Does custom entitlements works and how to use it ?

[corysus]

Maybe stupid question but is there any example of usage -e, --entitlements ?
I tried to use it like -e custom.plist, -e "key:value" but this not work ?

Thank you!

[emranovin]

Same here ✋🏻
I've tried so many times with plist& xml format for Entitlements. zsign didn't throw any error and just ignore my custom entitlement, whereas I was able to resign successfully with MacOS CODESIGN utility (used in iResign)
I even tried to convert the plist file to DER binary with:
plutil -convert binary1 entitlements.plist
still no chance 😢
My goal is to resign an app with Plugins (like NetworkExtension ro ShareExtension) or at least resign an extension-less app that has a push notification (aps-environment).
I have a question: Should Entitlements match to the ProvisioningProfile or should match the app's execution binary file?
I've extracted my entitlements.plist from provison profile.

[corysus]

I found the only way to do this is to export the IPA and manually modify the Info.plist. However, I encountered another problem, if I modify any part of the Info.plist and sign it with the command zsign -k cert.p12 -p 123 -m pr.mobileprovision -o signed.ipa Payload/Some.app, it does not work. This creates a new IPA with the name signed.ipa. But when I try to install it, it complains about invalid entitlements. To fix this, you can sign it again, but this time with the IPA file, not the .app zsign -k cert.p12 -p 123 -m pr.mobileprovision -o signed_new.ipa signed.ipa. However, this time, zsign will export the file again and perform signing and signed file will work. Finally, to fix this without re-signing the IPA file again, you need to provide the original bundle identifier of the IPA file (CFBundleIdentifier) with -b com.somebundle.id like zsign -k cert.p12 -p 123 -m pr.mobileprovision -o signed.ipa -b "com.somebundle.id" Payload/Some.app.

I'm not sure why not working when signing the exported .app file without using -b ???

[emranovin]

As far as I know Entitlements are not stored in info.plist. which parameter did you changed in info.plist?
And I guest signing with just .app extesnion is not the right thing to do, is it?

[corysus]

Ahh, you are right, entitlements are something different than Info.plist, and yes, we can use zsign to sign Some.app directly, however, we need to provide -b with the bundleId (also need to remove the _CodeSignature folder before signing) or the app will not work. After signing, zsign will pack all files inside .app into Some.ipa.

[xionghailong1205]

Hi, have you solved this problem now? I also want some examples for reference

[corysus]

Hi, have you solved this problem now? I also want some examples for reference

No, I never found or got any answer regarding this :(
If you are JB or TS, you can use ldid to sign an IPA file with entitlements.

[emranovin]

If you are JB or TS, you can use ldid to sign an IPA file with entitlements.

Pardon, what do you mean by JB or TS?

[corysus]

If you are JB or TS, you can use ldid to sign an IPA file with entitlements.

Pardon, what do you mean by JB or TS?

JB = Jailbroken
TS = Trollstore