Skip to content

Find the expiry of a Certificate that was used to sign an .ipa App file

Extract the ipa file:
$ unzip -q App.ipa
Extract Certificates:
$ codesign -d --extract-certificates Payload/*.app
$ openssl x509 -inform DER -in codesign0 -out codesign0.pem
$ openssl x509 -inform DER -in codesign1 -out codesign1.pem
$ openssl x509 -inform DER -in codesign2 -out codesign2.pem
$ cat codesign1.pem codesign2.pem > cachain.pem

Check the validity of the certificate:

$ openssl ocsp -issuer cachain.pem -cert codesign0.pem -url `openssl x509 -in codesign0.pem -noout -ocsp_uri` -CAfile cachain.pem
Response verify OK
codesign0.pem: good
	This Update: Jan  6 02:39:29 2023 GMT
	Next Update: Jan  6 14:39:28 2023 GMT

Check the expiry date of the certificate:

$ openssl x509 -inform DER -in codesign0 -noout -nameopt -oneline -subject -serial -dates
subject= /UID=**********/CN=iPhone Distribution: ********** LLC/OU=**********/O=********** LLC/C=US
serial=647A88E251**********BB78165D586F
notBefore=Apr 27 13:05:06 2022 GMT
notAfter=Apr 26 13:05:05 2025 GMT

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.