Developer tool
HexSign in your terminal.
Manage Apple certificates, provisioning profiles, devices, and identifiers from a single binary — locally on your machine, or headlessly from CI. Same data as the dashboard, scriptable.
Install in seconds
One binary. Zero config.
Released binaries are zero-config — log in once and you're done. Pick whichever channel suits you best.
```sh
brew tap hexsign/tap
brew install hexsign
hexsign login
```

```sh
# macOS, Linux, Windows
# https://github.com/hexsign/hexsign-cli/releases
curl -L -o hexsign \
  https://github.com/hexsign/hexsign-cli/releases/latest/download/hexsign-darwin-arm64
chmod +x hexsign && mv hexsign /usr/local/bin/
```
Need to verify checksums or pick a specific OS / arch? See the releases page.
Capabilities
Everything the dashboard does, scriptable.
The CLI talks to the same HexSign API as the web app, so anything you can do in the dashboard, you can do in your shell, your Makefile, or your pipeline.
Certificates
List, inspect, download, revoke, and surface expiring certificates across every connected Apple Developer account.
Provisioning profiles
List, get, download, regenerate, and delete profiles. Pull the right .mobileprovision into your build directory before xcodebuild.
Identifiers & capabilities
Create and manage bundle IDs from your shell. Scriptable for new app bootstrapping and bulk identifier hygiene.
Devices
Register iPhones, iPads, Macs, Apple Watches, and Apple TVs by UDID. Great for QA fleets and beta enrollment scripts.
CSRs & key vault
Generate certificate signing requests with KMS-encrypted private keys, or upload your own. Reuse CSRs without ever exporting a key.
Apple accounts
List connected Apple Developer accounts, trigger an on-demand sync, or remove an account — from CI or your laptop.
Health summary
One command (`hexsign summary`) prints health, expiring items, and account status. Drop it into a cron, Slack bot, or status page.
JSON or table output
Every command supports `-o table` (default) for humans and `-o json` for pipelines, jq, and dashboards.
Authentication
Two modes, picked automatically.
Local — OAuth + PKCE
Run `hexsign login` and your browser handles the rest. The refresh token is stashed in your OS keychain; the CLI silently refreshes after that.

```sh
hexsign login
hexsign whoami
```
CI — client credentials
Generate a service credential under Settings → CLI Tokens in the dashboard. Drop the ID and secret into your pipeline, and the CLI swaps to machine mode automatically.
```yaml
env:
  HEXSIGN_CLIENT_ID: ${{ secrets.HEXSIGN_CLIENT_ID }}
  HEXSIGN_CLIENT_SECRET: ${{ secrets.HEXSIGN_CLIENT_SECRET }}
```

CI / CD
Fetch signing material before xcodebuild.
No more committing certificates to a private repo, no more fastlane match incantations. Pull the exact certificate and profile you need by ID, sign, ship.
```yaml
- name: Fetch signing material
  env:
    HEXSIGN_CLIENT_ID: ${{ secrets.HEXSIGN_CLIENT_ID }}
    HEXSIGN_CLIENT_SECRET: ${{ secrets.HEXSIGN_CLIENT_SECRET }}
    PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
    CERT_ID: ${{ vars.HEXSIGN_CERT_ID }}
  run: |
    hexsign certificates download "$CERT_ID" --output-dir build/sign
    hexsign profiles download "$PROFILE_ID" --output-dir build/sign
    # then security import / xcrun / xcodebuild as usual
```

Cheat sheet
A taste of the command surface.
```
hexsign login | logout | whoami
hexsign apple-accounts (list | sync <id> | delete <id>)
hexsign certificates list [--type <t>] [--status <s>]
hexsign certificates download <id> [--output-dir DIR]
hexsign certificates revoke <id>
hexsign certificates expiring
hexsign profiles list [--type <t>] [--status <s>]
hexsign profiles download <id> [--output-dir DIR]
hexsign profiles regenerate <id>
hexsign profiles expiring
hexsign identifiers (list | get | create | delete)
hexsign devices (list | get | create)
hexsign csrs (list | generate | upload --file | delete)
hexsign summary
# every command supports -o table | json
```
Security
Built to live where your secrets live.
Refresh tokens in your OS keychain
Never written to disk in plain text. macOS Keychain, Linux Secret Service, Windows Credential Manager.
Short-lived access tokens
ID and access tokens cached locally with 0600 perms. Refreshed silently on every call.
Strict file modes for downloads
Downloaded .p12 and .password files are written with 0600. Safe to store inside your repo's build directory.
Scoped CI credentials
Machine tokens are bound to read / write scopes. Routes for users, billing, and CLI tokens are blocked. Revoke instantly from the dashboard.
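An added example, not part of HexSign or its documentation: a POSIX shell check that a pipeline could run right after the download step to confirm that nothing under the signing directory is accessible beyond its owner and that git tracks none of it. The function names and script name are hypothetical; `build/sign` is the path from the CI step above, and the tracked-file check assumes `git` is on the runner.

```shell
#!/bin/sh
# Added example (not HexSign code): audit a signing directory after download.
# Usage in a pipeline step:  sh audit-sign-dir.sh build/sign
# (script name is hypothetical; build/sign is the path used in the CI step)

# Print regular files under $1 that have any group or other permission bit set.
loose_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Print files under $1 that git tracks. Empty when $1 is not inside a work
# tree or git is not installed.
tracked_files() {
    git -C "$1" ls-files 2>/dev/null || true
}

# Return 0 if the directory is clean, 1 on a finding, 2 if it is missing.
audit_sign_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "audit: $dir does not exist" >&2
        return 2
    fi
    loose=$(loose_files "$dir") || findings=1
    if [ -n "$loose" ]; then
        echo "audit: readable or writable beyond the owner:" >&2
        echo "$loose" >&2
        findings=1
    fi
    tracked=$(tracked_files "$dir")
    if [ -n "$tracked" ]; then
        echo "audit: tracked by git, remove from the index:" >&2
        echo "$tracked" >&2
        findings=1
    fi
    return "$findings"
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_sign_dir "$1"
fi
```

A non-zero exit fails the step before `xcodebuild` runs, so a loosened mode or an accidental `git add` of the signing directory is caught in the same job that fetched the material.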
Ready to script it?
Get HexSign on your laptop and in your pipeline.
Free 7-day trial, no credit card. The CLI works with every plan — the dashboard's there when you want a visual.