Certificate in Provisioning Profile does not match certificate which signed app

Question

I have an .ipa which I signed using my developer certificate. I sent this .ipa to the client which they have to resign with their own certificate for their in-house distribution. They receive the following error:

FAIL: Certificate in Provisioning Profile does not match certificate which signed app. To fix, re-sign with the Production Distribution certificate named "XXX".

Should I really have to resign this? I assume the client has to resign it with a new certificate and provisioning profile but I'm not certain if this is possible. Is my assumption correct?

It seems to me I shouldn't be responsible for the distribution certificates they own and they are doing something wrong on their end. I could be wrong though and if so - should I sign the .ipa with another certificate?

Answer 1

Resigning the app is possible. And it's often used to create white lable application, when you build the app once and after you resign the build to distribute to the customers. But there are some moments you had to know. The provision profile is related with application bundle identifier. You can't use provision profile from another app. Before changing the provision profile you have to change the application identifier in Info.plist file. Provision profile is trusted by a certificate. Provision profile defines the app features/entitlements (push notifications, distribution type, debugging mode etc) So both Provision Profile and signing certificate are connected.

I used codesign utility (command line tool in macOS system).

To detect issues after signing you can use the following guide:

1. *.ipa file is zip archived folder. Do unzip it by command: $ unzip MYAPP.zip. After that appears folder Payload
2. Find embedded.mobileprovision inside the Payload\MYAPP.app folder. Open it by any plain text editor. I use TextWrangler
3. Read carefully it, you understand is ProvisionProfile valid or not
4. To get information about the code signing status use $ codesign -vv -d Payload/MYAPP.app

Reading all output helps understanding the issue. Also be friendly with Terminal.

More useful tools for signing, detecting certificates in the system at GitHub page

UPDATE (add answer from @avregi):

We fixed it by using the tool called iOS App Signer.

1: I sent the .ipa file signed with the developer certificate to the client.

2: The client creates the desired certificate and provisioning profile in the Apple developer center.

3: The client opens iOS App Signer and fills in the required fields. (In my case: the .ipa, their certificate and provisioning profile).

4: iOS App Signer creates a new resigned .ipa file.

Bonus:

5: You can validate your .ipa file by opening the .app file in finder (Show Package Contents). In this folder search for your .mobileprovision file and inspect it using Provisioning. You should see your new provisioning profile.

If you follow these steps it's possible to resign an .ipa from a developer certificate to a distribution certificate.

IMPORTANT: The app iResigner didn't resign the libswiftCore framework which caused problems for us. I wouldn't recommend this tool since it's outdated.