bash script to sign iOS/tvOS Kodi

sign_kodi_darwin-embedded.sh

#!/usr/bin/env bash

# required:
# KODI_PATH - path to Kodi app that will be resigned, can be deb / ipa / app
# PROVISIONING_PROFILE - path to provisioning profile
# CODE_SIGN_IDENTITY - certificate name, e.g. 'iPhone Developer: ***'

# optional:
# OUT_DIR - where to save the resulting file
# PACKAGE_IPA - set to 1 to create .ipa file instead of plain .app

# check required variables
if [ ! -f "$KODI_PATH" -a ! -d "$KODI_PATH" ]; then
  echo "app not found at KODI_PATH $KODI_PATH"
  exit 1
fi
if [ ! -f "$PROVISIONING_PROFILE" ]; then
  echo "profile not found at PROVISIONING_PROFILE $PROVISIONING_PROFILE"
  exit 1
fi
if [ -z "$CODE_SIGN_IDENTITY" ]; then
  echo "CODE_SIGN_IDENTITY not set"
  exit 1
fi

# https://stackoverflow.com/a/13087801/1971301
function abspath {
  if [[ -d "$1" ]]
  then
    pushd "$1" >/dev/null
    pwd
    popd >/dev/null
  elif [[ -e $1 ]]
  then
    pushd "$(dirname "$1")" >/dev/null
    echo "$(pwd)/$(basename "$1")"
    popd >/dev/null
  else
    echo "$1" does not exist! >&2
    return 127
  fi
}

KODI_FULL_PATH=$(abspath "$KODI_PATH")
outDir="${OUT_DIR:-$(pwd)}"

# dir for temp files
tempDir=$(mktemp -d -t "kodi-sign")
pushd "$tempDir" >/dev/null

# extract .app from supported types
extension="${KODI_PATH##*.}"
case "$extension" in
deb)
  ar -p "$KODI_FULL_PATH" data.tar.lzma | tar -xf -
  CODESIGNING_FOLDER_PATH="$tempDir/Applications/Kodi.app"
  ;;
ipa)
  unzip -q "$KODI_FULL_PATH"
  CODESIGNING_FOLDER_PATH="$tempDir/Payload/Kodi.app"
  ;;
app)
  cp -R "$KODI_FULL_PATH" .
  CODESIGNING_FOLDER_PATH="$tempDir/$(basename "$KODI_PATH")"
  ;;
*)
  echo "$extension files aren't supported"
  popd
  rm -rf "$tempDir"
  exit 1
  ;;
esac

function getPlistValue {
  /usr/libexec/PlistBuddy -c "Print :$1" "$2"
}

# get bundle ID from provisioning profile
provisioningContents="provisioningContents.plist"
security cms -D -i "$PROVISIONING_PROFILE" > "$provisioningContents"
bundleID=$(getPlistValue Entitlements:application-identifier "$provisioningContents")
bundleID="${bundleID#*.}"

# and set it to the Info.plist
infoPlist="$CODESIGNING_FOLDER_PATH/Info.plist"
/usr/libexec/PlistBuddy -c "Set :CFBundleIdentifier $bundleID" "$infoPlist"

# fetch signing script from the Kodi repo
codesignScript=$(curl -fsSL https://raw.githubusercontent.com/xbmc/xbmc/master/tools/darwin/Support/Codesign.command)
# apply fix
codesignScript=${codesignScript/'! -f ${GEN_ENTITLEMENTS}'/''}
# execute the script
CODESIGNING_FOLDER_PATH="$CODESIGNING_FOLDER_PATH" \
  PLATFORM_NAME=$(getPlistValue DTPlatformName "$infoPlist") \
  bash -c "$codesignScript"

# copy provisioning profile to the app bundle
cp "$PROVISIONING_PROFILE" "$CODESIGNING_FOLDER_PATH/embedded.mobileprovision"

# get entitlements from provisioning profile
entitlements="Kodi.entitlements"
provisioningXML=$(security cms -D -i "$PROVISIONING_PROFILE")
/usr/libexec/PlistBuddy -x -c 'Print :Entitlements' /dev/stdin <<< $(echo "$provisioningXML") > "$entitlements"
# sign app bundle
codesign -vvvv -fs "$CODE_SIGN_IDENTITY" --entitlements "$entitlements" "$CODESIGNING_FOLDER_PATH"

# put the signed file to the output dir
mkdir -p "$outDir"
if [ "$PACKAGE_IPA" == "1" ]; then
  payloadDir="Payload"
  if [ "$extension" != "ipa" ]; then
    mkdir "$payloadDir"
    mv "$CODESIGNING_FOLDER_PATH" "$payloadDir"
  fi
  outAppPath="$outDir/$(basename "$KODI_PATH" .$extension).ipa"
  rm -f "$outAppPath"
  zip -qr "$outAppPath" "$payloadDir"
else
  outAppPath="$outDir/$(basename "$CODESIGNING_FOLDER_PATH")"
  rm -rf "$outAppPath"
  mv "$CODESIGNING_FOLDER_PATH" "$outDir"
fi

popd >/dev/null
rm -rf "$tempDir"
echo "signed app: $outAppPath"