1. Unzip the .ipa file by changing its extension with .zip
2. Go to Payload. You will find .app file
3. Right click the .app file and click Show package contents
4. Delete the _CodeSigned folder
5. Replace the embedded.mobileprovision file with the new provision profile
6. Go to KeyChain Access and make sure the certificate associated with the provisional profile is present

7. Execute the below mentioned command: /usr/bin/codesign -f -s "iPhone Distribution: Certificate Name" --resource-rules "Payload/Application.app/ResourceRules.plist" "Payload/Application.app"

8. Now zip the Payload folder again and change the .zip extension with .ipa

Hope this helpful.

For reference follow below mentioned link: http://www.modelmetrics.com/tomgersic/codesign-re-signing-an-ipa-between-apple-accounts/

I've updated Bryan's code for my Sierra iMac:

# this version was tested OK vith macOs Sierra 10.12.5 (16F73) on oct 0th, 2017
# original ipa file must be store in current working directory 

IPA="ipa-filename.ipa"
PROVISION="path-to.mobileprovision"
CERTIFICATE="hexadecimal-certificate-identifier" # must be in keychain
# identifier maybe retrieved by running: security find-identity -v -p codesigning

# unzip the ipa
unzip -q "$IPA"

# remove the signature
rm -rf Payload/*.app/_CodeSignature

# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision

# generate entitlements for current app
cd Payload/
codesign -d --entitlements - *.app > entitlements.plist
cd ..
mv Payload/entitlements.plist entitlements.plist

# sign with the new certificate and entitlements
/usr/bin/codesign -f -s "$CERTIFICATE" '--entitlements' 'entitlements.plist'  Payload/*.app

# zip it back up
zip -qr resigned.ipa Payload

Fastlane's sigh provides a fairly robust solution for resigning IPAs.

From their README:

Resign

If you generated your ipa file but want to apply a different code signing onto the ipa file, you can use sigh resign:

fastlane sigh resign

sigh will find the ipa file and the provisioning profile for you if they are located in the current folder.

You can pass more information using the command line:

fastlane sigh resign ./path/app.ipa --signing_identity "iPhone Distribution: Felix Krause" -p "my.mobileprovision"

It will even handle provisioning profiles for nested applications (eg. if you have watchkit apps)

Check iResign for an easy tool on how to do this!

[edit] after some fudling around, I found a solution to keychain-aware resigning. You can check it out at https://gist.github.com/Weptun/5406993

It's really easy to do from the command line. I had a gist of a script for doing this. It has now been incorporated into the ipa_sign script in https://github.com/RichardBronosky/ota-tools which I use daily. If you have any questions about using these tools, don't hesitate to ask.

The heart of it is this:

IPA="/path/to/file.ipa"
PROVISION="/path/to/file.mobileprovision"
CERTIFICATE="Name of certificate: To sign with" # must be in keychain
# unzip the ipa
unzip -q "$IPA"
# remove the signature
rm -rf Payload/*.app/_CodeSignature
# replace the provision
cp "$PROVISION" Payload/*.app/embedded.mobileprovision
# sign with the new certificate (--resource-rules has been deprecated OS X Yosemite (10.10), it can safely be removed)
/usr/bin/codesign -f -s "$CERTIFICATE" --resource-rules Payload/*.app/ResourceRules.plist Payload/*.app
# zip it back up
zip -qr resigned.ipa Payload

Your new signed app is called resigned.ipa

Kind of old question, but with the latest XCode, codesign is easy:

$ codesign -s my_certificate example.ipa 

$ codesign -vv example.ipa
example.ipa: valid on disk
example.ipa: satisfies its Designated Requirement