CI/CD · Integration

iOS code signing in GitLab CI/CD

Add one include: block to .gitlab-ci.yml, point it at masked CI/CD variables, and the HexSign fetch component installs the CLI and downloads your signing certificate and provisioning profile before any build job. No secrets in the repo, no fastlane match.

3 min readUpdated May 31, 2026

GitLab component guide View on GitLab CI/CD Catalog

The HexSign GitLab CI/CD component adds a ready-made hexsign-fetch job to your pipeline with a single include: block. It installs the hexsign binary, verifies its SHA-256 against the release's signed checksums.txt, and downloads the certificate and provisioning profile you've stored in HexSign into a short-lived job artifact. A downstream job picks them up and runs xcodebuild, with no secrets in the repository.

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.
HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET configured as masked, protected CI/CD variables under Settings → CI/CD → Variables.
The certificate and profile IDs you sign with (or a team id and bundle id if you fetch by filter).

Add the fetch component

yaml

# .gitlab-ci.yml
include:
  - component: $CI_SERVER_FQDN/hexsign/hexsign-gitlab-component/fetch@~latest
    inputs:
      certificate_id: $HEXSIGN_CERT_ID
      profile_id:     $HEXSIGN_PROFILE_ID
      output_dir:     build/sign

stages:
  - signing
  - build

xcodebuild:
  stage: build
  needs: [hexsign-fetch]
  dependencies: [hexsign-fetch]
  script:
    - security import build/sign/*.p12 -P "$(cat build/sign/*.password)"
    - xcodebuild -scheme MyApp archive

The hexsign-fetch job runs in the .pre stage by default, so it completes before any named stage, and dependencies: pulls the artifact directory into your build job. To survive rotation, swap the IDs for certificate_type + team_id and bundle_id filters so the pipeline never changes when an artefact is regenerated. The fetched .p12 lives in a job artifact, so keep artifact_expire_in short.

With vs. without

GitLab CI/CD with HexSign vs. without

The same release pipeline, before and after HexSign replaces the committed-cert and hand-rolled keychain approach.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a CI/CD variable, or a separate fastlane match git repo holding encrypted certs and profiles.

With HexSignIn the encrypted HexSign vault. Fetched per run into a short-lived job artifact, never committed to the repo.

Pipeline setup effort

Without HexSignHand-rolled script steps: decode the secret, security create-keychain, import, set-key-partition-list, copy the profile into place.

With HexSignOne include: block in .gitlab-ci.yml. The hexsign-fetch job handles install, verification, and download automatically.

Certificate rotation

Without HexSignRe-encode the new .p12 and update the variable in every project and environment that references it.

With HexSignRegenerate once in HexSign. Fetch by certificate type and bundle id so no pipeline or variable changes are needed.

Auditing access

Without HexSignReconstruct who read the signing secret from project membership and variable access history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked service credential.

Supply-chain verification

Without HexSignTrust whatever an install script pulls onto the runner, with no checksum step.

With HexSignThe component verifies the CLI SHA-256 against the release's signed checksums.txt before running any signing commands.

Keep wiring

Related integrations

GitHub Actions

Install the CLI in one step, fetch signing material before xcodebuild.

3 min readView integration

CircleCI

Fetch signing material from the HexSign orb before xcodebuild, with no secrets in your config.

3 min readView integration

Jenkins

No plugin required: install the CLI on a macOS agent and fetch signing material in a stage.

5 min readView integration

Wiring this up and something doesn't line up? Email support@hexsign.io or browse the rest of the integrations and the CLI help center.

iOS code signing in GitLab CI/CD

3 min readUpdated May 31, 2026

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.

HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET configured as masked, protected CI/CD variables under Settings → CI/CD → Variables.

The certificate and profile IDs you sign with (or a team id and bundle id if you fetch by filter).

Add the fetch component

yaml

# .gitlab-ci.yml
include:
  - component: $CI_SERVER_FQDN/hexsign/hexsign-gitlab-component/fetch@~latest
    inputs:
      certificate_id: $HEXSIGN_CERT_ID
      profile_id:     $HEXSIGN_PROFILE_ID
      output_dir:     build/sign

stages:
  - signing
  - build

xcodebuild:
  stage: build
  needs: [hexsign-fetch]
  dependencies: [hexsign-fetch]
  script:
    - security import build/sign/*.p12 -P "$(cat build/sign/*.password)"
    - xcodebuild -scheme MyApp archive

GitLab CI/CD with HexSign vs. without

The same release pipeline, before and after HexSign replaces the committed-cert and hand-rolled keychain approach.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a CI/CD variable, or a separate fastlane match git repo holding encrypted certs and profiles.

With HexSignIn the encrypted HexSign vault. Fetched per run into a short-lived job artifact, never committed to the repo.

Pipeline setup effort

Without HexSignHand-rolled script steps: decode the secret, security create-keychain, import, set-key-partition-list, copy the profile into place.

With HexSignOne include: block in .gitlab-ci.yml. The hexsign-fetch job handles install, verification, and download automatically.

Certificate rotation

Without HexSignRe-encode the new .p12 and update the variable in every project and environment that references it.

With HexSignRegenerate once in HexSign. Fetch by certificate type and bundle id so no pipeline or variable changes are needed.

Auditing access

Without HexSignReconstruct who read the signing secret from project membership and variable access history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked service credential.

Supply-chain verification

Without HexSignTrust whatever an install script pulls onto the runner, with no checksum step.

With HexSignThe component verifies the CLI SHA-256 against the release's signed checksums.txt before running any signing commands.

iOS code signing in GitLab CI/CD

What you need

Add the fetch component

GitLab CI/CD with HexSign vs. without

Related integrations

GitHub Actions

CircleCI

Jenkins

Stop committing signing material to repos.

iOS code signing in GitLab CI/CD

What you need

Add the fetch component

GitLab CI/CD with HexSign vs. without

Related integrations

GitHub Actions

CircleCI

Jenkins

Stop committing signing material to repos.