[`fastlane-plugin-hexsign`](https://github.com/HexSign/fastlane-plugin-hexsign) adds two fastlane actions, `hexsign_certificates_download` and `hexsign_profiles_download`, that shell out to the `hexsign` CLI. If you already have a fastlane lane that builds, signs, and ships, this is the smallest possible change: drop two lines in front of `gym` (or `build_app`) and you're off the Apple Developer portal.
Install
Add the plugin to your project's `Pluginfile`:
```ruby
gem "fastlane-plugin-hexsign"
```
Then install it:
```sh
bundle install
```
The plugin shells out to the CLI rather than re-implementing the API, so the `hexsign` binary must be installed and on `$PATH`. On a developer laptop, `brew install hexsign`. In CI, use the [Setup HexSign CLI GitHub Action](/help/cli/setup-hexsign-cli-github-action) or install from a release tarball.
Authentication
The CLI auto-detects machine mode when these env vars are set, so the plugin needs no separate auth configuration:
```sh
export HEXSIGN_CLIENT_ID=…
export HEXSIGN_CLIENT_SECRET=…
```
Provision a service credential under **Settings → CLI Tokens** in the [HexSign dashboard](https://dashboard.hexsign.net). The secret is shown exactly once — store it as a CI secret immediately.
Actions
- `hexsign_certificates_download`: Downloads a signing certificate (`.p12` + a sibling `.password` file, both `0600`). Required option: `id`. Optional: `output_dir`, `filename`.
- `hexsign_profiles_download`: Downloads a provisioning profile (`.mobileprovision`). Required option: `id`. Optional: `output_dir`, `filename`.
A typical lane
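```ruby
lane :beta do
  # Fetch the signing certificate (.p12 plus its sibling .password file) and the profile.
  hexsign_certificates_download(id: ENV["HEXSIGN_CERT_ID"], output_dir: "build/sign")
  hexsign_profiles_download(id: ENV["HEXSIGN_PROFILE_ID"], output_dir: "build/sign")

  # Import the certificate into the build keychain, reading the password from the sibling file.
  import_certificate(
    certificate_path: "build/sign/certificate.p12",
    certificate_password: File.read("build/sign/certificate.password").strip,
    keychain_name: "build.keychain"
  )

  # Build and sign the app.
  gym(scheme: "MyApp")
end
```
Common gotchas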
- `hexsign: command not found` — the `hexsign` CLI isn't installed on the runner. Add a step that installs it before `bundle exec fastlane`.
- `401 invalid_client` — service credentials are wrong or revoked. Re-provision in the dashboard and update the CI secret.
- `403 insufficient scope` — the credential lacks `hexsign-api/read`. Recreate it with the right scope set; HexSign does not edit scopes on existing credentials.
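The first gotcha and the `0600` guarantee on the downloaded certificate files can both be checked from the Fastfile before anything is imported. The following is an added example, not code from the plugin or from HexSign; the helper names are hypothetical, and it assumes the `build/sign` output directory used in the lane above.

```ruby
require "fileutils"

# Hypothetical helpers for a Fastfile; not part of fastlane-plugin-hexsign.
HEXSIGN_ENV_VARS = %w[HEXSIGN_CLIENT_ID HEXSIGN_CLIENT_SECRET].freeze
SIGNING_GLOB = "*.{p12,password,mobileprovision}".freeze

# Returns a list of problems that would make the download actions fail:
# missing machine-mode credentials or no `hexsign` binary on PATH.
def hexsign_preflight(env = ENV)
  problems = HEXSIGN_ENV_VARS.select { |k| env[k].to_s.empty? }
                             .map { |k| "#{k} is not set" }
  on_path = env["PATH"].to_s.split(File::PATH_SEPARATOR).any? do |dir|
    candidate = File.join(dir, "hexsign")
    File.file?(candidate) && File.executable?(candidate)
  end
  problems << "hexsign CLI not found on PATH" unless on_path
  problems
end

# Returns the certificate and password files in `dir` that are NOT safe to use:
# anything that is a symlink, not owned by the current user, or not mode 0600.
def loose_signing_files(dir)
  Dir.glob(File.join(dir, "*.{p12,password}")).sort.reject do |path|
    st = File.lstat(path) # lstat: do not follow symlinks
    st.file? && st.owned? && (st.mode & 0o777) == 0o600
  end
end

# Deletes downloaded signing material so it does not outlive the build.
def purge_signing_files(dir)
  FileUtils.rm_f(Dir.glob(File.join(dir, SIGNING_GLOB)))
end
```

In a lane, fail with `UI.user_error!` when `hexsign_preflight` or `loose_signing_files("build/sign")` returns anything, and call `purge_signing_files("build/sign")` from an `ensure` block after `gym`.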