The secure vault and dashboard for Apple code signing.

HexSign automatically renews your Apple certificates and provisioning profiles before they expire. The rest lives in one place too: an encrypted vault instead of git, a dashboard for every profile and expiration, and a CLI for any CI. No more expired-cert fire drills.

Get Started Explore product features

iOS · macOS · tvOS · watchOS

hexsign · dashboard

Health

100%

Certificates

Apple Distribution

expires 5/20/2027

Apple Push Services

expires 12/31/2026

Mac Installer Dist

expires 9/12/2026

3 profiles linked to expiring certView certificate relationship graph

Ships signing assets to any CI. Bring your own pipeline.

See it in action

HexSign in 60 seconds

A walkthrough of the dashboard, certificate relationships, and the provisioning profile wizard. Open the watch page →

One source of truth for Apple code signing.

An encrypted vault for certificates, a dashboard for every profile and expiration, and a CLI that ships signing assets to any CI. Synced with App Store Connect.

Auto-renewal

Distribution certs and provisioning profiles reissue themselves 30 days before expiry. The new cert keeps your existing key; profiles rebuild against the renewed cert in the same run.

Auto-renewal timeline

Relationship graph

See how certificates, profiles, and bundle IDs connect. Understand the blast radius before revoking.

Apple Distribution

Distribution

154d left

Apple Development

Development

Expired 47d ago

Apple Push Services

232d left

Mac Installer Dist

Mac Installer Distribution

Expired 96d ago

MyApp App Store

App Store

154d left

MyApp Development

Development

98d left

MyApp Ad Hoc

Ad Hoc

Expired 47d ago

PushService Prod

App Store

215d left

MacApp Installer

Mac Installer

Expired 96d ago

MyApp

com.company.myapp

iOS

PushService

com.company.pushservice

iOS

MacApp

com.company.macapp

macOS

Expiration alerts

Email, Slack, Teams, Jira, PagerDuty, and incident.io, with configurable thresholds and test runs. Fire only when auto-renewal can't act.

Alert routing rules

Profile wizard

A guided flow that picks the right identifier, certificate, and devices and generates the profile through Apple's API.

Profile creation wizard

Apple's Developer Portal wasn't built for teams. Neither was your git repo.

Certificates live in git or shared drives. Profiles break in CI. Nobody knows which app is affected until a release fails at 5pm on a Friday. If any of the following sound familiar, HexSign is for you.

Certificates and .p12 files live in git, Dropbox, or a shared 1Password vault

fastlane match works, but committing encrypted secrets still feels wrong

CI pipelines fetch signing material from a dozen ad-hoc places

Certificates and profiles expire mid-release and someone has to rotate them by hand

No visibility into profile-certificate dependencies

developer.apple.com makes it hard to find issues across multiple Apple accounts

How it works

From Apple account to vault, dashboard, and CI.

Connect your Apple Developer account

Add your App Store Connect API key (Issuer ID, Key ID, and private key). HexSign authenticates securely using Apple's official API.

Auto-sync certificates & profiles

HexSign pulls all your certificates, provisioning profiles, bundle IDs, and devices. Changes are detected on each sync.

Explore the relationship graph

See how everything connects in an interactive visual graph. Color-coded by status so problems jump out instantly.

Set up alerts and stay ahead

Configure alerts to email, Slack, Microsoft Teams, or your incident tooling with custom thresholds. Get notified days before anything expires.

Enterprise-ready from day one

Multi-account management, audit logs, sync history, RBAC, and encrypted API key storage. Built for teams that take security seriously.

Security & enterprise features

Bring your own CI. Fetch signing assets from the vault.

The HexSign CLI pulls certificates and profiles straight from the encrypted vault into any pipeline: GitHub Actions, GitLab, Bitrise, Codemagic, fastlane, or your own shell. No certs in git, no fastlane match repo, no shared Apple ID. Explore the CLI →

Is HexSign right for you?

HexSign is a great fit if you:

Store Apple certificates in git, fastlane match, or shared drives and want a managed vault instead

Run CI/CD that depends on code signing and want a CLI that works across GitHub Actions, GitLab, Bitrise, or any shell

Manage iOS or macOS apps in production

Work across multiple Apple Developer accounts

Need to track certificate expirations before they break a release

Want to understand cert-profile-app relationships at a glance

See how we compare

HexSign vs the alternatives

Open-source CLI

HexSign vs Fastlane Match

Read HexSign vs Fastlane Match

Apple's first-party portal

HexSign vs Apple Developer Portal

Read HexSign vs Apple Developer Portal

CI/CD with managed signing

HexSign vs Codemagic

Read HexSign vs Codemagic

Mobile DevOps platform

HexSign vs Bitrise

Read HexSign vs Bitrise

Apple's managed CI/CD with automatic signing

HexSign vs Xcode Cloud

Read HexSign vs Xcode Cloud

The secure vault and dashboard for Apple code signing.

iOS · macOS · tvOS · watchOS

One source of truth for Apple code signing.

An encrypted vault for certificates, a dashboard for every profile and expiration, and a CLI that ships signing assets to any CI. Synced with App Store Connect.