CI/CD · Integration

iOS code signing in GitHub Actions

Install the HexSign CLI on a runner with one step, then fetch your signing certificate and provisioning profile straight from the vault before xcodebuild. No base64 secrets, no fastlane match repo.

3 min readUpdated May 31, 2026

Setup HexSign CLI guide View on GitHub Marketplace

The Setup HexSign CLI action installs the hexsign binary on a runner, verifies its SHA-256 against the release's signed checksums.txt, and (when you pass a client ID and secret) flips the CLI into machine mode for the rest of the job. The next steps fetch your certificate and profile before xcodebuild, so signing material never lives in your repository.

What you need

A service credential with hexsign-api/read scope, created under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.
HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET stored as repository or environment secrets.
The certificate and profile IDs you sign with, stored as repository variables.

The release workflow

yaml

# .github/workflows/release.yml
name: Release
on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup HexSign CLI
        uses: hexsign/hexsign-cli@v1
        with:
          version: latest
          client-id:     ${{ secrets.HEXSIGN_CLIENT_ID }}
          client-secret: ${{ secrets.HEXSIGN_CLIENT_SECRET }}

      - name: Fetch signing material
        env:
          CERT_ID:    ${{ vars.HEXSIGN_CERT_ID }}
          PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
        run: |
          hexsign certificates download "$CERT_ID" --output-dir build/sign \
            --keychain "$RUNNER_TEMP/signing.keychain-db"
          hexsign profiles download "$PROFILE_ID" --output-dir build/sign --install

      - name: Archive
        run: |
          xcrun xcodebuild archive \
            -workspace MyApp.xcworkspace \
            -scheme MyApp \
            -archivePath build/MyApp.xcarchive

--keychain creates a dedicated keychain, imports the .p12, and runs the set-key-partition-list authorization codesign needs, replacing the four or five security commands every CI guide used to copy-paste. --install drops the profile where Xcode finds it. If you regenerate signing material regularly, swap the IDs for --type DISTRIBUTION --team-id and --bundle-id --team-id filters and the workflow keeps working when a certificate rotates, with nothing to update.

With vs. without

GitHub Actions with HexSign vs. without

The same release workflow, before and after HexSign replaces the base64-secret-and-keychain dance.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a repository secret, or a separate fastlane match git repo holding encrypted certs.

With HexSignIn the encrypted HexSign vault. Fetched per run, written to a run-scoped keychain, never committed.

Workflow setup

Without HexSignHand-rolled bash: decode the secret, security create-keychain, import, set-key-partition-list, copy the profile into place.

With HexSignOne Setup HexSign CLI step, then two download commands with --keychain and --install doing the keychain work.

Rotating a certificate

Without HexSignRe-encode the new .p12 and update the secret in every repo and environment that uses it.

With HexSignRegenerate once in HexSign. Fetch by type and bundle id so no workflow or variable changes.

Auditing access

Without HexSignReconstruct who could read the secret from repo and org membership history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential.

Supply chain

Without HexSignTrust whatever an install script pulls onto the runner.

With HexSignThe action verifies the CLI SHA-256 against the release's signed checksums.txt before it runs.

Keep wiring

Related integrations

fastlane

Add two actions in front of gym to pull signing material from the vault, with no match repo required.

3 min readView integration

CircleCI

Fetch signing material from the HexSign orb before xcodebuild, with no secrets in your config.

3 min readView integration

GitLab CI/CD

One include: block fetches signing material before your GitLab build job.

3 min readView integration

Wiring this up and something doesn't line up? Email support@hexsign.io or browse the rest of the integrations and the CLI help center.

What you need

A service credential with hexsign-api/read scope, created under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.

HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET stored as repository or environment secrets.

The certificate and profile IDs you sign with, stored as repository variables.

The release workflow

yaml

# .github/workflows/release.yml
name: Release
on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup HexSign CLI
        uses: hexsign/hexsign-cli@v1
        with:
          version: latest
          client-id:     ${{ secrets.HEXSIGN_CLIENT_ID }}
          client-secret: ${{ secrets.HEXSIGN_CLIENT_SECRET }}

      - name: Fetch signing material
        env:
          CERT_ID:    ${{ vars.HEXSIGN_CERT_ID }}
          PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
        run: |
          hexsign certificates download "$CERT_ID" --output-dir build/sign \
            --keychain "$RUNNER_TEMP/signing.keychain-db"
          hexsign profiles download "$PROFILE_ID" --output-dir build/sign --install

      - name: Archive
        run: |
          xcrun xcodebuild archive \
            -workspace MyApp.xcworkspace \
            -scheme MyApp \
            -archivePath build/MyApp.xcarchive

GitHub Actions with HexSign vs. without

The same release workflow, before and after HexSign replaces the base64-secret-and-keychain dance.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a repository secret, or a separate fastlane match git repo holding encrypted certs.

With HexSignIn the encrypted HexSign vault. Fetched per run, written to a run-scoped keychain, never committed.

Workflow setup

Without HexSignHand-rolled bash: decode the secret, security create-keychain, import, set-key-partition-list, copy the profile into place.

With HexSignOne Setup HexSign CLI step, then two download commands with --keychain and --install doing the keychain work.

Rotating a certificate

Without HexSignRe-encode the new .p12 and update the secret in every repo and environment that uses it.

With HexSignRegenerate once in HexSign. Fetch by type and bundle id so no workflow or variable changes.

Auditing access

Without HexSignReconstruct who could read the secret from repo and org membership history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential.

Supply chain

Without HexSignTrust whatever an install script pulls onto the runner.

With HexSignThe action verifies the CLI SHA-256 against the release's signed checksums.txt before it runs.

iOS code signing in GitHub Actions

What you need

The release workflow

GitHub Actions with HexSign vs. without

Related integrations

fastlane

CircleCI

GitLab CI/CD

Stop committing signing material to repos.

iOS code signing in GitHub Actions

What you need

The release workflow

GitHub Actions with HexSign vs. without

Related integrations

fastlane

CircleCI

GitLab CI/CD

Stop committing signing material to repos.