How to tell what profile/signing certificate was used to sign .ipa?


Ios Problem Overview


I have a bunch of .ipa files and I've used a script to resign them.

So how can I check the provisioning profile/signing certificate to confirm they are using the correct information?

Ideally, I'd like to be able to take any .ipa file and tell which provisioning profile/signing certificate was used to sign it.

Backstory: Our enterprise distribution certificate is expiring and I want to re-sign our stuff. It's a simple task for all the stuff we've made and archived in Xcode, but for 3rd party vendor made distributables I can't do that. I want to avoid asking for a re-signed .ipa file because a new .ipa might include unknown changes and introduce issues and they'd probably charge us too... but I'm more worried about the first issue.

Since both our old and new distribution certificates are still valid (you get a 6-month overlap), I need to be able to confirm the new one is used; otherwise I'd look really silly when the old one expires and the "resigning" script didn't actually do the job.

Ios Solutions


Solution 1 - Ios

Provisioning Profiles have a UUID that can be seen using the Terminal command:

    security cms -D -i (path_to_your_provisioning_profile)

See the UUID section of the command output like:

    <key>UUID</key>
    <string>A008C022-7B82-4E40-8B37-172763E1E3CC</string>

Xcode inserts the provisioning profile used to sign the application within the .app bundle. To find it, rename your .ipa to .zip, uncompress it with Finder, find the .app file in /Payload. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.

Dump its entitlements using the above command and compare that with the UUID found within your profiles in your Xcode Organizer > Devices tab > Provisioning Profile section under "Library". You can use "Show in Finder" on those to reveal their location on disk.

Solution 2 - Ios

Late to the party....

But this tool saves me some time: nomad/shenzhen

$ ipa info /path/to/app.ipa

+-----------------------------+----------------------------------------------------------+
| ApplicationIdentifierPrefix | DJ73OPSO53                                               |
| CreationDate                | 2014-03-26T02:53:00+00:00                                |
| Entitlements                | application-identifier: DJ73OPSO53.com.nomad.shenzhen    |
|                             | aps-environment: production                              |
|                             | get-task-allow: false                                    |
|                             | keychain-access-groups: ["DJ73OPSO53.*"]                 |
| CreationDate                | 2017-03-26T02:53:00+00:00                                |
| Name                        | Shenzhen                                                 |
| TeamIdentifier              | S6ZYP4L6TY                                               |
| TimeToLive                  | 172                                                      |
| UUID                        | P7602NR3-4D34-441N-B6C9-R79395PN1OO3                     |
| Version                     | 1                                                        |
+-----------------------------+----------------------------------------------------------+

2020: Update from the maintainer

https://github.com/nomad/shenzhen/blob/master/README.md

> Note: shenzhen uses the Xcode 6 build API, which has been deprecated for almost 3 years now. This causes problems if your app makes use of Swift 3, watchOS and other app targets.

> A maintained alternative to build your iOS apps is gym which uses the latest Xcode API. To distribute builds, you can use fastlane. More information on how to get started is available on the iOS Beta deployment guide.

Solution 3 - Ios

Based on Bobjt's answer, I used IPCU to get the details of the profile:

  1. Rename your .ipa to .zip

  2. Uncompress it with Finder

  3. Find the .app file in /Payload.

  4. "Show Package Contents" on the .app file and find the provisioning profile with the name embedded.mobileprovision.

  5. Drag the mobileprovisioning file into iPhone Configuration Utility

IPCU shows the Name/Expiration Date etc of the profile.

Solution 4 - Ios

I ended up using a mixture of Bobjt's and HaemEternal's proposed solutions.

  1. Find archive.
  2. Show package content.
  3. Copy .app file out
  4. Show package content of the .app file.
  5. Copy embedded.mobileprovision file out.
  6. Run "security cms -D -i (path_to_your_provisioning_profile)"
  7. Find the UUID number in the output of the call in step 6.
  8. Open iPhone Configuration Utility and look at the profiles to find the one that has the same UUID number.

Solution 5 - Ios

I've been able to successfully test using the following process.

  1. Install original .ipa onto device.
  2. Go to Settings->General->Profiles (see old provisioning profile)
  3. Delete app and old profile from device
  4. Resign app.
  5. Install re-signed app on device
  6. Go to Settings->General->Profiles (see new provisioning profile)

This seems to be a bullet-proof way to confirm the provisioning profile was updated and since the profile only has the 1 signing certificate in it... then we must be signed with the new cert.

(but I still want to find a better way)

Solution 6 - Ios

If you are trying to determine if a specific certificate was used to sign an .ipa, you can do the following:

If you are comfortable with python, you can use this script that I created to compare the certificate(s) embedded in the .ipa to one that you have.

https://gist.github.com/ronsims2/1b7a8b9e15898f9406788988106b2f78

    python ipa_cert_checker.py /Users/janedoe/Documents/Foobar.ipa /Users/janedoe/Documents/barfoo.cer

Alternatively, you can do what the script does manually from the command line of your Mac.

  1. Unzip the IPA archive. It will produce a folder called "Payload".

    unzip Foobar.ipa

  2. Read the embedded provisioning information. Note the package/folder inside of the Payload directory is named the same as the .ipa except with the .app extension.

    security cms -Di Payload/Foobar.app/embedded.mobileprovision

In the output of the above command, the certificate(s) are embedded in the array data elements associated with the key "DeveloperCertificates" as a base64 string.

  3. Copy the certificate(s) (do not include the xml tags and make sure there is no extra whitespace) and save them to a convenient location as text. In this example I will call it "cert_from_foobar.txt"

  4. Base64 encode the known certificate and save the output to a file.

    base64 barfoo.cer > barfoo.txt

  5. Compare the known certificate to the embedded one(s) you saved.

    cmp cert_from_foobar.txt barfoo.txt || echo 'These files are NOT the same.'

If they are the same you will not see any message.
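
The manual comparison in Solution 6, together with the UUID lookup from Solution 1, can be done in one pass. The following is an added example, not the script from the linked gist or any answer's own code: it reads embedded.mobileprovision straight from the .ipa and checks whether a known DER-encoded certificate is listed under DeveloperCertificates. The function names and the in-memory sample IPA are assumptions constructed for illustration.

```python
import hashlib
import io
import plistlib
import zipfile

PROFILE = ".app/embedded.mobileprovision"


def read_embedded_profile(ipa):
    """Return the plist dict from Payload/<name>.app/embedded.mobileprovision."""
    with zipfile.ZipFile(ipa) as zf:
        names = [n for n in zf.namelist()
                 if n.startswith("Payload/") and n.count("/") == 2 and n.endswith(PROFILE)]
        if len(names) != 1:
            raise ValueError("expected one top-level profile, found %d" % len(names))
        blob = zf.read(names[0])
    # The profile is a CMS (PKCS#7) envelope around an XML plist. Slicing the
    # plist out reads its content but does NOT verify the CMS signature.
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found inside the profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_lists_cert(ipa, known_cert_der):
    """Summarise the profile and report whether it lists the known certificate."""
    profile = read_embedded_profile(ipa)
    found = [hashlib.sha256(der).hexdigest()
             for der in profile.get("DeveloperCertificates", [])]
    return {
        "UUID": profile.get("UUID"),
        "Name": profile.get("Name"),
        "ExpirationDate": profile.get("ExpirationDate"),
        "cert_sha256": found,
        "known_cert_listed": hashlib.sha256(known_cert_der).hexdigest() in found,
    }


def constructed_ipa(cert_der):
    """Constructed sample: placeholder framing bytes around a minimal profile plist."""
    plist = plistlib.dumps({"UUID": "00000000-0000-0000-0000-000000000000",
                            "Name": "Constructed Profile",
                            "DeveloperCertificates": [cert_der]})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Foobar.app/embedded.mobileprovision",
                    b"\x30\x80" + plist + b"\x00\x00")
    return buf
```

For a real file, call `profile_lists_cert("Foobar.ipa", open("barfoo.cer", "rb").read())`, assuming barfoo.cer is DER-encoded. This reports which certificates the embedded profile lists; the certificate that actually produced the code signature is the one `codesign -d --extract-certificates` writes out, as in Solution 7.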

Solution 7 - Ios

As far as I could tell, none of the above was actually able to tell me right away if a certain distribution certificate was used, or not.

The following is what worked for me.

First, open the Keychain Access, filter on Certificates, and find the iPhone distribution certificate.

[Screenshot: Keychain Access listing certificates]

Right-click the distribution certificate and choose Get Info. A new window appears.

[Screenshot: Window showing the serial number of a distribution certificate]

Convert this decimal serial number to hexadecimal, for example by selecting and copying it, then paste it into the Calculator app (switch to programmer mode via menu View -> Programmer):

[Screenshot: Calculator app showing a long serial number]

And then switch the segmented control to "16" in the top-right:

[Screenshot: Calculator app showing a long serial number in hexadecimal]

With this knowledge, open a terminal and unzip the IPA, then change into the Payload directory:

$ unzip MyApp.ipa
$ cd Payload

Extract the certificates:

$ codesign -d --extract-certificates MyApp.app

Show the serial of the first certificate:

$ openssl x509 -inform DER -in codesign0 -noout -nameopt -oneline -serial
serial=20DE00FFA05EED03

In this case, the hexadecimal serial matches the above certificate.
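
The serial comparison from Solution 7 without the Calculator step, as an added example that is not part of the original answer: it reads the serial number out of a DER certificate such as the codesign0 file and compares it with the decimal value shown by Keychain Access. The function names are assumptions, and the sample bytes are a constructed fragment (truncated after the serial field) that reuses the serial printed above.

```python
def read_tlv(buf, pos):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, pos, pos + length


def cert_serial(der):
    """Return the X.509 serialNumber of a DER-encoded certificate as an int."""
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file PEM-encoded?")
    tag, start, _ = read_tlv(der, start)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE not found")
    tag, start, end = read_tlv(der, start)    # [0] version (optional) or serialNumber
    if tag == 0xA0:
        tag, start, end = read_tlv(der, end)  # skip version, read serialNumber
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_matches(der, keychain_decimal):
    """Compare as integers, so hex case and leading zeros cannot cause a mismatch."""
    return cert_serial(der) == int(keychain_decimal)


# Constructed fragment: Certificate{ tbsCertificate{ [0] version, serialNumber } }.
CONSTRUCTED_DER = bytes.fromhex("3011" "300f" "a003020102" "0208" "20de00ffa05eed03")
```

`format(cert_serial(der), "X")` gives the same hexadecimal digits that `openssl x509 -serial` prints after `serial=`.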

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
|---|---|---|
| Question | DBD | View Question on Stackoverflow |
| Solution 1 - Ios | Bobjt | View Answer on Stackoverflow |
| Solution 2 - Ios | maersu | View Answer on Stackoverflow |
| Solution 3 - Ios | HaemEternal | View Answer on Stackoverflow |
| Solution 4 - Ios | Lasse | View Answer on Stackoverflow |
| Solution 5 - Ios | DBD | View Answer on Stackoverflow |
| Solution 6 - Ios | Ron Sims II | View Answer on Stackoverflow |
| Solution 7 - Ios | Bart van Kuik | View Answer on Stackoverflow |