Failed to Install after signing the application

[rcM0D]

Hi, I've experience an error while installing the application after I signed it.

applesign -m embedded.mobileprovision -i F65C7C7C47767CE97C0FFEFC351726AED5BFB7B0 -I frida-gadget-12.9.7-ios-universal.dylib -c -a Sample.ipa

then when I try to install it using ideviceinstaller. This is the error:
Install: VerifyingApplication (40%)ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008001: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.BtoW52/extracted/Payload/Sample.app : 0xe8008001 (An unknown error has occurred.)

Been trying this for days can someone help me please. Thank you!

[dki]

Moving discussion here from #113 (comment)

Hi @dki Different errors occur still when installing the resigned IPA.

"Install: PreflightingApplication (30%)ERROR: Install failed. Got error "AppexBundleIDNotPrefixed" with code 0x00000000: Appex bundle at "/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.xMsKhk/extracted/Payload/Sample.app/PlugIns/OneSignalNotificationServiceExtension.appex" with identifier "com.sample.OneSignalNotificationServiceExtension" does not have expected identifier prefix "com.PT.sample-."

It looks like the app you are resigning contains app extensions. Just to make sure you can get past the inital resigning issue, try stripping the extensions with the -p option and see if it will successfully install:

applesign -p -m embedded.mobileprovision -b [bundle identifier] -i F65C7C7C47767CE97C0FFEFC351726AED5BFB7B0 -I frida-gadget-12.9.7-ios-universal.dylib -c -a Sample.ipa

[rcM0D]

Moving discussion here from #113 (comment)

Hi @dki Different errors occur still when installing the resigned IPA.
"Install: PreflightingApplication (30%)ERROR: Install failed. Got error "AppexBundleIDNotPrefixed" with code 0x00000000: Appex bundle at "/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.xMsKhk/extracted/Payload/Sample.app/PlugIns/OneSignalNotificationServiceExtension.appex" with identifier "com.sample.OneSignalNotificationServiceExtension" does not have expected identifier prefix "com.PT.sample-."

It looks like the app you are resigning contains app extensions. Just to make sure you can get past the inital resigning issue, try stripping the extensions with the -p option and see if it will successfully install:

applesign -p -m embedded.mobileprovision -b [bundle identifier] -i F65C7C7C47767CE97C0FFEFC351726AED5BFB7B0 -I frida-gadget-12.9.7-ios-universal.dylib -c -a Sample.ipa

Hello, still having issues even with the parameter -p, Not sure what I'm missing here, but it worked when I tried the IOS app signer, the repatch using applesign.

ideviceinstaller -i Sample-resigned.ipa
WARNING: could not locate iTunesMetadata.plist in archive!
WARNING: could not locate Payload/Sample.app/SC_Info/Sample.sinf in archive!
Copying 'Sample-resigned.ipa' to device... DONE.
Installing 'com.sample.llc'
Install: CreatingStagingDirectory (5%)
Install: ExtractingPackage (15%)
Install: InspectingPackage (20%)
Install: TakingInstallLock (20%)
Install: PreflightingApplication (30%)
Install: InstallingEmbeddedProfile (30%)
Install: VerifyingApplication (40%)ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008001: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.fSkskH/extracted/Payload/Sample.app : 0xe8008001 (An unknown error has occurred.)

[dki]

@kaleb-g can you watch the device syslog while trying to install to see if there are any interesting error messages that might help?

Can you also provide the iOS version and applesign version you are using? Assuming this is happening for any app you try to resign, I'll try to reproduce on one of my devices.

[rcM0D]

HI @dki sorry for the late response.

Here is my iOS version:14.5.1
Applesign:3.8.0

And here is the syslog.
Sep 14 10:37:01 securityd[115] : trustd[109]/1#12 LF=0 copy_parent_certificates Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither application-identifier nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither application-identifier nor keychain-access-groups entitlements}
Sep 14 10:37:01 securityd[115] : trustd[109]/1#12 LF=0 copy_parent_certificates Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither application-identifier nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither application-identifier nor keychain-access-groups entitlements}
Sep 14 10:37:02 cloudd(libboringssl.dylib)[143] : boringssl_context_evaluate_trust_async_external(1532) [C1180.1:4][0x11c37f3e0] Asyncing for external verify block
Sep 14 10:37:02 cloudd(CFNetwork)[143] : Connection 1180: asked to evaluate TLS Trust
Sep 14 10:37:02 cloudd(CFNetwork)[143] : Task <0508DCE1-716B-4130-9091-7610025FF3B7>.<280> auth completion disp=1 cred=0x0
Sep 14 10:37:02 installd(libmis.dylib)[195] : Local Profile '' has non-matching application-identifier.
Sep 14 10:37:02 installd(libmis.dylib)[195] : entitlement '' has value not permitted by provisioning profile ''
Sep 14 10:37:02 trustd[109] : cert[0]: LeafMarkersProdAndQA =(leaf)[force]> 0
Sep 14 10:37:02 trustd[109] : cert[0]: LeafMarkersProdAndQA =(leaf)[force]> 0
Sep 14 10:37:02 installd(MobileSystemServices)[195] : 0x16daf7000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 77: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.ZCXLUd/extracted/Payload/Sample.app : 0xe8008016 (The executable was signed with invalid entitlements.)
Sep 14 10:37:02 installd(MobileSystemServices)[195] : 0x16daf7000 -[MIInstaller performInstallationWithError:]: Verification stage failed
Sep 14 10:37:02 runningboardd(RunningBoard)[32] : Invalidating assertion 32-195-1748 (target:system) from originator [daemon<com.apple.mobile.installd>:195]

P.S. I'm using a free developer account.

Thank you!

[dki]

@kaleb-g My turn to say sorry for the late response! I may have a solution for you. This line stands out for me:

Sep 14 10:37:02 installd(libmis.dylib)[195] : Local Profile '' has non-matching application-identifier.

Can you try this: for the mobileprovision file that you are using, figure out what the bundle ID was of the application it originally came from. Then sign using the following:

applesign -p -m embedded.mobileprovision -b [bundle identifier from the mobileprovision] -i F65C7C7C47767CE97C0FFEFC351726AED5BFB7B0 -I frida-gadget-12.9.7-ios-universal.dylib -c -a Sample.ipa

Based on some testing, it looks like when you use a free Apple ID you have to make sure the bundle ID from the mobileprovision file matches the bundle ID you set in the final ipa file.

[rcM0D]

Hey @dki Happy New Year!

Sorry for the late response again, this worked for me , I guess there's really an issue when using a free Apple ID.

applesign -p -m embedded.mobileprovision -b [bundle identifier from the mobileprovision] -i F65C7C7C47767CE97C0FFEFC351726AED5BFB7B0 -I frida-gadget-12.9.7-ios-universal.dylib -c -a Sample.ipa

Thanks for your help as always, awesome tool! also we were former colleagues hehe, Risker team days! Stay safe!

[trufae]

As a side note there's now the -D flag which takes the first device connected and the associated mobileprovisioning from the cache. So you dont need to pass -m and -i :D