Hello,
there is strange problem when you use -i to change values in the info.plist
you can't push the ipa, there is something wrong with the signing
and it is only when you use -i
but without -i everything is ok with ipa with dylibs or plugins

edit: when trying with normal ipa without any framworks or dylibs --info works
edit2: the problem is there is there are a *.bundle/ and in side this folder there are multi *.bundle folders some of them has an info.plist, so the command -i does it change the main info only or all of them which lead to corrupt the ipa

I resigned spa using sign it resigned but that not able push on device it gives app verification fail error I using libmoblile command ideviceinstaller to install , I also tried using iTunes but not able install ipa ,it get stuck while installing IPA . After the extracting ipa Entitlement files was missing .

mac:sign omkarzunjurke$ ideviceinstaller -i resigned.ipa
WARNING: could not locate iTunesMetadata.plist in archive!
WARNING: could not locate Payload/Mobile_diagnostic.app/SC_Info/sample.sinf in archive!
Copying 'resigned.ipa' to device... DONE.
Installing 'sample.app.'

• CreatingStagingDirectory (5%)
• ExtractingPackage (15%)
• InspectingPackage (20%)
• TakingInstallLock (20%)
• PreflightingApplication (30%)
• InstallingEmbeddedProfile (30%)
• VerifyingApplication (40%)
• Error occurred: ApplicationVerificationFailed

Please suggest solution on this ,Thank in advance .

In isign, the Entitlement.plist is hardcoded in bundle.py, but I need create Entitlement.plist from provision file. I know security cms -D -i can decode provision file on Max os, but anyone who knows how to decode provision file on linux?

Thanks.

According to @sah, the part of the code that makes an empty signature actually does work, so bring that back and add tests for it.

It‘s glad to see this project!
But i re-signed ipa can not be properly installed on non jailbroken iPhone!
Help!
Do you not need the following files to re sign the IPA?
--entitlements Entitlements.plist
--resource-rules Payload/appstore.app/ResourceRules.plist

Hi, I was so surprised that you can sign app of developer to customer device for installing, but after do it as document guidelines. I can't install it on another iOS device of customer who has not developer account. With your assumption, how I do it works.

My follow:

• Xcode 7.3
• Developer:
  • Get certificate_dev.p12
  • Gen certificate.pem, key.pem
  • Get app.mobileprovision from apple developer
  • Edit app.mobileprovision to mobdev1.mobileprovision with isign_guess_mobileprovision.sh
  • Sign file.ipa to resign_file.ipa
  • Install file resign_file.ipa (It works)
• Customer:
  • Install file resign_file.ipa (It doesn't work)

Thank you in advance.

First, thanks for creating this utility, I am looking forward to using it for automation tests on mobile. I have had some issue installing on OSX, most of which concerned opensll that I have since fixed. The remaining issue is as follows (this excerpt is from the very end of the install log):

c/_cffi_backend.c:15:10: fatal error: 'ffi.h' file not found

include <ffi.h>

     ^

1 error generated.
error: Setup script exited with error: command 'cc' failed with exit status 1

When I attempt to run isign I get the following:
Traceback (most recent call last):
File "/usr/local/bin/isign", line 4, in
import pkg_resources
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 2793, in
working_set.require(requires)
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 673, in require
needed = self.resolve(parse_requirements(requirements))
File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 576, in resolve
raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: cryptography>=0.7

Any advice?

Thanks!

At least in one case we have seen a dylib with 5 slots.

It was a dylib signed from XCode, from an IPA signed with Sauce's distribution cert. It looks like this:

Executable=/Users/neilk/projects/iresign/stage/Payload/SimpleSaucyApp.app/Frameworks/libswiftCore.dylib
Identifier=com.apple.dt.runtime.swiftCore
Format=Mach-O universal (armv7 arm64)
CodeDirectory v=20200 size=14714 flags=0x0(none) hashes=726+5 location=embedded 
Hash type=sha1 size=20
    -5=4e46ab5d4ce35be43eb18c39854a95a11968ff04
    -4=0000000000000000000000000000000000000000
    -3=0000000000000000000000000000000000000000
    -2=25f25401b4408218501f238f1b1db50350c7d9db
    -1=f65cbbe9a860db86aa0634e0df4757bc98ef5875
     0=5acdd271c485dbff08235389aa44692a85e6cd65

We haven't yet seen a case where -3 is all zeroes. Not sure what this means, but the assertion in codesig.py that dylibs always have 2 seems to be wrong.

Possibly this has something to do with signing with development certs versus distribution certs?

Any suggestions in running in Windows environment?
All the scripts are in shell script... Any other limitations?
I already got python with all modules needed.
The only way I saw in do it is in python script calling isign as show in description.

Exception: Making a signature is not fully implemented. This code wasabandoned since we think our customers will only give us signedapps. But, it almost works, so it's preserved here.

So I guess I am interested in fixing this because I hit an app with it. is there any info that will help before I dive into the code?

There (probably?) isn't anything Sauce-specific about isign, so we can transfer to some public CI server.

In python, isign succeed with empry result, and no output file created. But in command line success...why??
Need help..Thanks :-)

#!/usr/bin/env python
# coding=utf-8

from isign import isign
from OpenSSL import crypto

CERT_FILE_NAME = 'cert.pem'
KEY_FILE_NAME = 'key.pem'

def main():
    p12 = crypto.load_pkcs12(file("Certificates.p12", 'rb').read(), '123456')
    cert = crypto.dump_certificate(crypto.FILETYPE_PEM, p12.get_certificate())
    key = crypto.dump_privatekey(crypto.FILETYPE_PEM, p12.get_privatekey())

    if key != None and cert != None:

        f = file(CERT_FILE_NAME, 'wb')
        f.write(cert)
        f.close()

        f = file(KEY_FILE_NAME, 'wb')
        f.write(key)
        f.close()

        isign.resign(
            input_path = 'test.ipa', 
            output_path = 'test2.ipa',
            certificate = CERT_FILE_NAME,
            key = KEY_FILE_NAME,
            provisioning_profile = 'embedded.mobileprovision',
            apple_cert = 'applecerts.pem',
            )

if __name__ == '__main__':
    main()

# gaosen at 0x5e-MacBook.local in ~/Desktop/test [23:57:19]
→ python resign.py                                                              

# gaosen at 0x5e-MacBook.local in ~/Desktop/test [23:57:36]
→ isign -c cert.pem -k key.pem -p embedded.mobileprovision -o test2.ipa test.ipa
archived Ipa to /Users/gaosen/Desktop/test/test2.ipa

OS X 10.11.4
Python 2.7.11

install isign using git clone (README says)

and not resigned

While I use codesign to resign my extracted ipa with '--entitlements' param to use my Entitlements.plist, I get a well installed ipa package.
But with isign, the output ipa package can't be installed, and it failed on VerifyingApplication stage.
The only difference is the Entitlements.plist, I can't find the Entitlements.plist in directory extracted from codesign package, But in isign package, it's there!

Could isign offer param like '--entitlements' and realize the function in the same way of codesign???

At least for some situations the main executable is required to be executable.

For some reason, after isign resigns the executable, it may go from a mode like 755 to 644.

Also check if the mode of other signables changes.

It would be useful to use this tool to verify the signature on an OSX Application, replicating codesign -v

Self-explanatory

Currently we are just removing WatchKit, but we should have tests for that.

Hi

We have been trying to use isign to resign the .ipa flies put when we try to install they fail to do so.
Tried both from python and the common line with the same result.
The isign tool creates a new .ipa but it fails to verify:
codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' Payload/Incident.iOS.app
Payload/Incident.iOS.app: invalid signature (code or signature have been modified)
In architecture: armv7

If I use codesign tool to resign the spa everything works out fine.
Commands used to resign using isign:
export OPENSSL=/usr/local/Cellar/openssl/1.0.2j/bin/openssl
isign -p MyApp_distribution.mobileprovision -o demo.ipa MyApp.ipa

OS used RHEL 7 and macOS 10.12 same behaviour on both regarding the isign tool.
On the Mac I have:
Xcode 8.1
OpenSSL 1.0.2j 26 Sep 2016
Python 2.7.12

Do you have any advice to what I do wrong?

Fredrik

At least one user has an IPA with a dylib in the main directory, e.g.

Payload/
   Some.app
      some.dylib

We only scan a few locations for dylibs. We might as well look here too.

I always get circular dependencies when trying to use isign with more than just the input + output parameter for resigning. I just had a look at what the executable 'isign' does and tried to write my
own script which does the same, because I don't want to rely on that executable.
For this, I copied the executable (python) code and tried to start the script with the same parameters, but I always get some circular dependencies caused by isign.py.

The idea is that this script will be called from a node process, that's why I am trying to do this...any ideas?

Hi @neilk it seems isign is not compatible with python3.

Apps that use WatchKit can't be signed by isign. Specifically, this creates an ".appex" structure in the app that isign doesn't know about.

We have a pull request in the works for the related issue (#15) with Frameworks, so I think this issue should fall relatively quickly too.

Bug reports would be greatly enhanced if we added a checklist to make sure the reporter would also post an IPA somewhere, or perhaps email it.

Add an App Extension to the TestApp, to test the code we merged in #31

References: https://developer.apple.com/library/ios/documentation/General/Conceptual/ExtensibilityPG/index.html#//apple_ref/doc/uid/TP40014214-CH20-SW1

Old, but possibly helpful https://www.toptal.com/ios/ios-8-app-extensions

I don't why requirements.data.BlobIndex would equals [], but there is a ipa in my company is this case and resign failed. Is there anyone knows how can I fix this?

https://github.com/saucelabs/isign/blob/master/isign/codesig.py#L119

following is error messages:

1339 Traceback (most recent call last):
1340   File "/home/harc/incoming/code/iparesign/resign/resign.py", line 142, in <module>
1341     harc_isign.resign(args.app_paths[0], **kwargs)
1342   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_isign.py", line 50, in resign
1343     info_props)
1344   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_archive.py", line 276, in resign
1345     bundle.resign(signer, provisioning_profile)
1346   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_bundle.py", line 230, in resign
1347     super(App, self).resign(signer)
1348   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_bundle.py", line 164, in resign
1349     self.sign(signer)
1350   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_bundle.py", line 160, in sign
1351     executable.sign(self, signer)
1352   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_signable.py", line 143, in sign
1353     offset, new_codesig_data = self._sign_arch(arch, app, signer)
1354   File "/home/harc/incoming/code/iparesign/resign/rewrite_isign/harc_signable.py", line 91, in _sign_arch
1355     arch['codesig'].resign(app, signer)
1356   File "/home/harc/virtualenv_harc/local/lib/python2.7/site-packages/isign/codesig.py", line 288, in resign
1357     self.set_requirements(signer)
1358   File "/home/harc/virtualenv_harc/local/lib/python2.7/site-packages/isign/codesig.py", line 121, in set_requirements
1359     req_blob_0 = requirements.data.BlobIndex[0].blob                                                                                  
1360 IndexError: list index out of range

I tested some IPA , They can be properly installed , But when they start , they will flash back . Some of them are cracked by Clucth, some are not , they all have Frameworks directory . I'm dealing with it , but I don't have any progress .
here is a ipa

When we're running tests on a Mac, we should use codesign --verify to check if signing has worked.

All open source projects should have a Code of Conduct. isign is a relatively small project, so we could benefit from there being a general Sauce Labs Code of Conduct.

Appium has a pull request for a Code of Conduct, but it has not been accepted yet. In any case it is expected that this will remain distinct from the Sauce Labs Code of Conduct.

If no Sauce Labs Code of Conduct is forthcoming in 2015, we should just adopt our own. Some good ones:

• Citizen Code of Conduct
• Rust's code of conduct

Observation: currently, these codes of conduct evolved from initiatives to combat harassment at conferences or trolling on IRC. This is a great starting point, and our CoC should include those, but there also could be more positive things to say about what conduct should be like, and why and how we behave with decency towards each other.

They also don't deal with negative patterns in coding communities. In particular they don't deal with the common case of covert discrimination via "lawyering". Where poor community behavior is masked by technical prowess, "raising the bar" for contributors, or manipulation of the patch-acceptance process.

Right now, we re-hash every file, every time. But, with re-signing, we only need to re-hash signables (executables, frameworks, etc). Presumably we should be able to trust hashes for data files which were already recorded in the CodeDirectory. Especially for apps with large non-executable resources, like games, the speedup should be significant.

Hello,
i have tried to duplicate apps by resigning them, i have the apps ipa but when i try it i can't not install it in my phone .. maybe there is a signing issue ?

First of all thank you for this awesome utility! I would love to resign apps on Linux :)

Unfortunately either I'm doing something wrong or there is bug since if I try to modify Info.plist and resign afterwards the sign will fail validation because of the Info.plist...

We could probably speed up hashing by parallelizing the work, to exploit multiple processors when available.

We just added new features to update Info.plist properties while resigning, or query Info.plist properties of an app. Should be easy to add some tests for these!

After signing this app I can't install it:

$ isign --verbose 56e939d.ipa.ipa -o out.ipa
got executable /usr/bin/zip for zip
got executable /usr/bin/unzip for unzip
File /private/tmp/56e939d.ipa.ipa not matched as <class 'isign.archive.AppZip'>: no app directory found
got executable /usr/bin/zip for zip
got executable /usr/bin/unzip for unzip
this is an archive, and a zipfile
found one app
is_native: True
File /private/tmp/56e939d.ipa.ipa matched as Ipa
got executable /usr/bin/unzip for unzip
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftContacts.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftCore.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftCoreGraphics.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftCoreImage.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftDarwin.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftDispatch.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftFoundation.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftObjectiveC.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/Frameworks/libswiftUIKit.dylib
no entitlements found
no entitlements found
no entitlements found
working on /var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app/FooApp
Resigned bundle at </var/folders/tb/fhmwrwnn3fz85wcvfhdk58_m0000gn/T/isign-T_re1i/Payload/FooApp.app>
got executable /usr/bin/zip for zip
archived Ipa to /private/tmp/out.ipa
isign --verbose  -o out.ipa  8.07s user 0.98s system 97% cpu 9.294 total

here is the ipa

I compared the original package and the package signed by design with WinMerge. I guess the rules are wrong .
i did some fix, it works for this ipa , but i don't know if it will work for others .

there are some ipas in my company use iMessage app extension, they could be resigned successfully with isign but can not install on iOS10. (no problem install on other iOS version)

when I use isign resign a ipa and install I got following error:
codeSigningInfoByValidatingResources:performingOnlineAuthorization:ignoringCachedSigningInfo:error:]: 404: Code signing identifier (com.netease.testease.qardL63EW79PNY) does not match bundle identifier (com.netease.testease.qard)

anyone who knows how code signing identifier means and what the difference between code signing identifer and bundle identifier?

by the way: I specified -i CFBundleIdentifier=com.netease.testease.qard to isign.

thanks advance.

I resigned with -v, and met errors as following:

following are files at NtUniSdkNetEase2 sub-directory:

I think it's most possibly isign don't support the added Headers sub-directory.

We have working code, and a big old Construct data structure, but it would be nice if this were explicated a bit more, so that someone else could re-implement them just from docs. There are wrappers and offsets which we don't fully understand, but which we figured out from simple observation.

Currently the entitlements are hard-coded. While we eventually want to pull entitlements from the provisioning profile, there will also be cases where the user wants to supply their own.

So, there should be a way of supplying entitlements, which will probably look like:

• An --entitlements flag on the command line
• A entitlements argument to resign()

It seems we may need to update these soon; or at least have a method for doing so.

Our procedure for doing this was already documented in the docs/ folder.

Related issue in the fastlane project: fastlane-old/gym#100

Viz: pyca/cryptography#2350

Something like this incantation works for me:

env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install -U cryptography

Also, we should check for pip >= 8

I having problem in generating the signed code...
I tried in the 2 platforms MacOS and Linux and the problem is the same.
The scenario is: two UDID codes and each single IPA have one of these codes.
I want the input IPA running in other iPhone with an output IPA by iSign.
I ran iSign in a Python code. Not by shellscript or the bin command "isign".
The data in the CodeResources is OK.
But when isign rewrites the compiled binary, something is got wrong in the verification.
I attached the binaries. If you need, I can attach the source code too...
This is a project that have only a View with an Image and Label in center.
I ran some comparing bytes commands to checkout whats is the problem in the binary code.
And I produced the first one as "bin_in". The output is "bin_out"... And as should be, "bin_ref".
To see what Apple make different in every time that sign a code, I produced the "bin_ref2".
So I attaching the hex of comparing bytes...

Have any idea what´s happening?
Anything I doing wrong?

Follow the binaries with test.

sinapse_iSign.zip

At least one app that uses AFNetworking.framework was improperly re-signed.

isign completed, but the install errored out with:

ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008015: Failed to verify code signature of <MIExecutableBundle : path = /private/var/mobile/Library/Caches/com.apple.mobile.installd.staging/temp.Wmi6rR/extracted/Payload/PayPal.app/Frameworks/AFNetworking.framework identifier = org.cocoapods.AFNetworking type = 8> : 0xe8008015 (Signer did not match any installed provisioning profile)

Re-signing with the same identity and provisioning profile, using Apple tools, produced an IPA that was successfully installed.

Following comments by @iMokhles in #43:

after i played little bit with it i got another issue which cause crash also

mapped executable file has no team identifier in its signature:
/private/var/mobile/Containers/Bundle/Application/38E97DCE-4DC0-44D2-A2A6->819E1D1844EB/APP_NAME.app/DYLIB_NAME.dylib
any suggest now ?!

@iMokhles: Can you explain how to replicate this error?

not all zips have a 0 byte entry for the .app directories

PR incoming

somewhere around version 1.4.30 onward isign seems to not install correctly via pip (Python 2.7.11):

here it is working on 1.4.30:

$ docker run -t -i --rm -v `pwd`:/data python:2.7 /bin/bash
root@c148293d5db0:/# pip2 install --upgrade isign==1.4.30
Collecting isign==1.4.30
  Downloading isign-1.4.30.tar.gz
Collecting biplist==0.9 (from isign==1.4.30)
  Downloading biplist-0.9.tar.gz
Collecting construct==2.5.2 (from isign==1.4.30)
  Downloading construct-2.5.2-py2.py3-none-any.whl (72kB)
    100% |████████████████████████████████| 73kB 2.8MB/s
Collecting memoizer==0.0.1 (from isign==1.4.30)
  Downloading memoizer-0.0.1.tar.gz
Collecting pyOpenSSL==0.15.1 (from isign==1.4.30)
  Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
    100% |████████████████████████████████| 106kB 2.4MB/s
Collecting six (from construct==2.5.2->isign==1.4.30)
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting cryptography>=0.7 (from pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading cryptography-1.3.1.tar.gz (383kB)
    100% |████████████████████████████████| 385kB 1.4MB/s
Collecting idna>=2.0 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading idna-2.1-py2-none-any.whl (54kB)
    100% |████████████████████████████████| 57kB 7.3MB/s
Collecting pyasn1>=0.1.8 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting setuptools>=11.3 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading setuptools-20.8.1-py2.py3-none-any.whl (508kB)
    100% |████████████████████████████████| 512kB 1.1MB/s
Collecting enum34 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading enum34-1.1.3-py2.py3-none-any.whl (61kB)
    100% |████████████████████████████████| 61kB 6.5MB/s
Collecting ipaddress (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting cffi>=1.4.1 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading cffi-1.5.2.tar.gz (388kB)
    100% |████████████████████████████████| 389kB 1.2MB/s
Collecting pycparser (from cffi>=1.4.1->cryptography>=0.7->pyOpenSSL==0.15.1->isign==1.4.30)
  Downloading pycparser-2.14.tar.gz (223kB)
    100% |████████████████████████████████| 225kB 2.5MB/s
Building wheels for collected packages: isign, biplist, memoizer, cryptography, cffi, pycparser
  Running setup.py bdist_wheel for isign ... done
  Stored in directory: /root/.cache/pip/wheels/02/75/6a/c11eba8eac035b80d7cf74cc1834da84225ac6451afe614c00
  Running setup.py bdist_wheel for biplist ... done
  Stored in directory: /root/.cache/pip/wheels/f9/d0/e8/a0daa50510fdcc43517f4a0e0419450df0ad672b921888ae2e
  Running setup.py bdist_wheel for memoizer ... done
  Stored in directory: /root/.cache/pip/wheels/dc/71/f0/d7c0f74fac3d8d9713065802b6434b3be1043e3f4943dc1c2b
  Running setup.py bdist_wheel for cryptography ... done
  Stored in directory: /root/.cache/pip/wheels/13/2d/2d/ac35fe11203b317592879853657f6f547826b78660f61e74bb
  Running setup.py bdist_wheel for cffi ... done
  Stored in directory: /root/.cache/pip/wheels/27/94/68/1a8c5c1e8492c8a853e5c96e29fef5a62d00230cefa1389eb5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /root/.cache/pip/wheels/c7/28/31/bac6d0b118c0bdcbf57f9219afdf2e624379c07efa6c769dbc
Successfully built isign biplist memoizer cryptography cffi pycparser
Installing collected packages: biplist, six, construct, memoizer, idna, pyasn1, setuptools, enum34, ipaddress, pycparser, cffi, cryptography, pyOpenSSL, isign
  Found existing installation: setuptools 20.2.2
    Uninstalling setuptools-20.2.2:
      Successfully uninstalled setuptools-20.2.2
Successfully installed biplist-0.9 cffi-1.5.2 construct-2.5.2 cryptography-1.3.1 enum34-1.1.3 idna-2.1 ipaddress-1.0.16 isign-1.4.30 memoizer-0.0.1 pyOpenSSL-0.15.1 pyasn1-0.1.9 pycparser-2.14 setuptools-20.8.1 six-1.10.0
You are using pip version 8.0.3, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
root@c148293d5db0:/# isign
usage: isign [-h] [-p <your.mobileprovision path>] [-a <apple cert>]
             [-k <key path>] [-c <certificate path>] [-o <output path>] [-v]
             <app path>
isign: error: too few arguments
root@c148293d5db0:/# python
Python 2.7.11 (default, Mar  3 2016, 10:57:12)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import isign

Here again on the latest (1.5.6)

$ docker run -t -i --rm -v `pwd`:/data python:2.7 /bin/bash
root@bda331ee5b22:/# pip2 install isign
Collecting isign
  Downloading isign-1.5.6.tar.gz
Collecting biplist==0.9 (from isign)
  Downloading biplist-0.9.tar.gz
Collecting construct==2.5.2 (from isign)
  Downloading construct-2.5.2-py2.py3-none-any.whl (72kB)
    100% |████████████████████████████████| 73kB 3.9MB/s
Collecting memoizer==0.0.1 (from isign)
  Downloading memoizer-0.0.1.tar.gz
Collecting pyOpenSSL==0.15.1 (from isign)
  Downloading pyOpenSSL-0.15.1-py2.py3-none-any.whl (102kB)
    100% |████████████████████████████████| 106kB 3.1MB/s
Collecting six (from construct==2.5.2->isign)
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting cryptography>=0.7 (from pyOpenSSL==0.15.1->isign)
  Downloading cryptography-1.3.1.tar.gz (383kB)
    100% |████████████████████████████████| 385kB 1.3MB/s
Collecting idna>=2.0 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading idna-2.1-py2-none-any.whl (54kB)
    100% |████████████████████████████████| 57kB 6.5MB/s
Collecting pyasn1>=0.1.8 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): setuptools>=11.3 in /usr/local/lib/python2.7/site-packages (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
Collecting enum34 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading enum34-1.1.3-py2.py3-none-any.whl (61kB)
    100% |████████████████████████████████| 61kB 5.3MB/s
Collecting ipaddress (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting cffi>=1.4.1 (from cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading cffi-1.5.2.tar.gz (388kB)
    100% |████████████████████████████████| 389kB 1.3MB/s
Collecting pycparser (from cffi>=1.4.1->cryptography>=0.7->pyOpenSSL==0.15.1->isign)
  Downloading pycparser-2.14.tar.gz (223kB)
    100% |████████████████████████████████| 225kB 2.4MB/s
Building wheels for collected packages: isign, biplist, memoizer, cryptography, cffi, pycparser
  Running setup.py bdist_wheel for isign ... done
  Stored in directory: /root/.cache/pip/wheels/ec/03/9f/cd29088b9da3c4bcca6f22b1adc17751b283037b84b3a62b32
  Running setup.py bdist_wheel for biplist ... done
  Stored in directory: /root/.cache/pip/wheels/f9/d0/e8/a0daa50510fdcc43517f4a0e0419450df0ad672b921888ae2e
  Running setup.py bdist_wheel for memoizer ... done
  Stored in directory: /root/.cache/pip/wheels/dc/71/f0/d7c0f74fac3d8d9713065802b6434b3be1043e3f4943dc1c2b
  Running setup.py bdist_wheel for cryptography ... \done
  Stored in directory: /root/.cache/pip/wheels/13/2d/2d/ac35fe11203b317592879853657f6f547826b78660f61e74bb
  Running setup.py bdist_wheel for cffi ...done
  Stored in directory: /root/.cache/pip/wheels/27/94/68/1a8c5c1e8492c8a853e5c96e29fef5a62d00230cefa1389eb5
  Running setup.py bdist_wheel for pycparser ... done
  Stored in directory: /root/.cache/pip/wheels/c7/28/31/bac6d0b118c0bdcbf57f9219afdf2e624379c07efa6c769dbc
Successfully built isign biplist memoizer cryptography cffi pycparser
Installing collected packages: biplist, six, construct, memoizer, idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, pyOpenSSL, isign
Successfully installed biplist-0.9 cffi-1.5.2 construct-2.5.2 cryptography-1.3.1 enum34-1.1.3 idna-2.1 ipaddress-1.0.16 isign-1.5.6 memoizer-0.0.1 pyOpenSSL-0.15.1 pyasn1-0.1.9 pycparser-2.14 six-1.10.0
You are using pip version 8.0.3, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
root@bda331ee5b22:/# python
Python 2.7.11 (default, Mar  3 2016, 10:57:12)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import isign
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named isign
>>>
root@bda331ee5b22:/# isign
Traceback (most recent call last):
  File "/usr/local/bin/isign", line 4, in <module>
    from isign import isign
ImportError: No module named isign

Is there any way to specify a list of files to sign in addition to the main binary?

For example, Kodi for iOS (and tvOS) has quite a few additional binaries not found by the normal search mechanism which are located in the Resources directory.

It would be nice to have the ability to sign individual binaries and create the seal for the app bundle manually rather than have it all be automatic.

There's a bit of a mess because inside Sauce Labs, we use ~/isign-credentials, but we're recommending the rest of the world use ~/.isign because it's more like unix conventions.

@classam suggests moving the Sauce-specific config to a separate saucelabs_resign(). Alternatively we could just fix prod :)

https://github.com/saucelabs/isign/blob/master/isign/isign.py#L10-25