Feather icon indicating copy to clipboard operation
Feather copied to clipboard
verified publisher icon khcrysalis

[Feature] Entitlements Modification

Open notwhoyouthink123 opened this issue 9 months ago • 7 comments

Feature Description

An option to remove some entitlements from cert when signing ipa

Start going into detail..

Hey, Thanks For great app. Is it possible for you that you can add a way by which we can remove some entitlements from our cert before signing.

notwhoyouthink123 avatar Mar 05 '25 16:03 notwhoyouthink123

Entitlements are tied to the app id for which the provisioning profile was issued, change the entitlements in the ADP console and re-issue your provisioning profile

castdrian avatar Mar 05 '25 16:03 castdrian

Yes I know they are tied to the Profile but what i meant is like get the original entitlements from cert in a xml format, remove entitlements as we want and then sign the ipa with this custom entitlements file.

notwhoyouthink123 avatar Mar 05 '25 16:03 notwhoyouthink123

I'm not sure that'd actually affect anything in the case of ad-hoc distribution, I'm not aware of it influencing already present entitlements, could you elaborate

castdrian avatar Mar 05 '25 16:03 castdrian

+1 for entitlement modifications.

Not sure if my use case is similar to OP's or not. When I want to install a duplicate copy for some apps (second copy), it is useful to modify the keychain-access-group value in the entitlement xml file so each copy of the app would be separate.

I hope you reconsider this feature request. Thank you.

gx8z avatar Mar 25 '25 12:03 gx8z

Sorry for replying so late.

One big reason to use a custom entitlements file is when sideloaded apps crash because of iCloud entitlements. Some apps have iCloud keys in their entitlements, like com.apple.developer.ubiquity-kvstore-identifier, but normal developer accounts don’t support iCloud. That can cause the app to crash right after opening.

For example, this app: https://apps.apple.com/app/id1499198946 crashes when signed with a dev cert unless you remove the iCloud entitlements. If you use a custom entitlements.xml to remove them (like in eSign), the app works fine.

Another reason is for installing duplicate apps (like two copies of the same app). Then you might want to change the keychain group or something similar, so the second app doesn’t conflict with the first one. Editing entitlements helps with that too.

So it’s not just about the provisioning profile, but also about having more control over the final signed app.

notwhoyouthink123 avatar May 05 '25 15:05 notwhoyouthink123

+1 to this. Would be great, I actually use this often but I dont want to use E-Sign anymore

binnichtaktiv avatar May 09 '25 08:05 binnichtaktiv

Planned. We just need to figure out why some issues occur with large entitlement files before releasing it. (most likely a Zsign issue, I will need to look into this extensively when I get the chance)

khcrysalis avatar May 21 '25 04:05 khcrysalis

Is there any progress on this functionality?

mlshdev avatar Dec 06 '25 00:12 mlshdev

@khcrysalis

mlshdev avatar Dec 06 '25 15:12 mlshdev

Zsign is still a hit or miss when it comes to entitlement modification, sometimes crashing when too large of entitlements are provided. Contributions are welcome though!

khcrysalis avatar Dec 06 '25 18:12 khcrysalis

Zsign is still a hit or miss when it comes to entitlement modification, sometimes crashing when too large of entitlements are provided. Contributions are welcome though!

That's right - zsign crashes when too many entitlements are set but from my experience you need A LOT of entitlements (we are talking about 80-90% of entitlements checked on apple dev website) so including it in "Experimental" section probably wont hurt anyone and in the worst case error would be shown.

mlshdev avatar Dec 06 '25 19:12 mlshdev

That's right - zsign crashes when too many entitlements are set but from my experience you need A LOT of entitlements (we are talking about 80-90% of entitlements checked on apple dev website) so including it in "Experimental" section probably wont hurt anyone and in the worst case error would be shown.

It is already available as an experiment, but it's only available via donating or manually compiling yourself https://github.com/khcrysalis/Feather/blob/main/Feather/Views/Signing/SigningView.swift#L222-L227

khcrysalis avatar Dec 13 '25 10:12 khcrysalis

That's right - zsign crashes when too many entitlements are set but from my experience you need A LOT of entitlements (we are talking about 80-90% of entitlements checked on apple dev website) so including it in "Experimental" section probably wont hurt anyone and in the worst case error would be shown.

It is already available as an experiment, but it's only available via donating or manually compiling yourself https://github.com/khcrysalis/Feather/blob/main/Feather/Views/Signing/SigningView.swift#L222-L227

Can I build it with GitHub actions?

binnichtaktiv avatar Dec 13 '25 11:12 binnichtaktiv

That's right - zsign crashes when too many entitlements are set but from my experience you need A LOT of entitlements (we are talking about 80-90% of entitlements checked on apple dev website) so including it in "Experimental" section probably wont hurt anyone and in the worst case error would be shown.

It is already available as an experiment, but it's only available via donating or manually compiling yourself https://github.com/khcrysalis/Feather/blob/main/Feather/Views/Signing/SigningView.swift#L222-L227

Can I build it with GitHub actions?

Yes, it’s the same as building via XCode CLI just use macOS runner macos-26-xlarge or macos-26 & edit actions file to match image specifications https://github.com/actions/runner-images/blob/main/images/macos/macos-26-arm64-Readme.md

mlshdev avatar Dec 16 '25 11:12 mlshdev