fastlane-plugin-hexsign adds four fastlane actions (two single-id and two bulk-filter) that shell out to the hexsign CLI. If you already have a lane that builds, signs, and ships, this is the smallest possible change: drop two lines in front of gym (or build_app) and you are off the Apple Developer portal, with no match git repo involved.
Install and authenticate
Add the plugin to your project's Pluginfile, then run bundle install. The plugin shells out to the CLI, so the hexsign binary must be installed and on $PATH (run brew install hexsign locally, or install from a release tarball in CI).
gem "fastlane-plugin-hexsign"
Provision a service credential under Settings → CLI Tokens in the HexSign dashboard, then export HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET. The CLI auto-detects machine mode when both are set, so the plugin needs no extra auth configuration.
A typical lane
lane :beta do
hexsign_certificates_download(id: ENV["HEXSIGN_CERT_ID"], output_dir: "build/sign")
hexsign_profiles_download (id: ENV["HEXSIGN_PROFILE_ID"], output_dir: "build/sign")
import_certificate(
certificate_path: "build/sign/certificate.p12",
certificate_password: File.read("build/sign/certificate.password").strip,
keychain_name: "build.keychain"
)
gym(scheme: "MyApp")
endOn macOS you can pass keychain: to hexsign_certificates_download and skip import_certificate entirely: the CLI creates a dedicated keychain, imports the .p12, and authorizes it for codesign in one step. If you regenerate signing material regularly, use hexsign_certificates_download_by_type and hexsign_profiles_download_by_bundle_id so the lane keeps working after rotation without any variable changes.