You can sign your application after it has been shielded with OneSpan Mobile Application Shielding. The application needs to be signed before being deployed to end users.

To sign your application you can use an Android App Bundle (AAB) file or an Android package (APK) file.

To use an AAB file

  • Sign the AAB file by running the following command:

    jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore <keystore_file_path> -storepass <keystore_password> -keypass <private_key_password> <aab_file_path> <alias_name>

    where:

    • keystore_file_path is the path of the keystore which contains the private key used to sign your Android application.
    • keystore_password is the password that protects your keystore.
    • private_key_password is the password that protects your private key.
    • aab_file_path is the path of the AAB file shielded with App Shielding by OneSpan.
    • alias_name is the name of the alias that represents the signer's private key and certificate data within the KeyStore.

If you upload your own app signing key, it must be an RSA key with a length of 2048 bits or more.

To use an APK file

  1. Align the APK file by running the following command:

    <android_sdk_path>/build-tools/<build_tools_version>/zipalign -v 4 <my-apk-unsigned> <apk_file_path_final>

    where:

    • android_sdk_path is the path of the Android SDK (e.g. /home/user/software/android-sdk-linux).
    • build_tools_version is the current version of the Android SDK build tools (e.g. 19.1.0).
    • my-apk-unsigned is the unsigned APK file.
    • apk_file_path_final is the path of the APK file ready to be deployed.
  2. Sign the APK file by running the following command:

    <android_sdk_path>/build-tools/<build_tools_version>/apksigner sign --verbose --ks <keystore_file_path> --ks-key-alias <alias_name> --ks-pass pass:<keystore_password> --key-pass pass:<private_key_password> <apk_file_path>

    where:

    • android_sdk_path is the path of the Android SDK (e.g. /home/user/software/android-sdk-linux).
    • keystore_file_path is the path of the keystore which contains the private key used to sign your Android application.
    • alias_name is the name of the alias that represents the signer's private key and certificate data within the KeyStore.
    • keystore_password is the password that protects your keystore.
    • private_key_password is the password that protects your private key.
    • apk_file_path is the path of the APK file shielded with App Shielding by OneSpan.

An application that is signed with SHA-256 might not run on older devices.

You can sign your application after it has been shielded with App Shielding. The application needs to be signed before being deployed to end users.

An XCENT file is necessary to sign the application; this file is located inside the binary and can be found by exploring the content of the application folder. If this file is not part of the binary, you can create it manually.

To manually create an XCENT file

  1. Open the provisioning profile and copy the dictionary (i.e. <dict>…</dict>) located below the entitlement key (i.e. <key>Entitlements</key>).

  2. Create the XCENT file with the following content:

    • Header:

      <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0">
    • Body: Paste the content of the copied dictionary (i.e. <dict>…</dict>).
    • Footer: </plist>

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>keychain-access-groups</key>
        <array>
          <string><bundle_seed_id>.*</string>
        </array>
        <key>get-task-allow</key>
        <false/>
        <key>application-identifier</key>
        <string><bundle_seed_id>.<bundle_identifier></string>
        <key>com.apple.developer.team-identifier</key>
        <string><bundle_seed_id></string>
      </dict>
    </plist>

    Where:

    bundle_seed_id is the bundle seed ID associated with your application (e.g. 8E549T7128).

    bundle_identifier is the bundle identifier associated with your application (e.g. com.apple.AddressBook).

If the application needs to be tested with TestFlight, the XCENT file must contain the flag beta-reports-active, set to true.
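The manual XCENT procedure above can be scripted. The following is an added example, not OneSpan code: it locates the XML property list embedded in a provisioning profile, copies its Entitlements dictionary, and optionally sets beta-reports-active. The function names and the sample profile bytes are constructed for illustration, and the profile's signature is not verified.

```python
import plistlib

XML_START = b"<?xml"
XML_END = b"</plist>"
# Keys present in the sample XCENT file shown on this page.
REQUIRED = ("application-identifier", "com.apple.developer.team-identifier")


def profile_plist(profile: bytes) -> dict:
    """Return the property list embedded in a provisioning profile.

    The profile is a signed container around an XML plist. This finds the
    XML by its markers and does NOT verify the container's signature.
    """
    start = profile.find(XML_START)
    end = profile.find(XML_END, start)
    if start < 0 or end < 0:
        raise ValueError("no embedded XML property list found")
    return plistlib.loads(profile[start:end + len(XML_END)])


def build_xcent(profile: bytes, testflight: bool = False) -> bytes:
    """Build XCENT content: plist header, Entitlements dict, plist footer."""
    entitlements = dict(profile_plist(profile)["Entitlements"])
    missing = [key for key in REQUIRED if key not in entitlements]
    if missing:
        raise ValueError(f"entitlements lack required keys: {missing}")
    if testflight:
        # TestFlight builds need this flag set to true.
        entitlements["beta-reports-active"] = True
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML, sort_keys=False)


# Constructed sample: arbitrary bytes standing in for the signed container,
# wrapped around a plist with made-up identifiers.
SAMPLE_PROFILE = b"\x30\x82\x00\x00" + plistlib.dumps({
    "Name": "Constructed profile",
    "Entitlements": {
        "keychain-access-groups": ["ABCDE12345.*"],
        "get-task-allow": False,
        "application-identifier": "ABCDE12345.com.example.app",
        "com.apple.developer.team-identifier": "ABCDE12345",
    },
}) + b"\x00\x01trailing-signature-bytes"

if __name__ == "__main__":
    print(build_xcent(SAMPLE_PROFILE, testflight=True).decode())
```

Write the returned bytes to a file and pass its path as xcent_file_path when signing.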

If you need to re-sign the application, extract the APP folder from your .ipa file.

To extract the APP folder

  1. Convert the .ipa file into a ZIP file.

  2. Extract the contents of the ZIP file.

    The APP folder is located in the Payload folder.

To sign the APP folder

When performing the steps provided below, avoid clicking into and/or navigating through the .ipa/ZIP file (using Finder)!

Clicking into/navigating through this file may cause the system to automatically create a hidden file (.DS_Store) which will result in a submission error in the app store due to a missing signing ID.

  • Re-sign the frameworks by executing the following command:

    codesign --verbose --force --sign '<signing_identity>' <app_folder_path>/Frameworks/*.framework
  • Re-sign the iOS application by executing the following command:

    codesign --verbose --force --sign '<signing_identity>' --entitlements <xcent_file_path> <app_folder_path>

    Where:

    • signing_identity is the name of the certificate used to sign your iOS application, as displayed in the Keychain Access application (e.g. iPhone Developer: FirstName LastName (xxxxxxxxxx)).
    • xcent_file_path is the path of the XCENT file.
    • app_folder_path is the path of the APP folder shielded with App Shielding.

If issues related to the signing process arise during application execution, the following command can be used to retrieve the entitlements data used by the application:

codesign -d --entitlements :- <app_folder_path>

To recreate the IPA file

  1. Create a Payload folder and copy the APP folder to this directory.
  2. If you are re-signing a Swift binary, add the SwiftSupport and Symbols directories (if symbols were generated during IPA generation) from your build result at the same level as the Payload folder (your ZIP archive should contain both the Payload and the Swift symbol at the root level).
  3. Compress the Payload file and add an .ipa extension.
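
A check to run on the recreated .ipa before submission, given as an added example that is not OneSpan code: it reports any hidden .DS_Store entry (the cause of the submission error described above), confirms there is exactly one APP folder under Payload, and confirms that folder carries the _CodeSignature/CodeResources file that codesign writes. The function names and archive contents are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath


def audit_ipa(ipa) -> list:
    """Return a list of problems found in an .ipa (path or file object)."""
    with zipfile.ZipFile(ipa) as zf:
        names = zf.namelist()
    problems, apps = [], set()
    for name in names:
        parts = PurePosixPath(name).parts
        if ".DS_Store" in parts:
            problems.append(f"hidden Finder file in archive: {name}")
        if len(parts) >= 2 and parts[0] == "Payload" and parts[1].endswith(".app"):
            apps.add(parts[1])
    if len(apps) != 1:
        problems.append(f"expected exactly one Payload/*.app, found {len(apps)}")
    for app in sorted(apps):
        seal = f"Payload/{app}/_CodeSignature/CodeResources"
        if seal not in names:
            problems.append(f"no code signature seal at {seal}")
    return problems


def make_zip(names) -> io.BytesIO:
    """Build an in-memory archive with the given entry names (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed")
    buf.seek(0)
    return buf


# Constructed sample layouts; Demo.app is a made-up application name.
SIGNED = [
    "Payload/Demo.app/Demo",
    "Payload/Demo.app/Frameworks/Lib.framework/Lib",
    "Payload/Demo.app/_CodeSignature/CodeResources",
    "SwiftSupport/iphoneos/libswiftCore.dylib",
]
TOUCHED_IN_FINDER = SIGNED + ["Payload/Demo.app/.DS_Store"]

if __name__ == "__main__":
    print(audit_ipa(make_zip(SIGNED)))             # no problems
    print(audit_ipa(make_zip(TOUCHED_IN_FINDER)))  # one problem
```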