Re-signing Smart IT on Apple iOS

On Apple iOS devices you must re-sign Smart IT by using the iOS re-signing and rebranding utility (referred to as 'utility' in this topic). Make sure that you meet all the pre-requisites provided in Preparing-to-re-sign-and-rebrand-Smart-IT-on-Apple-iOS.

Re-signing by using the utility

Download or copy the iOS re-signing and rebranding utility on your Mac computer. The BMC iOS Rebranding Utility Version 21.3.00 is available from the Electronic Product Distribution (EPD) portal.

To re-sign by using the utility

Open the Resign.dmg file, and run the ResigningUtility.app application.
In the Application name field, select Smart IT, and click Next.
Select an appropriate Smart IT version, and click Next.
Create a new re-signing project, and provide the following details:
- Project Name—Give the re-signing project a name, for example, SmartITResignDemo.
- Project Location—Select a directory on your Mac computer for storing the project.
The utility creates a project file, for example SmartITResignDemo.resign, and subdirectories within the project directory.
Important
If you have previously created a re-signing project, you can use the same project file to re-sign a new .ipa file that is provided as a patch or a new build.
Complete the configurations and entitlements using Auto Generate Button:
Select the provisioning profile path to generate the configurations and entitlements:
(Optional) Re-brand Smart IT, for instructions; see Rebranding-Smart-IT-on-Apple-iOS.
Click Next.
Enter values for xcarchive, provisioningProfiles, signingCertificate that you used for your app.
Click ReSign.
An .ipa file is created in the builds subdirectory in your re-signing project directory. Provide this .ipa file to your iOS users for installing Smart IT.

For more information, see the following blog in the communities: Trending in Support: Re branding Smart IT for Apple iOS client. You can also download the required .dmg file from this blog.

Troubleshooting information

Value of keys in the entitlement files has spaces in it

iCloud configuration is not enabled for Smart IT provisioning profile

Bundle identifier is wrong

Customer is not using enterprise account

Group configuration is not enabled for Smart IT

Smart IT iOS app re-signing process and troubleshooting

Re-signing the entitlement files of Smart IT on Apple watch

Regardless of whether you use Smart IT on Apple watch, to re-sign Smart IT on iOS you must re-sign the entitlement files for SmartITWatch and SmartITWatchExtension.

In Xcode, create the SmartITWatch.entitlements and SmartITWatchExtension.entitlements file in the /path/SmartIT-ResignDir directory, and add the following lines.
SmartITWatch.Entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>XXXXXXX.com.companyName.SmartIT.watch</string>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXX.com.companyName.SmartIT.watch</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.companyName.SmartIT</string>
</array>
</dict>
</plist>
SmartITWatchExtension.entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>XXXXXXX.com.companyName.SmartIT.watch.extension</string>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.companyName.SmartIT</string>
</array>
</dict>
</plist>

Replace the values for the given strings in the SmartITWatch.entitlements and SmartITWatchExtension.entitlements file:

Replace the value for this string	Your value
(Both files) application-identifier	Team prefix and App ID
(Both files) com.apple.security.application-groups	App Group Name
(SmartITWatch.entitlements file only) keychain access groups	Team prefix and App ID

Save the changes.

Replacing the Smart IT APNS certificate with your APNS certificate

After you re-sign, you must replace the Smart IT APNS scertificate with your APNS certificate.

If you are a BMC Helix user, you must first send the APNS certificate to BMC Support. Attach your APNS certificate to your request, and then submit it to BMC support. For more information, see BMC Helix Subscriber Information.

If you are an on-premises user, use these steps to replace the Smart IT APNS certificate:

Use DBFileSync_utility to copy the APNS certificate to the relevant folder.
Stop the Tomcat instance that executes the Smart IT server.
In the Tomcat home folder, locate and open the external-conf folder.
In the external-conf folder, create a certification subfolder.
Place the .p12 file that contains the new APNS certificate that you created in the certification subfolder.
Log in to the Oracle or Microsoft SQL database used for Smart IT.
Go to the PUSH_NOTIFICATION_CERT table, and query for records.
To change the iOS APNS certificate record:
1. In the iOS_Cert field, replace the current value (the default value is GalileoAPNsProduction.p12) with the name of the .p12 file that contains your new APNS certificate.
2. In the iOS_Password row, in plain text, replace the current password with the password of your .p12 file.
Click Save.
Start the Tomcat instance.

Any notifications to iOS devices from your server (or tenant in multitenant environments) are sent by using the new certificate.

Where to go from here

Re-signing manually

In the terminal application, enter the following commands to create a SmartIT-ResignDir folder:
mkdir /path/SmartIT-ResignDir
cd /path/SmartIT-ResignDir
For example, /User/bill/SmartIT-working/SmartIT-ResignDir.
To clear the files of the previous build, enter the following commands:
rm -rf "$(getconf DARWIN_USER_CACHE_DIR)/org.llvm.clang/ModuleCache"
rm -rf ~/Library/Developer/Xcode/DerivedData
rm -rf ~/Library/Caches/com.apple.dt.Xcode
Copy the Galileo.xcarchive file to the SmartIT-ResignDir folder.
The Galileo.xcarchive file is included with the installation files that you can download from the Electronic Product Distribution (EPD).
Create the exportOptions.plist file, and click Open to Edit.
Enter values for the provisioning profiles, signingCertificate, and teamID parameters.  You can find the values for these parameters in the Apple Developer portal.
{
   compileBitcode = 0
   method = enterprise
iCloudContainerEnvironment = Production
   provisioningProfiles = {
com.companyName.SmartIT = "TestDistSmartITDist"; //example value, replace value with profile value provided for app
com.companyName.SmartIT.watch = "TestDistSmartITWatchDist"; //example value, replace value with profile value provided for watch
com.companyName.SmartIT.watch.extension = "TestDistSmartITWatchExtensionDist"; //example value, replace value with profile value provided for watch
    }
   signingCertificate = "iPhone Distribution: BMC Software, Inc." //example value, replace value with enterprise certificate create earlier
   signingStyle = manual
   stripSwiftSymbols = 1
   teamID = "<XXXXXX>" //example value, replace value with team's ID provided for app
   thinning =

}
From the command line, run the following commands:
xcodebuild -exportArchive -archivePath Galileo.xcarchive \
-exportPath ./SmartIT.ipa \
-exportOptionsPlist exportOptions.plist
Re-sign the swift code dylibs with the following script, and replace iPhone Distribution: BMC Software, Inc. with your company certificate installed on this machine.
# Unpackaging app
unzip -q SmartIT.ipa
APP=`ls Payload | tail -1`
# Renaming original IPA
mv SmartIT.ipa SmartITOriginal.ipa
# Replacing mobile provision
echo "Deleting original embedded.mobileprovision"
rm "Payload/Galileo.app/embedded.mobileprovision"
rm "Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"
rm "Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"

echo "Copying embedded.mobileprovision"
cp "SmartITWatchExtension.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"
cp "SmartITWatch.mobileprovision" "./Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"
cp "SmartIT.mobileprovision" "./Payload/Galileo.app/embedded.mobileprovision"

# Resigning ipa
echo "Re-sign by iPhone Distribution: BMC Software, Inc."
# Resigning dylibs
if [ -e Payload/Galileo.app/Frameworks ]
then
for dylib in "Payload/Galileo.app/Frameworks/*"
do
codesign -f -s "iPhone Distribution: BMC Software, Inc." $dylib
done
fi
if [ -e Payload/Galileo.app/Watch/Watch.app/Frameworks ]
then
for dylib in "Payload/Galileo.app/Watch/Watch.app/Frameworks/*"
do
codesign -f -s "iPhone Distribution: BMC Software, Inc." $dylib
done
fi
if [ -e Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch\ Extension.appex/Frameworks ]
then
for dylib in Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch\ Extension.appex/Frameworks/*
do
codesign -f -s "iPhone Distribution: BMC Software, Inc." "$dylib"
done
fi
# Resigning app
codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex"
codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app/Watch/Watch.app"
codesign -f -s "iPhone Distribution: BMC Software, Inc." "Payload/Galileo.app"
# Cleaning output env
rm -r "SmartIT.ipa"
# Packaging ipa
echo "Packaging ipa"
zip -qr "SmartIT.ipa" Payload
echo "Re-signed ipa"
Unzip the ipa file.
unzip –q SmartIT.ipa
In Xcode, create SmartIT.entitlements file in the /path/SmartIT-ResignDir directory, and add the following lines.
You can download a copy of SmartIT.entitlements.
SmartIT.Entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>application-identifier</key>
<string>XXXXXXX.com.companyName.SmartIT</string>
<key>aps-environment</key>
<string>production</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXX.com.companyName.SmartIT</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.companyName.SmartIT</string>
</array>
<key>com.apple.developer.icloud-container-development-container-identifiers</key>
<array>
<string>iCloud.com.companyName.SmartIT</string>
</array>
<key>com.apple.developer.icloud-container-environment</key>
<array>
<string>Development</string>
<string>Production</string>
</array>
<key>com.apple.developer.icloud-container-identifiers</key>
<array>
<string>iCloud.com.companyName.SmartIT</string>
</array>
<key>com.apple.developer.icloud-services</key>
<array>
<string>CloudDocuments</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXX</string>
<key>com.apple.developer.ubiquity-container-identifiers</key>
<array>
<string>iCloud.com.companyName.SmartIT</string>
</array>
<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>XXXXXX.com.companyName.SmartIT</string>
</dict>
</plist>

Replace the values for the following strings in the SmartIT.entitlements file:

Replace the value for this string	Your value
application-identifier	Team prefix and App ID
keychain access groups	Team prefix and App ID
com.apple.security.application-groups	App Group Name
com.apple.developer.icloud-container-development-container-identifiers	iCloud container name
com.apple.developer.icloud-container-identifiers	iCloud container name
com.apple.developer.team-identifier	Team prefix
com.apple.developer.ubiquity-kvstore-identifier	iCloud container name
iCloud Key-Value Store keys	Team prefix and App ID

Re-sign Smart IT on Apple watch by following the instructions at Re-signing the entitlement files of Smart IT on Apple watch.
Rebrand Smart IT on iOS by following the instructions at Rebranding-Smart-IT-on-Apple-iOS.
Replace the mobile provision file.
cp "SmartITWatchExtension.mobileprovision"
"./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/embedded.mobileprovision"

cp "SmartITWatch.mobileprovision"
"./Payload/Galileo.app/Watch/Watch.app/embedded.mobileprovision"

cp "SmartIT.mobileprovision" "./Payload/Galileo.app/embedded.mobileprovision"
Remove the BMC code signature.
rm -r "./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex/_CodeSignature/"

rm -r "./Payload/Galileo.app/Watch/Watch.app/_CodeSignature"

rm -r "./Payload/Galileo.app/_CodeSignature"
Re-sign the IPA by using the name of your company Apple iOS Distribution certificate installed on the Mac machine in place of "iPhone Distribution: BMC Software, Inc.".
/usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements
"./SmartITWatchExtension.entitlements"
"./Payload/Galileo.app/Watch/Watch.app/PlugIns/Watch Extension.appex"

/usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements
"./SmartITWatch.entitlements" "./Payload/Galileo.app/Watch/Watch.app"

/usr/bin/codesign -f -s "iPhone Distribution: BMC Software, Inc." --entitlements
"./SmartIT.entitlements" "./Payload/Galileo.app"
Create the .ipa zip file.
zip -qr "SmartIT-rebranded.ipa" Payload
You must provide the new .ipa file when you deploy Smart IT to your users.