Code signing & build

codesign (command)

Apple's command-line tool that signs a binary or bundle, and verifies an existing signature. Lives at `/usr/bin/codesign` on macOS and is what xcodebuild calls under the hood.

/usr/bin/codesigncodesign tool

`codesign` is the macOS command-line tool that signs and verifies Apple binaries. xcodebuild calls it during the archive and export steps; fastlane gym, EAS Build, and every iOS CI plugin eventually shell out to it. Knowing what it does is the difference between staring at 'Code Signing Error' for an hour and fixing the build in two minutes.

Sign a build

bash

codesign --force --sign "Apple Distribution: Acme Corp (ABCDE12345)" \
  --entitlements MyApp.entitlements \
  --options runtime \
  --timestamp \
  MyApp.app

Verify a signature

bash

# Quick health check
codesign --verify --verbose=4 MyApp.app

# Show identity, timestamp, hardened runtime, and entitlements
codesign -dvv --entitlements :- MyApp.app

Common errors and what they mean

errSecInternalComponent: The keychain refused codesign access to the private key. Run `security set-key-partition-list -S apple-tool:,apple: -k <pw> <keychain>` after importing the .p12 on CI.
User interaction is not allowed: Same keychain partition list issue, surfaced when the keychain is locked. Unlock it with `security unlock-keychain` first.
no identity found: The certificate is not in any keychain in the search list, or the keychain is locked, or you typed the identity name wrong.
resource fork, Finder information, or similar detritus not allowed: Some file inside the bundle has extended attributes that codesign refuses to sign over. Run `xattr -cr MyApp.app` before signing.

Keep reading

Related terms

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

Next step

Help articles on this topic

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Troubleshoot the HexSign CLI

Fix the most common CLI errors: missing client ID, expired refresh token, callback port conflicts, scope failures, and 401/403 responses.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Code signing & build

codesign (command)

Apple's command-line tool that signs a binary or bundle, and verifies an existing signature. Lives at `/usr/bin/codesign` on macOS and is what xcodebuild calls under the hood.

/usr/bin/codesigncodesign tool

Sign a build

bash

codesign --force --sign "Apple Distribution: Acme Corp (ABCDE12345)" \
  --entitlements MyApp.entitlements \
  --options runtime \
  --timestamp \
  MyApp.app

Verify a signature

bash

# Quick health check
codesign --verify --verbose=4 MyApp.app

# Show identity, timestamp, hardened runtime, and entitlements
codesign -dvv --entitlements :- MyApp.app

Common errors and what they mean

errSecInternalComponent: The keychain refused codesign access to the private key. Run `security set-key-partition-list -S apple-tool:,apple: -k <pw> <keychain>` after importing the .p12 on CI.
User interaction is not allowed: Same keychain partition list issue, surfaced when the keychain is locked. Unlock it with `security unlock-keychain` first.
no identity found: The certificate is not in any keychain in the search list, or the keychain is locked, or you typed the identity name wrong.
resource fork, Finder information, or similar detritus not allowed: Some file inside the bundle has extended attributes that codesign refuses to sign over. Run `xattr -cr MyApp.app` before signing.

Keep reading

Related terms

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Hardened runtime

A macOS code signing option that opts a binary into stricter runtime protections (no unsigned memory execution, library validation, no code injection) and is a prerequisite for notarization.

Read definition

Code signing certificate

Read definition

Next step

Help articles on this topic

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Troubleshoot the HexSign CLI

Fix the most common CLI errors: missing client ID, expired refresh token, callback port conflicts, scope failures, and 401/403 responses.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.