Sign an App Signing Package

Administrators can download a signing package to sign native apps outside of the Admin Portal. For iOS and Android apps, using the signing package is an alternative to signing with the Portal. However, iOS apps with watchOS components *must *be signed with the signing package.

For more information about what signing is and why you need to do it, see About Signing.

note

When you re-sign an app that was already installed on any of your users' devices, it is important that you sign it with the same signing credentials used to previously sign it.

caution

Signing Package & App Policies

If you download the signing package for an app that has policies applied to it, VAR::COMPANYNAME App Management retains those policy settings when you sign the app; you do not need to reapply the policies after you upload the signed app. In fact, you _should not reapply policies to the app. If you do, the app will no longer function properly. If you need to modify an app's policies or apply new policies, you must first upload the original version of the app.

info

Signing Hybrid Apps

If the iOS or Android application was created when you added a hybrid app to Digital.ai App Management, you cannot edit the application to upload the signed version. Instead, you will need to add a new iOS or Android application and upload the IPA or APK that you signed using the signing package.

Note that when you add an app as a new iOS or Android application, it will not retain policies that you applied to the app before downloading the signing package. Therefore, if you apply policies to a hybrid app, you should sign it with the Admin Portal.

Download the Signing Package

Before you can sign an app with the signing package, you must download it.

To download the signing package for an app

1. On the Admin Portal nav bar, click Applications.
2. Find the app you want to sign.
3. Click Sign under the app's name. The app's Details page opens to the Signing tab.
4. Click Download Signing Package at the bottom of the page.
5. In the dialog box that opens, click Save File and save the signing package ZIP file to your computer.
6. Unzip the ZIP file into a directory. The rest of this page refers to that directory as the "working directory."

The signing package includes the app binary file and a README with a brief version of the instructions on this page. Depending on the app type, the package may also include a signing script and some other files.

Click here for a description of the signing package contents based on app type...

App Type	Content of the Signing Package
iOS	.ipa file	App binary.
	signApp.py	Signing script.
	signables_manifest.txt	A manifest file included in the signing package only if the app includes app extensions. If your app includes extensions, you may need to modify this file, as described in the Sign an iOS App procedure below.
	README file-	Instructions for using the signing script.
Android	.apk file	App binary.
	README file	Instructions for using the Jarsigner utility provided with the Android SDK.

Sign an iOS App

Before You Begin

Check that you have met all of the requirements in Signing Prerequisites.

In the procedure below, you will need to copy the required provisioning profiles to the working directory where you unzipped the signing package. If your app does not contain extensions, you need only one distribution provisioning profile. If your app contains extensions or watchOS components, you may need multiple distribution profiles. For more information, see App Extensions and Entitlements.

For instructions on creating a distribution certificate and distribution provisioning profiles, as well as information on the difference between wildcard and explicit provisioning profiles, see iOS Signing Requirements.

Sign the iOS App

To sign an iOS app using the signing package

1. Copy one or more distribution provisioning profiles to the working directory. If the app has extensions, be sure to copy all the profiles needed to sign the app.

2. Open a Terminal and change to the working directory.

3. If your app contains extensions and you are signing with distribution provisioning profiles that have bundle IDs that don't match the bundle IDs for the app and its extensions, then continue with this step. Otherwise, continue with step 4.

   When Digital.ai App Management creates the iOS signing package, it determines how many parts of your app need to be signed and lists these parts in the signables_manifest.txt file. If the App IDs in your distribution provisioning profiles do not match the bundle IDs for the app and its extensions, then you need to edit the signables_manifest.txt file to identify which profile should be used to sign each part of the app.

   Click here for instructions on editing the manifest file...

   Edit each entry in the file to provide the filename for the distribution provisioning profile that signApp should use when signing that part of the app.

   The following example shows the signables_manifest.txt file, before and after it is edited, for an app that includes several app extensions.

   

4. Type the following command to execute the signing script. The command is case-sensitive; be sure to type a capital A in the script name.

   ./signApp.py

5. Check for errors. If there are errors, refer to Troubleshooting below. If the script completes without errors, you a new version of the appname.ipa file exists in your directory. This is your newly signed app.

6. Upload the newly signed app to Digital.ai App Management. For instructions, see Edit or Update an Application.

7. Enable the app if you are ready to make it available to your users. For instructions, see Disable or Enable an Application.

Troubleshooting

If the signApp script returns an error, check for the following issues:

• The distribution certificate and private key are not installed properly in your Login Keychain. Use Keychain Access to verify that both the certificate and private key are listed in your Login Keychain.
• The app contains extensions and you are signing the app with multiple distribution provisioning profiles, but you edited the signables_manifest.txt file incorrectly or did not edit it at all. See step 3 in the procedure above.
• You have more than one distribution certificate with the same name in your Keychain. The certificate name that you specify when you execute the script must be unique across all Keychains. For example, you cannot have a certificate with the same name in both the Login and System Keychains. If you have the certificate in more than one Keychain, you should delete it from all Keychains other than the Login Keychain, but first you should make sure that there are no other apps using the certificate in the other Keychain.

Back to Top

Sign an Android App

Before You Begin

Check that you have met all of the requirements in Signing Prerequisites.

Check that the Java Development Kit (JDK) and Android Developer Tools (ADT) are installed. If you need to install these tools, you can download them from the following links:

• JDK: http://www.oracle.com/technetwork/java/javase/downloads/index.md
• ADT: https://developer.android.com/studio/index.md#command-tools

note

This procedure is based on the most recent version of Google's tools and processes.

Sign the Android App

info

If you are performing this procedure after applying policies to an application, begin with step 3.

To sign an Android app using the signing package

1. Open a Terminal and change to the working directory that contains the APK file.

2. Type the following command to remove any signature that may already be in the APK file. Replace text in square brackets "[ ]" with the name of your app.

   zip [app-name.apk] -d "META-INF/*.SF" "META-INF/*.RSA" "META-INF/*.DSA" "META-INF/*.MF"

3. Optimize the final APK file. Adapt the parameters in square brackets "[ ]" with values specific to your project:

   zipalign -p -v 4 [my_application.apk] [my_application_new_name.apk]

4. Type the following command to sign the app file using the certificate/private key pair in your Java keystore. The -verbose argument enables verbose output. Note that you will be prompted to provide the keystore and key passphrases that you defined when you created the keystore.

   apksigner sign --ks [keystore] --ks-pass pass: [keystore_pass] --key-pass pass: [key_pass] --cert [signer's_certificate_chain] app-name.apk

5. Upload the newly signed app to Digital.ai App Management. For instructions, see Edit or Update an Application.

6. Enable the app if you are ready to make it available to your users. For instructions, see Disable or Enable an Application.

Back to Top