George Garside Blog

A place of many ramblings about macOS and development. If you find something useful on here, it's probably an accident.

With a jailbreak, you can add your own custom entitlements to any app you install on your device. This can give apps more access to your device that would otherwise not be possible for an app distributed on the App Store, or re-add entitlements to sideloaded apps such as access to iCloud containers.

Create an entitlements.plist

The entitlements you wish to apply to the app need to be declared in an entitlements.plist file. This is the same file that would be included in the app bundle of an app that has these entitlements officially ‘set’ in the app.

Apple provide a list of entitlements that can be applied to an iOS app officially, either granted for anyone to use (providing an App ID is set up with the entitlement) or specifically granted on request to Apple.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>your-entitlement-name-here</key> <true/> </dict> </plist>
Code language: HTML, XML (xml)

Resign app binary with entitlements

  1. Extract the binary from the IPA. IPAs are just ZIP archives, so you can extract it by renaming to .zip or using the command line:
    unzip -qd extracted-ipa /path/to/app.ipa
  2. Find the app’s binary. PlistBuddy can read the Info.plist file for the CFBundleExecutable:
    /usr/libexec/PlistBuddy -c "print :CFBundleExecutable" extracted-ipa/Payload/*.app/Info.plist
  3. Code sign the executable:
    codesign --force --sign "iPhone Developer" --entitlements "/path/to/entitlements.plist" extracted-ipa/Payload/*.app/"$binary"
    replacing the path to the entitlements plist and the $binary being the output from the previous command.
  4. Compress the bundle back into an IPA:
    cd && extracted-ipa && zip -qr "../output.ipa" "Payload/"

Script for multiple apps

If you need to apply entitlements to one or more apps, you can use this script. Save the script and
chmod +x script.sh
then run with
./script.sh /path/to/entitlements.plist /path/to/app1.ipa /path/to/app2.ipa

#!/usr/bin/env bash set -e entitlements="$1" shift [ -d "extracted-ipa" ] && { echo "extracted-ipa already exists"; exit 1; } for app; do ipa="$(basename "$app")" printf "%s " "$ipa" unzip -qd extracted-ipa "$app" binary="$(/usr/libexec/PlistBuddy -c "print :CFBundleExecutable" extracted-ipa/Payload/*.app/Info.plist)" printf "%s\n" "$binary" codesign --force --sign "iPhone Developer" --entitlements "$entitlements" extracted-ipa/Payload/*.app/"$binary" (cd extracted-ipa && zip -qr "../ic-$ipa" "Payload/") trash extracted-ipa echo done
Code language: Bash (bash)

Leave a Reply

0 fotidim’s avatar

I tried your method but the re-signed app while launching fine on the phone, it causes a crash when run on CarPlay. Specifically when the CarPlay extension is run it crashes Springboard. There is no concrete crash log. What I was able to find digging around is “taskgated-helper: Disallowing com.example.app because no provisioning profiles found com.apple.xpc.launchd: (com.example.app)”.

Reply
0 matk’s avatar

Thanks for sharing this. I tried to add the CarPlay entitlement (com.apple.developer.carplay-maps) with this method. Resigning worked but how to sideload the patched ipa to the (jailbroken) Phone? I get an error that the app was signed with invalid entitlements. Would be great if you have any advice. Thanks and Best regards, matk

Reply
0 fotidim’s avatar

You need to install something like AppSync Unified to allow running unsigned or fake signed apps. Then you can install the app through Xcode -> Windows -> Devices and Simulators -> “+” icon.

Reply