The [`hexsign-fetch-signing-material`](https://github.com/HexSign/bitrise-step-hexsign) Step downloads the certificate (`.p12` + password) and/or provisioning profile (`.mobileprovision`) you've stored in HexSign, places them on disk, and exposes the resulting paths as env vars for downstream Steps like `certificate-and-profile-installer`, `xcode-archive`, and `fastlane`.
## What you need
- A service credential with `hexsign-api/read` scope. Provision it under **Settings → CLI Tokens** in the [HexSign dashboard](https://dashboard.hexsign.net); the secret is shown exactly once.
- `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` configured as **secret env vars** in the Bitrise workflow editor — never paste them into `bitrise.yml`.
- The HexSign certificate ID, the profile ID, or both. Omitting one skips that download, so a single Step configuration covers the cert-only, profile-only, and cert-plus-profile flows.
## Add it to your workflow

```yaml
steps:
- hexsign-fetch-signing-material@0:
    inputs:
    - certificate_id: $HEXSIGN_CERT_ID
    - profile_id: $HEXSIGN_PROFILE_ID
    - client_id: $HEXSIGN_CLIENT_ID
    - client_secret: $HEXSIGN_CLIENT_SECRET
- certificate-and-profile-installer@1:
    inputs:
    - certificate_url: file://$HEXSIGN_CERTIFICATE_PATH
    - provisioning_profile_url: file://$HEXSIGN_PROFILE_PATH
    # Read the .password file in a script step and feed it in via env.
- xcode-archive@5: {}
```

## Inputs
- `certificate_id` / `profile_id`
  - At least one is required. HexSign IDs, visible on each item's detail page in the dashboard. Omit either to skip its download.
- `client_id` / `client_secret`
  - Required. Default to `$HEXSIGN_CLIENT_ID` and `$HEXSIGN_CLIENT_SECRET`, so a typical setup needs no input override.
- `scopes`
  - Optional. Space-separated OAuth scopes. Leave empty to use the CLI default.
- `output_dir`
  - Where to write the downloaded files. Defaults to `$BITRISE_DEPLOY_DIR`, so the files are picked up by the deploy Step automatically. Be deliberate about that default: anything left in the deploy directory is uploaded as a build artefact, which for a `.p12` and its `.password` file means your signing material becomes downloadable from the build page. If you do not want that, point `output_dir` at a directory outside `$BITRISE_DEPLOY_DIR`.
- `cli_version`
  - `hexsign-cli` release tag (e.g. `v0.4.2`) or `latest`. Pin to a tag for hermetic builds; the Step verifies the download's SHA-256 against the release's signed `checksums.txt` either way. With `latest` the check still guards download integrity, but it is made against whatever release is current, so the binary can change between builds without any configuration change on your side.
## Outputs

- `HEXSIGN_CERTIFICATE_PATH`
  - Absolute path to the `.p12`. Empty when no certificate was fetched.
- `HEXSIGN_CERTIFICATE_PASSWORD_PATH`
  - Absolute path to the `.password` file that sits next to the `.p12`. Read it in a script step before handing it to `certificate-and-profile-installer`.
- `HEXSIGN_PROFILE_PATH`
  - Absolute path to the `.mobileprovision`. Empty when no profile was fetched.
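The script-step glue the `.password` output calls for, as an added example rather than code from the Step or from Bitrise: it reads the one-line password file, validates it, and publishes the value for the installer Step through `envman` (Bitrise's real env-sharing tool) marked as sensitive so the build log redacts it. Assumptions not stated on the page: the file contains only the passphrase (a trailing newline or CRLF is tolerated), and the destination variable name `HEXSIGN_CERTIFICATE_PASSWORD` is this example's choice.

```shell
#!/usr/bin/env bash
# Example script step (not the Step's own code): bridge
# hexsign-fetch-signing-material -> certificate-and-profile-installer.
# Assumes the .password file holds exactly one line: the passphrase.
set -euo pipefail

# read_password_file <path>: print the passphrase with no trailing newline.
# Fails on a missing, empty, or multi-line file so a truncated or
# mis-formatted download is caught here, not as an opaque keychain import error.
read_password_file() {
  local path="$1" pw
  [ -f "$path" ] || { echo "password file not found: $path" >&2; return 1; }
  pw="$(tr -d '\r' < "$path")"     # $(...) drops trailing newlines; tr drops CR
  if [ -z "$pw" ]; then
    echo "password file is empty: $path" >&2
    return 1
  fi
  case "$pw" in
    *$'\n'*) echo "password file has more than one line: $path" >&2; return 1 ;;
  esac
  printf '%s' "$pw"
}

# publish_secret <key> <value>: hand a value to later Steps via envman,
# flagged sensitive so Bitrise redacts it in logs. When envman is not on PATH
# (e.g. running this locally) fall back to exporting into the current shell.
publish_secret() {
  local key="$1" value="$2"
  if command -v envman >/dev/null 2>&1; then
    envman add --key "$key" --value "$value" --sensitive
  else
    export "$key=$value"
  fi
}

main() {
  # Profile-only runs leave the path empty; nothing to do then.
  if [ -z "${HEXSIGN_CERTIFICATE_PASSWORD_PATH:-}" ]; then
    echo "no certificate fetched; nothing to publish"
    return 0
  fi
  local pw
  pw="$(read_password_file "$HEXSIGN_CERTIFICATE_PASSWORD_PATH")"
  publish_secret HEXSIGN_CERTIFICATE_PASSWORD "$pw"
  # Never echo the passphrase itself; confirm only that something was set.
  echo "published HEXSIGN_CERTIFICATE_PASSWORD (${#pw} chars)"
}

main "$@"
```

Drop this into a `script@1` step placed between the two Steps in the workflow above, then add `certificate_passphrase: $HEXSIGN_CERTIFICATE_PASSWORD` to the installer's inputs (`certificate_passphrase` is that Step's own input name). Because the value reaches the installer as a Bitrise env var rather than a literal in `bitrise.yml`, it never lands in your repository.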
## How auth works

The Step exports `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` into the CLI's environment, which switches the binary into non-interactive (machine) mode. The CLI exchanges the pair for an access token at `identity.hexsign.net/oauth2/token` and presents that token on the download requests. Because both variables are declared as Bitrise secrets, their values are redacted in build logs. Redaction covers only the exact secret values Bitrise knows about: the access token the CLI obtains and the contents of the `.password` file are not among them, so do not print either from your own script steps; pass them on through `envman` marked as sensitive instead.