Most CI uses of the CLI are read-only: fetch a certificate and a profile, sign, ship. The CLI also exposes the write-side operations — regenerate, revoke, delete — for the cases where you want to script rotation, deactivation, or one-off cleanup. Treat them with care: the changes go straight to App Store Connect.
What you need
- A user session (`hexsign login`) or a service credential with `hexsign-api/write` scope.
- The ID of the entity you're acting on. Use `hexsign certificates list` or `profiles list` first if you're not sure.
- A clear answer to "what depends on this?" — the dashboard's relationship graph is the easiest way to check before a write.
Regenerate a profile
Regenerating asks Apple to re-issue the profile from scratch. It picks up any changes to the underlying bundle ID's capabilities, gets a fresh expiration date, and is signed with the certificate currently associated with the profile.
hexsign profiles regenerate <profile_id>
# Then re-fetch the new .mobileprovision:
hexsign profiles download <profile_id> --output-dir build/sign
Revoke a certificate
Revocation is permanent on Apple's side and immediately invalidates every dependent provisioning profile. Always issue and roll out the replacement certificate first; only then revoke. The dashboard's certificate detail page enumerates the dependents — useful to print before the script runs.
# Print dependents for the record
hexsign certificates get <cert_id> -o json \
| jq '.data.profiles[] | { id, name, status }'
# Then revoke
hexsign certificates revoke <cert_id>
Delete a profile
Deleting a profile removes it from App Store Connect entirely. Useful for one-off Ad Hoc profiles you no longer need, or for cleaning up profiles created by a previous CI generation. The certificate they referenced is unaffected.
hexsign profiles delete <profile_id>
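Returning to the revoke step: the dependents listing can gate the revoke instead of only being printed for the record. This is an added example, not part of the hexsign CLI or its documentation; it assumes the JSON shape implied by the jq filter above (`.data.profiles[]` with `id`, `name`, `status`), and the script name `revoke_gate.py`, the function names and the sample ids are hypothetical.

```python
import json
import sys

# Constructed sample in the shape the page's jq filter reads (.data.profiles[]);
# the ids, names and status strings are made up for illustration.
SAMPLE = json.dumps({"data": {"profiles": [
    {"id": "PROF-AAA", "name": "App Store Dist", "status": "ACTIVE"},
    {"id": "PROF-BBB", "name": "Old Ad Hoc", "status": "ACTIVE"},
]}})


def dependents(cert_json):
    """Extract id/name/status of every profile listed under the certificate."""
    try:
        profiles = json.loads(cert_json)["data"]["profiles"]
    except (ValueError, KeyError, TypeError) as exc:
        # Fail closed: unreadable output must never look like "no dependents".
        raise ValueError(f"cannot read .data.profiles: {exc!r}") from exc
    if not isinstance(profiles, list) or not all(isinstance(p, dict) for p in profiles):
        raise ValueError(".data.profiles is not a list of objects")
    return [{k: p.get(k) for k in ("id", "name", "status")} for p in profiles]


def blockers(cert_json, accepted_ids):
    """Dependents that nobody has explicitly accepted losing."""
    return [p for p in dependents(cert_json) if p["id"] not in accepted_ids]


def gate(cert_json, accepted_ids):
    """Return 0 when revoking is safe, 1 when a dependent is unaccounted for."""
    try:
        blocking = blockers(cert_json, set(accepted_ids))
    except ValueError as exc:
        print(f"BLOCKED: {exc}", file=sys.stderr)
        return 1
    for p in blocking:
        print(f"BLOCKED by {p['id']} ({p['name']}, {p['status']})", file=sys.stderr)
    return 1 if blocking else 0


if __name__ == "__main__":
    # hexsign certificates get <cert_id> -o json | python revoke_gate.py PROF-BBB
    sys.exit(gate(sys.stdin.read(), sys.argv[1:]))
```

Chain the revoke behind it with `&&` so a non-zero exit stops the job; profiles already moved to the replacement certificate no longer appear as dependents, so the accepted list should only name profiles you intend to let go invalid.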
When to stay in the dashboard
- Creating a new provisioning profile from scratch — the wizard handles intent, identifier, certificate, and devices in one flow.
- Visualising blast radius before a revoke — the relationship graph lights up every dependent in one view.
- Anything you'd want a teammate to be able to review later via the audit log timeline.
Why scopes matter here
If your CI service credential only has `hexsign-api/read`, every write command above will fail with a 403. That's intentional. Issue a separate service credential for rotation jobs (named e.g. "rotation-cron — write") and don't reuse it in build pipelines.