Introduction

The following is some information on a potential problem, impact and remediation for customers using iOS for BlueWorx (and potentially other enterprise applications, related to iOS version 15+.  In the following we have brought together some relevant information, it falls to customer or their partner to investigate and remediate as they control enterprise app creation and distribution. 

The Problem

With iOS 15 Apple has mandated the use of a new Code Signature Format. Applications built with the prior Code Signature Format will not run on iOS 15. Those apps that fail to comply will receive a message similar to this when trying to launch the application:

Whose Impacted? 

This problem has the potential to occur:

• On update of an iOS device to version 15.
• For applications built with the prior Code Signature Format using the Apple Developer Enterprise Program. This includes most of the deployed versions of the Neptune Mobile Client for iOS which BlueWorx is accessed from

If you have built your Neptune Mobile Client using a Apple mac machine running macOS Big Sur operating system then it appears unlikely that you will have this issue. If you have distributed your Neptune (BlueWorx) Mobile Client via the Apple Business Manager program then it is also very unlikely that this issue will affect your app.

Customers with devices under their control should generally limit the applications of updates until their enterprise apps have been tested on newer releases, but this is not always the case for unmanaged devices. Customers using Neptune for other than BlueWorx purposes that falls within the criteria above will also be impacted, as will their deployment of any internally built iOS enterprise applications - i.e. this is not limited to BlueWorx/ Neptune.

Remediation

Detailed information and remediation steps are in the Apple article at https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format

The remediation can be summarised as re-sign your application on a mac running macOS Big Sur (macOS version 11). Once re-signed you'll need to re-distribute the application.  You may need to build a new version of your application incrementing the version number to enable distribution, and make support call resolution easier. 

The BlueWorx Product Development Team have successfully built Neptune Mobile Clients using macOS Big Sur and can run these on iOS 15. 

Please note that using the 'codesign' command line tool under macOS Catalina to re-sign the app as suggested in the article above is not valid as it's countered by the following information:

We have concluded that the only option to produce application builds for iOS is to use a mac running macOS Big Sur.

I'll share a couple of the things we found out while checking an iOS application "ipa" file to see whether it had an iOS 15 compatible signature.  The Apple article is missing a couple of bits of information.

The article says to run codesign in the terminal to check the .app file.  To get to the .app file unzip the .ipa file.  The easiest way to do this is to change the .ipa file extension to .zip. 

In the screenshot above I renamed mobile_layout_6.0.18.3.ipa to mobile_layout_6.0.18.3.zip and unzipped. The Payload folder was created by the unzip, and that folder contained our .app file.

I could then run the codesign command on the .app file as per the article.

codesign -dv PD1\ Dev.app

The key part of the output is the CodeDirectory v value

CodeDirectory v=20400 size=11769 flags=0x0(none) hashes=359+5 location=embedded

A value of under 20400 means that your app won't run on iOS 15 and a value of 20400 means that you have to do a further check (as outlined in the Apple article).  To do that check run the following codesign command on your .app file.

codesign --display --verbose=5 PD1\ Dev.app 

Check the values under the Page size=4096 to determine whether the signing is iOS 15 compliant.  If you have rows that start with -5, -4, -3, -2 as per the Apple article then the signing is not compliant and you need to resign on a Mac running macOS Big Sur.

Some of these commands weren't clear in the article.

iOS Device Testing

We've done some additional testing and can confirm the following:

There is no requirement to install a new build of your mobile application on older devices, only those with iOS 15+.

Note: Our test build was with an iOS Deployment Target of version 11.0.  This is the default with from version 6 of the cordova-ios platfrom plugin.  The application not running on iOS releases lower than 11 is consistent with the iOS Deployment Target.