CI/CD · Integration

iOS code signing in Bitrise

Drop the hexsign-fetch-signing-material Step into a Bitrise workflow to pull certificates and provisioning profiles straight from the HexSign vault, then hand the paths to certificate-and-profile-installer and xcode-archive. No uploaded code-signing files, no committed secrets.

3 min readUpdated May 31, 2026

Bitrise Step guide View on GitHub

The hexsign-fetch-signing-material Step downloads the certificate (.p12 and password) and/or provisioning profile (.mobileprovision) stored in HexSign, places them on disk, and exposes the resulting paths as env vars for downstream Steps like certificate-and-profile-installer, xcode-archive, and fastlane. Nothing is uploaded to Bitrise's code-signing file storage.

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.
HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET configured as secret env vars in the Bitrise workflow editor.
The certificate and profile IDs you sign with (or a certificate type, bundle id, and team id if you fetch by filter).

Add it to your workflow

yaml

steps:
  - hexsign-fetch-signing-material@0:
      inputs:
        - certificate_id: $HEXSIGN_CERT_ID
        - profile_id:     $HEXSIGN_PROFILE_ID
        - client_id:      $HEXSIGN_CLIENT_ID
        - client_secret:  $HEXSIGN_CLIENT_SECRET
  - certificate-and-profile-installer@1:
      inputs:
        - certificate_url:          file://$HEXSIGN_CERTIFICATE_PATH
        - provisioning_profile_url: file://$HEXSIGN_PROFILE_PATH
        # Read the .password file in a script step and feed it in via env.
  - xcode-archive@5: {}

The Step writes the cert and profile paths into env vars that the next Steps read. On macOS you can skip certificate-and-profile-installer entirely: pass the keychain input to have the Step create a keychain and import the certificate, and install_profile to drop each .mobileprovision where Xcode finds it. If you regenerate signing material regularly, set certificate_type, bundle_id, and team_id instead of IDs so the workflow keeps working when an artefact rotates.

With vs. without

Bitrise with HexSign vs. without

The same Bitrise release workflow, before and after HexSign replaces the uploaded code-signing files and hand-rolled keychain work.

Without HexSign

With HexSign

Where signing material lives

Without HexSignUploaded to Bitrise's code-signing file storage (or committed to a fastlane match repo), accessible to anyone with project access.

With HexSignIn the encrypted HexSign vault. Fetched per run, written to disk in the build environment, never stored in Bitrise.

Pipeline setup effort

Without HexSignUpload each certificate and profile individually in the Bitrise UI, then configure certificate-and-profile-installer with the right file slugs.

With HexSignOne Step with two secret env vars. The Step outputs the file paths; downstream Steps pick them up automatically.

Certificate rotation

Without HexSignRe-upload the new .p12, delete the old one, and update any pipeline that references the file slug.

With HexSignRegenerate once in HexSign. Fetch by certificate_type and team_id so no Bitrise variable or workflow change is needed.

Auditing access

Without HexSignReconstruct who could read signing files from Bitrise project membership and log history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential without touching Bitrise at all.

Supply-chain and checksum verification

Without HexSignThe CLI (or any install script) is pulled onto the stack machine with no hash check.

With HexSignThe Step verifies the CLI SHA-256 against the release's signed checksums.txt before executing any download command.

Keep wiring

Related integrations

GitHub Actions

Install the CLI in one step, fetch signing material before xcodebuild.

3 min readView integration

CircleCI

Fetch signing material from the HexSign orb before xcodebuild, with no secrets in your config.

3 min readView integration

fastlane

Add two actions in front of gym to pull signing material from the vault, with no match repo required.

3 min readView integration

Wiring this up and something doesn't line up? Email support@hexsign.io or browse the rest of the integrations and the CLI help center.

iOS code signing in Bitrise

3 min readUpdated May 31, 2026

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.

HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET configured as secret env vars in the Bitrise workflow editor.

The certificate and profile IDs you sign with (or a certificate type, bundle id, and team id if you fetch by filter).

Add it to your workflow

yaml

steps:
  - hexsign-fetch-signing-material@0:
      inputs:
        - certificate_id: $HEXSIGN_CERT_ID
        - profile_id:     $HEXSIGN_PROFILE_ID
        - client_id:      $HEXSIGN_CLIENT_ID
        - client_secret:  $HEXSIGN_CLIENT_SECRET
  - certificate-and-profile-installer@1:
      inputs:
        - certificate_url:          file://$HEXSIGN_CERTIFICATE_PATH
        - provisioning_profile_url: file://$HEXSIGN_PROFILE_PATH
        # Read the .password file in a script step and feed it in via env.
  - xcode-archive@5: {}

Bitrise with HexSign vs. without

The same Bitrise release workflow, before and after HexSign replaces the uploaded code-signing files and hand-rolled keychain work.

Without HexSign

With HexSign

Where signing material lives

Without HexSignUploaded to Bitrise's code-signing file storage (or committed to a fastlane match repo), accessible to anyone with project access.

With HexSignIn the encrypted HexSign vault. Fetched per run, written to disk in the build environment, never stored in Bitrise.

Pipeline setup effort

Without HexSignUpload each certificate and profile individually in the Bitrise UI, then configure certificate-and-profile-installer with the right file slugs.

With HexSignOne Step with two secret env vars. The Step outputs the file paths; downstream Steps pick them up automatically.

Certificate rotation

Without HexSignRe-upload the new .p12, delete the old one, and update any pipeline that references the file slug.

With HexSignRegenerate once in HexSign. Fetch by certificate_type and team_id so no Bitrise variable or workflow change is needed.

Auditing access

Without HexSignReconstruct who could read signing files from Bitrise project membership and log history.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential without touching Bitrise at all.

Supply-chain and checksum verification

Without HexSignThe CLI (or any install script) is pulled onto the stack machine with no hash check.

With HexSignThe Step verifies the CLI SHA-256 against the release's signed checksums.txt before executing any download command.

iOS code signing in Bitrise

What you need

Add it to your workflow

Bitrise with HexSign vs. without

Related integrations

GitHub Actions

CircleCI

fastlane

Stop committing signing material to repos.

iOS code signing in Bitrise

What you need

Add it to your workflow

Bitrise with HexSign vs. without

Related integrations

GitHub Actions

CircleCI

fastlane

Stop committing signing material to repos.