Add ability to view code signing entitlements in the application binary
tonyxiao opened this issue
This will help debugging issues such as the following.
Viewing the application binary with a hex editor and searching for a text keyword like "keychain" will reveal the presence of such entitlements.
Interesting, thanks, I'll check it out.
Closing, as it already displays all bundled entitlements.
@ealeksandrov I'm talking about the entitlements that you would see from running codesign -d --entitlements - YourApp.app on your app, which can be different from embedded.entitlements if the app was incorrectly signed.
My workflow currently involves unzipping the IPA and then running the above command to display the entitlements info encoded into the application binary, and then comparing that with the entitlement info in the provisioning profile (which is what ProvisionQL displays). It would be super nice if these things were right there alongside each other.
Thanks for mentioning it!
+1 for this one.
The entitlements that the plugin displays right now come from embedded.mobileprovision, but the actual entitlements are usually different. We use a similar command: codesign -d --entitlements - path/to/App.app.
For us it's super important, because the provisioning profile will always have a keychain-access-groups entry like this:
<key>keychain-access-groups</key>
<array>
<string>FPBCDAABCD.*</string>
</array>
But the actual entitlements are like this:
<key>keychain-access-groups</key>
<array>
<string>FPBCDAABCD.au.com.company.app</string>
<string>FPBCDAABCD.au.com.company.shared</string>
</array>
So it would be very useful if we could look at those with the plugin instead of running shell commands each time.
See PR #16
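The comparison described in the comments above (entitlements signed into the binary versus those granted by the provisioning profile), as an added example that is not part of the thread or of ProvisionQL. It assumes both entitlement plists have already been extracted as XML; the sample data is constructed from the snippets quoted above, with one extra keychain group and a get-task-allow key added to show a mismatch, and the function names are hypothetical.

```python
import plistlib

# Constructed samples: the keychain groups come from the snippets in the thread;
# the third group and get-task-allow are added here to show a mismatch.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>keychain-access-groups</key>
<array><string>FPBCDAABCD.*</string></array>
<key>get-task-allow</key><false/>
</dict></plist>"""

SIGNED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>keychain-access-groups</key>
<array>
<string>FPBCDAABCD.au.com.company.app</string>
<string>FPBCDAABCD.au.com.company.shared</string>
<string>ZZZZZZZZZZ.other.group</string>
</array>
<key>get-task-allow</key><true/>
</dict></plist>"""

def covered(value, granted):
    """Assumption: a trailing '*' in a profile string is a prefix wildcard."""
    if isinstance(value, str) and isinstance(granted, str) and granted.endswith("*"):
        return value.startswith(granted[:-1])
    return value == granted

def compare_entitlements(profile, signed):
    """Return (key, problem, value) for signed entitlements the profile does not cover."""
    findings = []
    for key, value in signed.items():
        if key not in profile:
            findings.append((key, "missing from profile", value))
            continue
        grants = profile[key] if isinstance(profile[key], list) else [profile[key]]
        for item in (value if isinstance(value, list) else [value]):
            if not any(covered(item, g) for g in grants):
                findings.append((key, "not covered by profile", item))
    return findings

def check(profile_xml, signed_xml):
    """Parse both XML plists and compare them."""
    return compare_entitlements(plistlib.loads(profile_xml), plistlib.loads(signed_xml))

if __name__ == "__main__":
    for key, problem, value in check(PROFILE_XML, SIGNED_XML):
        print(f"{key}: {problem}: {value!r}")
```
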