0

We have an enterprise app. New users get this in their console:

May 3 10:16:48 Super-iPhone installd(MobileSystemServices)[3184] <Notice>: 0x16e037000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 147: Failed to verify code signature of /private/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.T5yQJd/extracted/Payload/myapp.app : 0xe8008015 (A valid provisioning profile for this executable was not found.) May 3 10:16:48 Super-iPhone installd(MobileSystemServices)[3184] <Notice>: 0x16e037000 -[MIInstaller performInstallationWithError:]: Verification stage failed

but users who already have the apps can still install the app (reinstalling it). Confirmed re-install by running the app, navigating to a different screen, then switching to the browser to reinstall. After re-installing (watching the progress indicator on the home screen), reopening the app starts up at the entrypoint.

If this is Certificate & provisioning related as I suspect, why can existing users re-download it?

quantumpotato
  • 9,637
  • 14
  • 70
  • 146

1 Answers1

0

It's likely that the provisioning profile embedded in the .ipa is either missing, invalid, corrupt or expired. Unzip the enterprise .ipa and open up the Payload/myapp.app/embedded.mobileprovision file (it will be binary but contain a chunk of plain text XML that most text editors will let you see). Check the application-identifier matches the app bundle ID and other fields including the the ExpirationDate are valid.

The reason the app installs over existing working ones is that the former, valid provisioning profile is likely still in place from the previous .ipa. This will be enough for a new version of the app (specifically based on the app bundle ID) to install and run. To check this you can always use Apple Configurator 2 and select the devices to look at the installed profiles. On a working device you could delete the provisioning profile and try the installation again and I suspect that would fail.

TendrilSix
  • 136
  • 3
  • The provisioning profile expiratio nfrom the .ipa download is not until this December of 2017 – quantumpotato May 04 '17 at 16:11
  • The application identifier looks right and matches the prefix (the prefix being the alphanumeric for tbefore * of the com.company.app ) – quantumpotato May 04 '17 at 16:14
  • So the next place to look will be to check the signature and the certificates used - is it possible those have changed or been revoked since the last build or the provisioning profile was generated? Useful commands to help you go looking include "security cms -D -i embedded.mobileprovision" to cleanly parse the profile and "codesign -dvvv myapp.app" (from within the unzipped Payload directory) to validate the code signatures and show the trust relationship. – TendrilSix May 05 '17 at 09:04
  • I checked on the developer portal, the provisioning profile and certificate look valid until 2018 – quantumpotato May 06 '17 at 20:51