How do I re-sign an app with entitlements?

It helped me:

--preserve-metadata=entitlements

Saving and restoring entitlements are not needed anymore.


The answer is actually quite self-evident in the question itself. The output from:

$ codesign -d --entitlements - Example.app/Example

is actually a perfectly valid entitlements file. So you can store the output from the original .ipa exported from Xcode by writing:

$ codesign -d --entitlements entitlements.xml Example.app/Example

This will store the entitlements in entitlements.xml which you can then use in an argument to sign the .ipa file yourself:

$ codesign --entitlements entitlements.xml -f -s "iPhone Distribution: Company (UFAYDHAUP)" Payload/Example.app

Naturally, "iPhone Distribution: Company (UFAYDHAUP)" has to be replaced with the signing identity you use, and Payload/Example.app will be the path to your app which has been unzipped from the .ipa file.
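
A check to run after re-signing, added here as an example and not part of either answer: it parses the entitlements dumped before and after the re-sign and reports what was dropped, added or changed. It tolerates the 8-byte blob header that the codesign man page says is kept in the output unless the path is prefixed with a colon. The function names, the sample plists and the team ID `TEAMID0000` are constructed for illustration.

```python
import plistlib
import struct

# Magic number of the blob that wraps the entitlements plist in a signature.
ENTITLEMENTS_MAGIC = 0xFADE7171

def load_entitlements(raw: bytes) -> dict:
    """Parse `codesign -d --entitlements` output, with or without blob header."""
    if len(raw) >= 8:
        magic, length = struct.unpack(">II", raw[:8])  # big-endian magic, size
        if magic == ENTITLEMENTS_MAGIC:
            if not 8 <= length <= len(raw):
                raise ValueError(f"bad blob length {length} for {len(raw)} bytes")
            raw = raw[8:length]
    if not raw.strip():
        return {}  # no entitlements embedded in the signature
    return plistlib.loads(raw)

def diff_entitlements(before: dict, after: dict) -> dict:
    """Report keys that the re-sign removed, added, or changed."""
    return {
        "removed": sorted(before.keys() - after.keys()),
        "added": sorted(after.keys() - before.keys()),
        "changed": sorted(k for k in before.keys() & after.keys()
                          if before[k] != after[k]),
    }

# Constructed sample data, not taken from a real app.
ORIGINAL = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.app",
    "aps-environment": "production",
    "get-task-allow": False,
    "keychain-access-groups": ["TEAMID0000.com.example.app"],
})
# The same plist as it looks when the blob header is left in place.
ORIGINAL_BLOB = struct.pack(">II", ENTITLEMENTS_MAGIC, len(ORIGINAL) + 8) + ORIGINAL
# A re-signed build that lost push and gained the debugger entitlement.
RESIGNED = plistlib.dumps({
    "application-identifier": "TEAMID0000.com.example.app",
    "get-task-allow": True,
    "keychain-access-groups": ["TEAMID0000.com.example.app"],
})

if __name__ == "__main__":
    report = diff_entitlements(load_entitlements(ORIGINAL_BLOB),
                               load_entitlements(RESIGNED))
    for kind, keys in report.items():
        print(f"{kind}: {keys}")
```

In practice the two inputs would be the bytes of the entitlements files dumped from the original and the re-signed app; an empty report means the re-sign preserved the entitlements.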