capture_output=capture, check=check, env=env, cwd=cwd, timeout=timeout)
      File "/usr/local/Cellar/python@3.9/3.9.13_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 528, in run
        raise CalledProcessError(retcode, process.args,
    subprocess.CalledProcessError: Command '('xcodebuild', '-allowProvisioningUpdates', '-project', '/private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpac__o323/SimpleApp/SimpleApp.xcodeproj', '-scheme', 'SimpleApp', 'clean', 'archive', '-archivePath', '/private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpac__o323/SimpleApp/archive.xcarchive')' returned non-zero exit status 65.
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "/Users/runner/work/SignTools-CI/SignTools-CI/sign.py", line 388, in <module>
        run()
      File "/Users/runner/work/SignTools-CI/SignTools-CI/sign.py", line 337, in run
        Signer(
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 620, in sign
        jobs[component] = self.__sign_primary(component, tmpdir, data)
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 284, in __sign_primary
        xcode_archive(simple_app_proj, "SimpleApp", archive)
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 68, in xcode_archive
        return exec_retry("xcode_archive", lambda: _xcode_archive(project_dir, scheme_name, archive))
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 61, in exec_retry
        raise last_error
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 53, in exec_retry
        return func()
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 68, in <lambda>
        return exec_retry("xcode_archive", lambda: _xcode_archive(project_dir, scheme_name, archive))
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 74, in _xcode_archive
        return run_process(
      File "/Users/runner/work/SignTools-CI/SignTools-CI/util.py", line 29, in run_process
        raise (
    Exception: {'stdout': 'Command line invocation:\n    /Applications/Xcode_12.5.1.app/Contents/Developer/usr/bin/xcodebuild -allowProvisioningUpdates -project /private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpac__o323/SimpleApp/SimpleApp.xcodeproj -scheme SimpleApp clean archive -archivePath /private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpac__o323/SimpleApp/archive.xcarchive\n\nUser defaults from command line:\n    IDEArchivePathOverride = /private/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpac__o323/SimpleApp/archive.xcarchive\n    IDEPackageSupportUseBuiltinSCM = YES\n\nnote: Using new build system\nnote: Building targets in parallel\nnote: Build preparation complete\n\n** CLEAN SUCCEEDED **\n\nnote: Using new build system\nnote: Building targets in parallel\nnote: Planning build\nnote: Analyzing workspace\nnote: Constructing build description\nnote: Build preparation complete\nerror: No account for team "9FS5C6BF2T". Add a new account in the Accounts preference pane or verify that your accounts have valid credentials. (in target \'SimpleApp\' from project \'SimpleApp\')\nerror: No profiles for \'mv8.pb5v6x3.bf5o8bzx.ShareExtension\' were found: Xcode couldn\'t find any iOS App Development provisioning profiles matching \'mv8.pb5v6x3.bf5o8bzx.ShareExtension\'. (in target \'SimpleApp\' from project \'SimpleApp\')', 'stderr': '2022-06-02 14:27:27.751 xcodebuild[3128:18335] CFURLRequestSetHTTPCookieStorageAcceptPolicy_block_invoke: no longer implemented and should not be called\n** ARCHIVE FAILED **'}
    ==============================================
    Uploading screenshot...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100 1170k    0   133  100 1170k    117  1033k  0:00:01  0:00:01 --:--:-- 1036k
    
    100 1170k    0   133  100 1170k    117  1033k  0:00:01  0:00:01 --:--:-- 1036k
    =========================
    
    Uploaded 1 file, 1 198 934 bytes
    
    wget https://bashupload.com/7DL8Z/test.jpg
    
    =========================
    
    ==============================================
    Cleaning up...
    Error: Process completed with exit code 1.
    

    System configuration

    • SignTools version: 2.5.16
    • Installation type: server
    • Builder type: SignTools-CI
    • Builder version: Commit https://github.com/SignTools/SignTools-CI/commit/2f3ffe4d8c4f2602af31de063081f1e2c2874193

    Additional context

    I feel like I'm doing something wrong but I don't know what. The error log mentions a team/missing account.

    bug 
    opened by btglr 11
  • Error: Process completed with exit code 1

    Hello, I have a dev account but I can't sign my apps

    What is the problem?

    Run ./sign.sh
    Obtaining files...
    Creating keychain...
    Importing certificate...
    1.2.840.113635.100.1.61
    Signing...
    Usage: xresign.sh -i APP_PATH -c CERT_NAME [-epbdas ...]

    -i path to input app to sign
    -c Common Name of signing certificate in Keychain
    -e new entitlements to use for app (Optional)
    -p path to mobile provisioning file (Optional)
    -b new bundle id (Optional)
    -d enable app debugging (get-task-allow) (Optional)
    -a force enable support for all devices (Optional)
    -s force enable file sharing through iTunes (Optional)
    -n set bundle id to mobile provisioning app id (Optional)
    -w write bundle id to file (Optional)
    Error: Process completed with exit code 1.

    bug 
    opened by isibizi 11
  • Install not work with reverse proxy (nginx)

    I tried basic troubleshooting first

    Describe the bug

    iOS 16, trying to sign app and install, signed successfully through GitHub CI, after clicking on install on the web through iPhone, "installation starting, expect a pop up prompt" page comes up, but then a pop up comes up: "open this site in "itunes" ?" (cancel/open) and after that nothing happens.

    To reproduce

    Steps to reproduce the behavior:

    see above

    Expected behavior

    installation pop up if the ipa should be installed - but does not show.

    System configuration

    • SignTools version: [e.g. 2.1.1] 2.6.0
    • Installation type: [heroku, computer, phone; nginx, ngrok, cloudflared] phone, nginx
    • Builder type: [SignTools-CI, SignTools-Builder] signtools-ci
    • Builder version: [e.g. 1.0.0 for SignTools-Builder; the latest commit hash of your repo for SignTools-CI, e.g. 03e0ed9] newest, freshly built.
    bug 
    opened by xanthos84 9
  • How do you use an Apple developer Distribution certificate?

    Hi, I hope you can help me. I set up the ios-signer-service on Heroku as per instructions. Under PROFILE_CERT_BASE64 I pasted the base64 for my Apple developer Distribution certificate (as I want to enable various entitlements such as push notifications) and pasted the cert password in PROFILE_CERT_PASS. Is this the correct way to use my Apple Distribution certificate?

    When I try to sign an IPA I get this error: error: Revoke certificate: Your account already has an Apple Development signing certificate for this machine, but its private key is not installed in your keychain. Xcode can create a new one after revoking your existing certificate. (in target 'SimpleApp' from project 'SimpleApp')\nerror: No signing certificate "iOS Development" found: No "iOS Development" signing certificate matching team ID "SOMETEAMID" with a private key was found.

    Any idea what I might be doing wrong?

    Thank you!

    opened by 42ism 9
  • Error 500 - no profile with id <name of ID>

    Hi,

    I'm trying to upload an IPA into the web interface, after a couple of seconds, the web interface redirects to /apps and displays {"message":"Internal Server Error"}.

    My docker log is: {"time":"2021-03-04T07:18:15.894553187Z","id":"","remote_ip":"123.123.123.123","host":"https://mywebsite.ld","method":"POST","uri":"/apps","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36","status":500,"error":"no profile with id 123","latency":371580849,"latency_human":"371.580849ms","bytes_in":58524658,"bytes_out":36}.

    Any better way to debug this ?

    Best regards.

    opened by kevin-ta 9
  • A successfully built/signed ipa won't install

    Hi,

    I followed the instructions and currently running the web service on a Windows 10 machine with Github Actions as the builder with a developer account (provision + certificate). The build completed successfully and the file is made available for install/download.

    But when I click the Install button nothing happens. No prompt, no install, nothing new on the iPhone's homepage. The browsers I tried were Safari and Chrome, both the same result.

    This is what I see in the web service console every time I press the Install button: {"time":"2021-04-07T08:51:21.8639162-04:00","id":"","remote_ip":"xx.xx.xx.xx","host":"my-private-url.trycloudflare.com","method":"GET","uri":"/apps/1df97ec4-9f61-4a58-acb9-bd4cb8293fab/manifest","user_agent":"com.apple.appstored/1.0 iOS/14.4.2 model/iPhone13,1 hwp/t8101 build/18D70 (6; dt:228) AMS/1","status":200,"error":"","latency":1394200,"latency_human":"1.3942ms","bytes_in":0,"bytes_out":1238}

    Any idea why it wouldn't install?

    Thank you!

    BTW I didn't mean to add the "bug" label. This could very well be a setup/user issue :) and not a "bug".

    bug 
    opened by 42ism 7
  • Github SignTools-CI error in signing process.

    I tried basic troubleshooting first

    Bug description

    An error "connect ETIMEDOUT 152.X.X.X:443" (X for privacy) occurs during the signing process of the GitHub action. I'm using a docker container of SignTools and a nginx reverse proxy to expose the container on a custom subdomain (https://sign.example.com). I'm able to access the web server to upload and rename the IPAs. Since I also have other web servers on this machine the proxy to the container is only accessible through the domain. Trying to access the web server directly via the IP address will not work and the server will not respond. The server_url on my signer-cfg.yml is correct (https://sign.example.com). Is it possible that ./sign.py tries to access the web server directly via the IP address?

    Logs

    SignTools-CI GitHub action:

    sudo xcode-select -s /Applications/Xcode_13.2.1.app
    ./sign.py
    shell: /bin/bash -e {0}
    env:
      SECRET_URL: ***
      SECRET_KEY: ***

    connect ETIMEDOUT 152.X.X.X:443
    Initializing dependencies...
    Traceback (most recent call last):
      File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 42, in run_process
    Downloading job files...
        result = subprocess.run(cmd, capture_output=capture, check=check, env=env, cwd=cwd, timeout=timeout)
      File "/usr/local/Cellar/python@3.10/3.10.6_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/subprocess.py", line 524, in run
        raise CalledProcessError(retcode, process.args,
    subprocess.CalledProcessError: Command '('node', 'node-utils/download.js', '***/jobs', '***', 'job.tar')' returned non-zero exit status 3.

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
      File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 1155, in <module>
        node_download(secret_url + "/jobs", job_archive, capture=False)
      File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 131, in node_download
        return run_process(
      File "/Users/runner/work/SignTools-CI/SignTools-CI/./sign.py", line 44, in run_process
        raise (
    Exception: {'stdout': '', 'stderr': ''}
    Error: Process completed with exit code 1.

    System configuration

    • SignTools version: Docker latest
    • Installation type: docker, nginx
    • Builder type: SignTools-CI,
    • Builder version: SignTools-CI 4550595
    bug 
    opened by GioBar00 6
  • Invalid or unsupported format for signature

    I tried basic troubleshooting first

    Describe the bug

    Can't sign Rocket for Instagram due to an invalid format.

    Logs

    Initializing dependencies...
    Obtaining files...
    Download finished!
    Creating keychain...
    Using distribution certificate
    Using developer account
    Logging in (1/2)...
    Logging in (2/2)...
    If you receive a two-factor authentication (2FA) code, please submit it to the web service.
    Logged in!
    Extracting app...
    Signing...
    Using encoded original bundle id
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/RIPass.dylib
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Hackogram.dylib
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/libsubstrate.dylib
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/FBSharedFramework.framework
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/CydiaSubstrate.framework
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework
    Preparing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app
    Original entitlements:
    {
        "application-identifier": "CLX8X3P664.com.fab.lighthouse",
        "aps-environment": "production",
        "com.apple.developer.icloud-container-development-container-identifiers": [
            "iCloud.com.fab.lighthouse"
        ],
        "com.apple.developer.icloud-container-environment": [
            "Production",
            "Development"
        ],
        "com.apple.developer.icloud-container-identifiers": [
            "iCloud.com.fab.lighthouse"
        ],
        "com.apple.developer.icloud-services": "*",
        "com.apple.developer.team-identifier": "CLX8X3P664",
        "com.apple.developer.ubiquity-container-identifiers": [
            "iCloud.com.fab.lighthouse"
        ],
        "com.apple.developer.ubiquity-kvstore-identifier": "CLX8X3P664.*",
        "get-task-allow": false,
        "keychain-access-groups": [
            "CLX8X3P664.*",
            "com.apple.token"
        ]
    }
    ID mappings:
    {
        "CLX8X3P664": "2P5L2S79SV",
        "iCloud.com.fab.lighthouse": "iCloud.s0j.2dg.atgsizuuji"
    }
    Removed entitlements:
    [
        "application-identifier",
        "com.apple.developer.team-identifier"
    ]
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/RIPass.dylib
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/RIPass.dylib
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/RIPass.dylib
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Hackogram.dylib
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Hackogram.dylib
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Hackogram.dylib
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/libsubstrate.dylib
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/libsubstrate.dylib
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/libsubstrate.dylib
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/FBSharedFramework.framework
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/FBSharedFramework.framework/FBSharedFramework
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/FBSharedFramework.framework/FBSharedFramework
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/CydiaSubstrate.framework
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework
    Applying patches...
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework/IGPyTorchFramework
    Patching /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework/IGPyTorchFramework
    Signing
    Signing with original entitlements
    Processing component /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app
    Traceback (most recent call last):
      File "/Users/runner/work/SignTools-CI/SignTools-CI/sign.py", line 388, in <module>
        run()
      File "/Users/runner/work/SignTools-CI/SignTools-CI/sign.py", line 337, in run
        Signer(
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 588, in sign
        popen_check(pipe)
      File "/Users/runner/work/SignTools-CI/SignTools-CI/xsign.py", line 134, in popen_check
        raise Exception(data)
    Exception: {'message': "['/usr/bin/codesign', '--continue', '-f', '--no-strict', '-s', 'Apple Distribution', '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib'] failed with status code 1", 'stdout': '', 'stderr': '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/tmpo6n8fcra/Payload/Instagram.app/Frameworks/Rocket.dylib: invalid or unsupported format for signature'}
    ==============================================
    Uploading screenshot...
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
     16 1171k    0     0   16  192k      0   333k  0:00:03 --:--:--  0:00:03  335k
    
    100 1171k    0   133  100 1171k    119  1054k  0:00:01  0:00:01 --:--:-- 1057k
    =========================
    
    Uploaded 1 file, 1 199 173 bytes
    
    wget https://bashupload.com/CFhVA/test.jpg
    
    =========================
    
    ==============================================
    Cleaning up...
    Error: Process completed with exit code 1.
    

    System configuration

    • SignTools version: latest
    • Installation type: computer
    • Builder type: SignTools-CI
    • Builder version: latest commit

    Additional context

    I'm able to sign other apps, it's just this one that doesn't work. I'm trying to resign it to enable push notifications on Rocket. Do you know if this is strictly because of the app or if it's a bug?

    bug 
    opened by Keagel 6
  • Ngrok error

    When I run the ./start-signer command I get the following:

    Starting service...
    ngrok by @inconshreveable (Ctl+C to quit)
    ngrok does not support a dynamic, color terminal UI on solaris. Access the web interface for connection and tunnel status.
    Version 2.3.35
    Region United States (us)
    Web Interface http://127.0.0.1:4040

    opened by saleem202 6
  • Option to specify the apple account and password in the web UI.

    When opting to use a developer account, it appears that we have to specify both the email and password in a text file:

    data
    |____profiles
    | |____my_profile                # Or what you named your profile
    | | |____cert.p12                # the signing certificate archive
    | | |____cert_pass.txt           # the signing certificate archive's password
    | | |____name.txt                # a name to show in the web interface
    | | |____account_name.txt        # the developer account's name (email)
    | | |____account_pass.txt        # the developer account's password
    | |____my_other_profile
    | | |____...
    

    It's not really good practice to store these in plaintext, even if we are running SignTools on a private server.

    I suggest a feature to have an option to leave these empty and prompt the user for the email and password in the web UI.

    enhancement 
    opened by jpdasma 2
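
Until credentials can be entered in the web UI, their exposure can at least be limited at the file-system level. The following is an added example, not part of the issue or of SignTools' own code: it audits the `data/profiles` layout quoted above for secret files accessible beyond the owning user and tightens them to mode 0600. The function names and the sample tree are assumptions made for the illustration, and the files remain plaintext afterwards.

```python
import os
import stat
import tempfile
from pathlib import Path

# Secret-bearing file names taken from the profile layout quoted in the issue.
SECRET_FILES = ("cert.p12", "cert_pass.txt", "account_name.txt", "account_pass.txt")

def audit_profiles(data_dir):
    """Return (relative path, octal mode) pairs for secret files that are
    symlinks or grant any permission to group or other users."""
    data_dir = Path(data_dir)
    findings = []
    for profile in sorted((data_dir / "profiles").iterdir()):
        if not profile.is_dir():
            continue
        for name in SECRET_FILES:
            path = profile / name
            if not os.path.lexists(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if path.is_symlink() or mode & 0o077:
                findings.append((str(path.relative_to(data_dir)), oct(mode)))
    return findings

def harden_profiles(data_dir):
    """Restrict each flagged regular file to owner read/write; return what is left."""
    for rel, _ in audit_profiles(data_dir):
        path = Path(data_dir) / rel
        if not path.is_symlink():  # never chmod through a link; leave it flagged
            os.chmod(path, 0o600)
    return audit_profiles(data_dir)

def demo():
    """Audit and harden a constructed sample tree (dummy values, not real credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "profiles" / "my_profile"
        profile.mkdir(parents=True)
        for name, mode in (("cert_pass.txt", 0o600), ("account_pass.txt", 0o644),
                           ("account_name.txt", 0o640), ("name.txt", 0o644)):
            (profile / name).write_text("constructed-sample-value\n")
            os.chmod(profile / name, mode)
        return audit_profiles(tmp), harden_profiles(tmp)
```

Run `audit_profiles("data")` from the directory that contains the service's `data` folder; an empty list means no listed secret file is accessible beyond its owner.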
  • Heroku is phasing out their free tier dynos. Alternative one-click deploy options?

    As stated in this blog post from Heroku, they are phasing out the free-tier offerings of their, among other things, Dynos, which SignTools is currently using as one of the ways to deploy the web service, by the end of this November. The Dynos deployed will be automatically deleted if users do not act to switch to a paid plan.

    I think a lot of people who use SignTools are deploying their web services on Heroku. With this kind of breaking change (plus not a good track of security practices), I suggest migration to other cloud app platforms to deploy the web services on. Below I listed several deployment services that are similar to Heroku. I have not checked their pricing or capabilities.

    1. Railway App
    2. Okteto
    good first issue help wanted 
    opened by yohaoquan 1
Releases(v2.6.0)
Owner
Signing tools for your greatest iOS desires