Get in touch
Have questions about HexSign? Drop us a message and we'll get back to you.
Contact the HexSign team
FAQs: Frequently Asked Questions
HexSign manages certificates (development, distribution, Developer ID, Mac Installer, Pass Type ID, Apple Push, and more), provisioning profiles (App Store, Ad Hoc, Development, Enterprise), bundle IDs with capabilities, CSRs, and registered devices across iOS, macOS, tvOS, and watchOS.
You provide an App Store Connect API key (Issuer ID, Key ID, and .p8 private key). HexSign uses Apple's official API to sync your data. Your .p8 is written to AWS Secrets Manager bound to a HexSign-owned KMS key, fetched just-in-time when we sync your account, and never returned to the browser.
Yes. Depending on your plan you can connect from one to an unlimited number of Apple Developer team accounts. Each account syncs independently with its own status and error reporting, and all data is visible from a single dashboard.
HexSign sends expiration alerts to email, Slack, Microsoft Teams, Jira, PagerDuty, Jira Service Management, and incident.io. You configure the thresholds (e.g., 7, 14, 30, 60, 90 days before expiry), and you can send a test alert before enabling delivery.
Yes. You can create new provisioning profiles through a guided wizard, update them, regenerate them when they expire or become invalid, and download the .mobileprovision file, all from the HexSign dashboard.
Yes. HexSign can generate certificate signing requests (with the private key encrypted via AWS KMS), upload existing CSRs, request new certificates from Apple, download them as PKCS#12 files, and revoke certificates that are no longer needed.
The relationship graph is an interactive visualization that shows how your certificates, provisioning profiles, bundle IDs, and devices are connected. Nodes are color-coded by health status and you can click to explore dependencies and understand the blast radius of any change.
HexSign supports per-organization users with Owner, Admin, and Member roles. Authentication is backed by AWS Cognito with required, phishing-resistant MFA - passkeys (Touch ID, Face ID, Windows Hello, FIDO2 security keys with PIN) and TOTP authenticator apps. SMS MFA is intentionally not offered. Every sign-in is recorded in a per-user auth activity log. SSO (SAML / OIDC) is available on higher plans.
Yes. Apple API keys live in AWS Secrets Manager bound to a HexSign-owned KMS key, CSR private keys are encrypted with a dedicated KMS key using per-tenant encryption context, and the database runs in a private VPC with TLS-required connections and encryption at rest. AWS WAF, GuardDuty, and a multi-region CloudTrail sit in front of the API, and every privileged action is recorded in an immutable audit log. All access is scoped per organization with role-based access control and MFA-protected sign-in. Full detail at https://hexsign.io/security.
Only when you explicitly ask. Creating or revoking certificates, creating, updating, regenerating, or deleting profiles, registering or enabling devices, and managing identifiers are all triggered by you from the dashboard or wizard. HexSign never makes changes on your behalf in the background; the scheduled job is read-only and just syncs state.
Yes. Every release archive and the checksums file are signed with cosign in keyless mode and recorded in the public Rekor transparency log. Run `cosign verify-blob --certificate <artifact>.pem --signature <artifact>.sig --certificate-identity-regexp 'https://github.com/hexsign/hexsign-cli/.+' --certificate-oidc-issuer https://token.actions.githubusercontent.com <artifact>` to confirm a download came from our release workflow before letting CI execute it.
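One way to wrap that command in a CI step that fails closed, as an added example (not HexSign's own script). The function names, the `COSIGN` override variable and the `sha256sum`-style line format of the checksums file are assumptions; the identity pattern and issuer are the ones given above.

```shell
#!/usr/bin/env bash
# Added example: fail-closed CI gate around the cosign command from the FAQ.
# Assumptions: <file>.sig and <file>.pem sit next to each file, and the
# checksums file uses sha256sum's "<hex>  <name>" line format.
COSIGN="${COSIGN:-cosign}"   # overridable so the gate logic can be tested
IDENTITY_RE='https://github.com/hexsign/hexsign-cli/.+'
ISSUER='https://token.actions.githubusercontent.com'

# Verify one file's keyless signature. A missing or empty file, signature
# or certificate counts as a failure, never as "nothing to check".
verify_blob_keyless() {
  local f="$1" p
  for p in "$f" "$f.sig" "$f.pem"; do
    [ -s "$p" ] || { echo "missing or empty: $p" >&2; return 1; }
  done
  "$COSIGN" verify-blob \
    --certificate "$f.pem" --signature "$f.sig" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" "$f" >&2
}

# Verify the checksums file and the archive, then require the archive's
# digest to be listed under its own name in the verified checksums file.
verify_release() {
  local archive="$1" sums="$2" digest
  verify_blob_keyless "$sums" || return 1
  verify_blob_keyless "$archive" || return 1
  digest="$(sha256sum "$archive" | cut -d' ' -f1)" || return 1
  grep -qxF -- "$digest  $(basename "$archive")" "$sums" || {
    echo "digest of $archive not listed in $sums" >&2
    return 1
  }
}
```

Call `verify_release <archive> <checksums-file> || exit 1` before the step that unpacks or executes the download, so a failed or skipped verification stops the job.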
Every paid plan starts with a 14-day free trial, no credit card required up front. Billing runs through Stripe, and you can manage your subscription (upgrade, downgrade, change payment method, or download invoices) from a self-service customer portal inside HexSign. A free plan is also available for solo developers.