iOS 14.5 breaks all Unreal apps made on Windows (and temporary workaround)

The recent iOS 14.5 update seems to block any Unreal app made on Windows. The issue relates to the code signing format which Apple have recently changed, and as of iOS 14.5, the legacy format will no longer install at all, with no option to override. What’s worse is that Apple have already prevented downgrading back to version prior to iOS 14.5. Thanks Apple!

I’ve submitted a bug report to Epic, and hopefully this will be fixed as it could be a major problem for some people. The issue relates to the program IPhonePackager.exe which Unreal uses to package and code sign apps for iOS. Even with a remote build, the actual final packaging is done on Windows. IPhonePackager.exe seems to date back to the days of Unreal 3, so a fix may not be trivial and we can’t assume that it will happen soon.

I’m posting this in case I can save anyone the trouble I’ve had during the last week, trying to find a workaround to whilst working on a production using a Unreal iPad/Phone app. It’s been incredibly frustrating to have Apple do this at this time. I understand that security and updates are their priority, but to not even give the option for advanced users to override locking out apps that days before worked absolutely fine is madness.

For anyone who already has an app published on the app store, in theory this should automatically be re-signed and work as usual. I would imagine this also happens if using TestFlight. For me, this isn’t an option, and I use a development profile with a UUID list of all the device I use. I have a feeling that trying to upload any new apps to the app store or test flight will now fail due to the legacy code signing (it was one of the many reasons for rejection when I tried to make test flight work).

For anyone making iOS apps in Unreal on OSX, I would guess that the code signing is not an issue (assuming you are able to run the latest OSX/xcode).

Anyway, I finally have a temporary fix that allows me to make apps made on Windows work on iOS 14.5 devices without any dodgy hacks or jailbreaking. There are 2 caveats however, a new developer certificate will need to be made, and access to a Mac is needed (or an OSX Virtual Machine).

1. Create new developer Certificate for keychain

On the Mac, go to the Keychain Access app, at the top, go to Keychain Access → Certificate Assistant → Request a Certificate → Request a Certificate from a Certificate Authority. Enter the details (and select save to disk) to generate a new signing request file.

(This is the equivalent of using IPhonePackager.exe to create a “Certificate request and key pair” when first creating a new developer profile on windows.)

Go to your Apple Developer account online and under “Certificates”, create a new developer Certificate using your new signing request file that you generated. Then, Download your new developer Certificate (needed on PC and Mac).

(Your developer account may only let you create 1 of each type of developer Certificate, so worst case you may have to delete your existing one. In my case I created a new “iOS App Development” certificate which seems to do the same job as my existing “Apple Development” certificate.)

In the “Profiles” section, edit your app Provision Profile to include the new developer certificate. Download this to the PC.

On the mac, in Keychain Access, install the new developer Certificate file to your login keychain (drag the file in). If this works correctly, you should see it appear in Keychain, and you should be able to expand it to view the private key linked to it. This is important.

In Keychain Access, right click the Developer Certificate and click “Export [your certificate name]”. Save a .p12 file, and it should ask you to give it a new password. Copy this to your PC.

2. Build Unreal Project

Now, back in Windows, go to your Unreal project, and go to iOS in Project Settings, click “Import Certificate” and add your new .p12 file and it should ask for the password. (This is instead of the usual process of selecting a .cer followed by a separate .key file.)

Click “Import Provision” and add (or update) your new Provision Profile file.

You can now package your project as an .ipa file for IOS. (currently this file will fail to install on iOS 14.5 due to the legacy code signing)

Copy the .ipa file to your Mac.

3. Re-sign the ipa with new signing format

On the Mac, install the “iOS App Signer” app from:
https://www.iosappsigner.com/

Start “iOS App Signer” and select your .ipa file as the “Input File”

Your Signing Certificate should be in the list, select it.

You can leave all other fields as default/blank.

Click “Start” and select a name/location for the new ipa file.

And that’s it, you should now have a new re-signed .ipa file that you can install to your device from either PC or Mac. On PC, open iTunes and drag the .ipa into the library area to install (I’m sure it’s something similar on Mac). Once setup, it requires minimal effort to re-sign .ipa files.

I’m sure that some of these steps can be simplified, but currently it is the only way I have found after a lot of experimenting.

Notes:


I believe that “iOS App Signer” requires XCode to be installed. XCode may need to be a fairly recent version to support the new code signing format.

The reason we need to create a new certificate is that I have not yet found a way to install the original private key (.key generated in IPhonePackager.exe on windows) in keychain on the Mac to go with the certificate (called a key pair), I would love to know if anyone knows how to make this work.

If your developer certificate originated on a Mac, you probably don’t need to make a new certificate, as long as the key pair is installed to Keychain.

In theory, it should be possible to re-sign using the terminal command “codesign”, however I couldn’t get it to make usable .ipa files. The “iOS App Signer” app might even use “codesign” behind the scenes, but with some extra parameters (i suspect something to do with entitlements).

I found a few Windows programs for re-signing ios apps. I personally didn’t have any luck with the free ones, and the rest were expensive high end software solutions. For anyone doing blueprint only development on PC with no Mac access, you might have to try and get one of these to work whilst we wait for IPhonePackager.exe to be fixed by epic.

Am not working on iOS at the moment but it always was a nightmare (for the most part) with Unreal.
Posts like this are invaluable. Thanks for taking the time to share.

Thank you very much !
I tryed it and all works good untill I build the Project. I resive an error :

IPP ERROR: Application exception: System.Security.Cryptography.CryptographicException: keyset does not exist

Hmm, I’ve not come across that issue before. My guess is that an “IPP” error is referring to iPhonePackager.exe which is the final step of build. Seems that it’s having an issue with the developer certificate.

What I do know from my troubles, is that when you import your developer certificate with the “Import Certificate” button in the iOS settings, what it actually does is adds it to your certificates in Windows (which I guess is the equivalent of Keychain access on mac).

Most likely your issue is to do with that process. If I run the program “certmgr” on Windows, I can see my certificate in Personal → Certificates. It has a small key on the icon, and under “Intended Purpose” is says “Code Signing”. Do you see that?

I think the first thing to try is reimporting the certificate in the Unreal iOS settings. It should ask you for the password you gave when exporting from Keychain Access on the Mac. (I’m assuming if you get the password wrong, it will tell you, but if it doesn’t, that could be the problem).

Out of interest, did you create a new 2nd Developer certificate on the Apple Developer site, or delete and re-create your original one?

I’ve also read that running Unreal in Administrator mode when you import the certificate can help, maybe it would even help for the build itself.

Other things to try…

Double check that your certificate and mobile provision are indeed the correct one in the iOS settings. I’ve noticed it sometimes seems to revert back to old ones.

You could try and delete your developer certificate in “certmgr” before trying to install it to unreal again. I’d recommend exporting it to a file before you delete anything, just in case…

Make sure you see a certificate called "Apple Worldwide Developer Certification " in certmgr. Open it and in the Details tab check the version, my one says V3. I believe that the developer certificate needs to have the “Apple Worldwide Developer Certification Authority” also installed in order to work. But this is normaly installed automaticaly as far as I can tell.

Hope this helps.

Thank you DJR85,

I deleted my old certificate and use just the new ios - certificate.
By my Personal → Certificates looks all good …
When I reimport the certificate I use the password and matched the certificate to the provision file it looks all good …
when I build I receive the same error :

LogPlayLevel: Error: IPP ERROR: Application exception: System.Security.Cryptography.CryptographicException:

and I this the problem is here with the IPhonePackager.exe :

Command failed (Result:1): C:\Program Files\Epic Games\UE_4.26\Engine\Binaries\DotNET\IOS\IPhonePackager.exe RepackageFromStage “Engine” -config Development -schemename UE4 -schemeconfig “Development” -targetname UE4Game -sign -stagedir “F:_VR\iosApp_360_AF\app 4.26\Saved\StagedBuilds\IOS” -project “F:_VR\iosApp_360_AF\app 4.26\AF_360er_App.u
project” -iterate -provision

I will try to make new certificate and provision.

Thank you very much DJR85.

I’ve just had a thought. When exporting the .p12 file from Keychain Access on the mac, try selecting both the certificate and the key before exporting.

I have a feeling I may have done that. It would make sense if that works as the error is implying an issue with the key.

This workaround works, many thanks.

The workflow is now really time consuming, hope there will be a real “fix” soon, maybe with a new iPhone Packager. Im pretty sure they are aware of this. They also said that Unreal Engine 5 will support iOS when it will release this year… I hope they will improve the whole pipeline.

How did you get it working?

I downloaded the iOS App Signer and signed my IPA but I still can’t drag and drop it inside iTunes.
And if I download it directly from my iPhone, it doesn’t load the ipa in the end.

Would love to hear your thoughts on that.

On Windows, plug in your iPhone/iPad via USB and make sure its unlocked. If its connected properly, then iTunes should show a rectangle icon just to the right of where it says “music” as well as a “Devices” section. If you drag just under the devices section then you should see a blue box appear.

To be fair, I’ve only tested this on an iPad so far, so only assuming that it would work for iPhone (I should be testing an iPhone 12 next week so will see what happens).

Also, I’m running the download version of iTunes rather than the Windows app store version, so not sure if that makes a difference.

On Mac, I think they’ve done away with iTunes now, so not sure how its done. There’s definitely a way. I cant seem to get a direct iPad usb connection to work on my virtual machine so can only transfer the .ipa on windows.

image784×678 38.2 KB

The workflow is now really time consuming, hope there will be a real “fix” soon, maybe with a new iPhone Packager. Im pretty sure they are aware of this. They also said that Unreal Engine 5 will support iOS when it will release this year… I hope they will improve the whole pipeline.

I’m actually finding that its not too bad, and only takes about an extra minute or so to get the .ipa resigned and installed. But of course, its still a pain compared to directly deploying from Unreal.

I’m lucky enough to have a older iPad that I’ve thankfully managed to keep pre iOS 14.5 which I am developing with, and then regularly re-signing for testing on the main iPad when I can.

I actually think it might be possible to automate all the steps needed, but I don’t know anything about changing the Unreal build process, or if its even possible without a whole Engine rebuild. In theory, with the terminal command “codesign” (with correct parameters) instead of the “iOS App Signer” app, it should be possible to transfer and resign remotely, using the same process as remote build. This could be a lot of development work, and a waste if Epic release a fix next week, but on the other hand, for all we know it could take then 2 years, they’re not exactly on best terms with Apple right now, ha!

Oh, and if anyone is still having trouble with iTunes, I should mention that IPhonePackager.exe can also install ipa files onto an iOS device. I just tested it and it works.

You can find it in your main Unreal engine folder:
\\UE_4.xx\Engine\Binaries\DotNET\IOS\IPhonePackager.exe

It runs as a GUI if you click on it, but can also be run as a command line with correct parameters for automation.

Thanks for your help here DJR85. I managed to drag and drop the IPA signed with iOS App Signer thanks to your explanation. It’s installing on my iPhone but once it’s done installing, I’m launching the app and it says “This app can’t be installed because its integrity could not be verified”.

Do you have a solution for this?

Things to try:

Make sure that the UUID of your device has definately been added to your Profile Provision as well as the new new developer certificate.

Ensure that the Certificate and Profile currently selected are the new ones in the ios settings in Unreal (importing doesn’t always automatically select the new one if you have existing profiles set).
I actually had the exact same error when I first tried, turned out that my certificate was still set to my previous one (if you loose track of which is which, look at the expiry dates).

Make sure you’re running a new enough version of macOS and xcode (the new format has supposedly been used for a few years so probably not that).

Make sure you are definitely loading the new .ipa and not the old one (I’ve done stupider things so always worth checking the basics)

Check out:
https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format

It has info on the macOS version you need, and also a terminal command to check the the new .ipa does indeed have the new signing version.

Let me know how you get on.

My UDID is well added in my Profile Provision with the developer certificate.
I have the right Certificate and Profile selected in Unreal, because I can Package the app from Unreal without any issue. It’s just that, when I upload the IPA into “Transporter” to upload the ipa to Testflight, it’s saying :

ERROR ITMS-90725: “SDK Version Issue. This app was built with the iOS 13.2 SDK. All iOS apps submitted to the App Store must be built with the iOS 14 SDK or later, included in Xcode 12 or later.”

On the side of my Mac, I’m running the version 11.3.1 (macOS Big Sur). But I’m not using Xcode. I have installed it, but I’m not using it since I can package in Unreal without any issue…
And yes I’ve repeated a lot of time the packaging export and I’m sure that I’m loading the last ipa I generated.

I’ve also tried to run terminal commands to know if my ipa have the new signing version after using iOS App Signer and it said that my App is not signed. So it’s very strange…

I’m quite lost here, I don’t know what to do…

Sounds like you’ve done everything correctly as far as I can tell.

I think to use the codesign command, you will need to rename your .ipa file as a .zip and then extract the files. You should have a folder called Payload, and inside that a file ending in .app. Point codesign to the .app. Will be interesting to see what version it says. (actualy, on Windows the .app is a folder can can be opened, but you shouldn’t need to do that).

Out of interest, are you remote building using a mac, or just doing a blueprint only project that wouldn’t normaly require a mac? It’s interesting that you are getting the iOS SDK version error.
I assume your xcode is up to date. I don’t use it either although I am remote building which I guess is using it behind the scenes.

I got Xcode 12.5 (I guess it’s the last version).
I’m in fact using a Mac through TeamViewer (a friend of mine borrows me his mac). And my project is currently using blueprint only BUT we are planning to release in the end an app using C++, that’s why I wanted to “test” the deployment directly with a Mac, so I’m aware of all of that.
Anyway, I also understood that even if you have Blueprint only or c++, you need a mac in the end to deploy it to Testflight and Appstore. Soooo that’s why I used a Mac.

I’ll take a look at what you said about renaming my ipa file, as this is the last thing I need to try.
What I’m most worried about, is that in your case, you seems to get this workaround working whereas I can’t on my side. That’s…strange

EDIT: I even tried to upgrade my project to 4.26 and specify the “Minimum iOS version” to 14.0 and it’s not working, as it’s still saying that my app is with iOS 13.2 SDK… That would be awesome if Epic could update this on their side…

It looks like Epic updated iPhonePackager 3 days ago on the 4.27 branch to address this issue. Commit here: https://github.com/EpicGames/UnrealEngine/commit/fa3b93c9ec206e8d3305c3d9acefa25ac8ca6e98

unreal engine 4.21 package out ipa use the 4.27 iPhonePakager resigned can install but crash intermittently when run it.

Yeah, it looks like there was an issue that caused it to crash on iOS versions below 14.5. There’s another commit that is supposed to fix this now (haven’t had a chance to test it myself yet)
https://github.com/EpicGames/UnrealEngine/commit/03689f3095a0e07a2aaedb3a076aee20b3bb900f

I ues the 4.21 packaged out ipa test the newest iPhonePakager ,it looks the crash has resolved. does the changed has any influence .