Integrations
HexSign plugs into the tools you already ship with.
Ship certificates and profiles straight from the HexSign vault to any CI (a GitHub Action, a fastlane plugin, a Bitrise Step, a GitLab CI/CD component, a CircleCI orb, or your own shell) without storing secrets in git. Route expiration alerts to email, Slack, Microsoft Teams, Jira, PagerDuty, or incident.io so a forgotten certificate is the system's problem, not yours.
CI / CD
Wire signing into your pipeline.
Each integration is a thin wrapper around the same hexsignCLI, so you keep one mental model whether you're on GitHub Actions today and Bitrise tomorrow. Certificates stay in the encrypted vault instead of fastlane match or a shared git repo.
GitHub Actions
Install the CLI on a runner in one step
The Setup HexSign CLI action installs the binary, verifies its SHA-256 checksum, and (optionally) flips into machine mode using your service credential, so the next steps can `hexsign certificates download` before xcodebuild.
GitLab CI/CD
One include: block in your .gitlab-ci.yml
The HexSign CI/CD component installs the CLI and downloads signing material before your build job. `setup` puts the verified binary on a runner; `fetch` pulls the right `.p12` and `.mobileprovision` straight into a job artifact for xcodebuild. By id or by filter, the same as every other integration.
fastlane
Drop two actions into your lane
`fastlane-plugin-hexsign` adds `hexsign_certificates_download` and `hexsign_profiles_download`. Pull the right `.p12` and `.mobileprovision` by ID, hand them to `import_certificate` and `gym`, ship.
Bitrise
A single Step before xcode-archive
`hexsign-fetch-signing-material` downloads the certificate, the profile, or both, exposing paths as env vars for `certificate-and-profile-installer`, `xcode-archive`, or `fastlane`. Service credentials live in workflow secrets.
CircleCI
Commands and a one-shot job for your config
The HexSign orb adds `hexsign/install` plus `hexsign/certificates_download` and `hexsign/profiles_download` commands, and a `hexsign/fetch` job that pulls signing material into the workspace for a downstream xcodebuild job. Service credentials live in a CircleCI context.
Jenkins
No plugin needed, just the CLI on a macOS agent
Install the `hexsign` binary in a pipeline stage, bind your service credential from the Jenkins credentials store, and fetch the certificate and profile before xcodebuild. Works in declarative and freestyle jobs alike.
Xcode Cloud
Migrate to a CI you control
Moving off Xcode Cloud's managed signing? Put your certificates and profiles in the vault and fetch them with the CLI from any CI, so the same signing identity works everywhere, not just inside Apple's runners.
HexSign CLI
The binary behind every integration
Every integration above shells out to the `hexsign` CLI. If your CI is none of the above (Buildkite, TeamCity, Azure Pipelines, self-hosted), install the binary and the same `download` commands work the same way.
Alerts
Get notified before something expires.
Configure thresholds at 90, 60, 30, 14, and 7 days and route them to any mix of channels: an inbox, a chat message, a ticket, or a page. Send a test alert before enabling delivery.
Address lists, no user account required
Send threshold alerts to any address, including distribution lists like `ios-releases@your-team.com`. Recipients don't need a HexSign account. Test each threshold before flipping it live.
Slack
Incoming webhook into the channel of your choice
Add the Incoming Webhooks app to your workspace, paste the URL into HexSign, send a test alert to confirm wiring. Post to `#releases`, `#ios-on-call`, or wherever the right humans live.
Microsoft Teams
Workflow connector into a channel
Create a Workflow webhook on a Teams channel, paste the URL into HexSign. Same threshold logic as email and Slack, with a per-channel test alert before you enable delivery.
Jira
Open an issue when something's expiring
Point HexSign at a Jira Cloud project with an API token. Each threshold opens an issue in the project and issue type you choose, so a renewal lands in the same backlog as the rest of your work.
PagerDuty
Trigger an incident via Events API v2
Paste an Events API v2 routing key. HexSign triggers a PagerDuty incident at each threshold, with severity scaled to how close the expiry is, so the right responder is paged before a build breaks.
Jira Service Management
Raise an alert in JSM Operations
Add a Jira Service Management Operations API key and HexSign raises a priority-scaled alert (P1–P5) on each threshold. JSM is Atlassian's replacement for the now-retired Opsgenie.
incident.io
Send an alert event to an HTTP source
Create an HTTP alert source in incident.io, paste its URL and token into HexSign. Every threshold sends an alert event that incident.io can group, route, or escalate into an incident.
Need an integration that isn't here yet? The CLI can drive anything HexSign does, so you can wire it into Jenkins, Buildkite, TeamCity, or anything else that runs a shell. Tell us what you'd like to see. That's how the GitHub Action, fastlane plugin, Bitrise Step, GitLab component, and CircleCI orb got built.