CI/CD · Integration

iOS code signing in CircleCI

Add the HexSign orb to your CircleCI config to install the CLI, fetch certificates and provisioning profiles from the vault, and archive with xcodebuild. No base64 secrets, no fastlane match repo.

3 min readUpdated May 31, 2026

CircleCI orb guide View on GitHub Orb Registry

The HexSign CircleCI orb installs the hexsign binary on a runner, verifies its SHA-256 against the release's signed checksums.txt, and downloads the certificate and provisioning profile you've stored in HexSign. Add hexsign: hexsign/hexsign@1.0.0 to the orbs: block, then call the ready-made hexsign/fetch job.

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.
A CircleCI context holding HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET, attached to the workflow.
The certificate and profile IDs you sign with (or a team id and bundle id if you fetch by filter).

Use the fetch job

yaml

# .circleci/config.yml
version: 2.1

orbs:
  hexsign: hexsign/hexsign@1.0.0

workflows:
  release:
    jobs:
      - hexsign/fetch:
          context: hexsign
          certificate_id: $HEXSIGN_CERT_ID
          profile_id:     $HEXSIGN_PROFILE_ID
          output_dir:     build/sign
      - archive:
          requires: [hexsign/fetch]

The fetch job installs the CLI, downloads the material, and persists it to the workspace; the archive job runs attach_workspace and finds the files under build/sign, ready for security import and xcodebuild. Prefer no extra job? Use the hexsign/install, hexsign/certificates_download, and hexsign/profiles_download commands inline instead. To survive rotation, fetch by certificate_type + team_id and bundle_id so the config never changes when an artefact is regenerated.

With vs. without

CircleCI with HexSign vs. without

The same release pipeline, before and after HexSign replaces the base64-secret-and-security-command approach.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a project env var or context, or a separate fastlane match git repo holding encrypted certs.

With HexSignIn the encrypted HexSign vault. Fetched per run and written to the workspace, never committed to the repository.

Pipeline setup effort

Without HexSignHand-rolled bash in every job: decode the env var, security create-keychain, import the .p12, set-key-partition-list, copy profiles into place.

With HexSignOne hexsign/fetch job (or three orb steps), then attach_workspace in your build job. The orb handles all keychain work.

Certificate rotation

Without HexSignRe-encode the new .p12, update the env var or context secret in every project that uses it, and verify each pipeline still passes.

With HexSignRegenerate once in HexSign. Fetch by certificate_type and bundle_id so no pipeline config or variable changes are needed.

Auditing access

Without HexSignReconstruct who could read the secret from context membership history. No per-download record.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential without touching the pipeline.

Supply-chain verification

Without HexSignNo checksum check on any install script or downloaded binary that runs on the runner.

With HexSignThe orb verifies the CLI SHA-256 against the release's signed checksums.txt before every run.

Keep wiring

Related integrations

GitHub Actions

Install the CLI in one step, fetch signing material before xcodebuild.

3 min readView integration

GitLab CI/CD

One include: block fetches signing material before your GitLab build job.

3 min readView integration

Bitrise

One Bitrise Step to fetch signing material from the vault, wired straight into certificate-and-profile-installer.

3 min readView integration

Wiring this up and something doesn't line up? Email support@hexsign.io or browse the rest of the integrations and the CLI help center.

What you need

A service credential with hexsign-api/read scope, provisioned under Settings → CLI Tokens in the HexSign dashboard. The secret is shown exactly once.

A CircleCI context holding HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET, attached to the workflow.

The certificate and profile IDs you sign with (or a team id and bundle id if you fetch by filter).

Use the fetch job

yaml

# .circleci/config.yml
version: 2.1

orbs:
  hexsign: hexsign/hexsign@1.0.0

workflows:
  release:
    jobs:
      - hexsign/fetch:
          context: hexsign
          certificate_id: $HEXSIGN_CERT_ID
          profile_id:     $HEXSIGN_PROFILE_ID
          output_dir:     build/sign
      - archive:
          requires: [hexsign/fetch]

CircleCI with HexSign vs. without

The same release pipeline, before and after HexSign replaces the base64-secret-and-security-command approach.

Without HexSign

With HexSign

Where signing material lives

Without HexSignA base64-encoded .p12 in a project env var or context, or a separate fastlane match git repo holding encrypted certs.

With HexSignIn the encrypted HexSign vault. Fetched per run and written to the workspace, never committed to the repository.

Pipeline setup effort

Without HexSignHand-rolled bash in every job: decode the env var, security create-keychain, import the .p12, set-key-partition-list, copy profiles into place.

With HexSignOne hexsign/fetch job (or three orb steps), then attach_workspace in your build job. The orb handles all keychain work.

Certificate rotation

Without HexSignRe-encode the new .p12, update the env var or context secret in every project that uses it, and verify each pipeline still passes.

With HexSignRegenerate once in HexSign. Fetch by certificate_type and bundle_id so no pipeline config or variable changes are needed.

Auditing access

Without HexSignReconstruct who could read the secret from context membership history. No per-download record.

With HexSignA per-call audit entry in HexSign, plus instant revocation of a leaked credential without touching the pipeline.

Supply-chain verification

Without HexSignNo checksum check on any install script or downloaded binary that runs on the runner.

With HexSignThe orb verifies the CLI SHA-256 against the release's signed checksums.txt before every run.

iOS code signing in CircleCI

What you need

Use the fetch job

CircleCI with HexSign vs. without

Related integrations

GitHub Actions

GitLab CI/CD

Bitrise

Stop committing signing material to repos.

iOS code signing in CircleCI

What you need

Use the fetch job

CircleCI with HexSign vs. without

Related integrations

GitHub Actions

GitLab CI/CD

Bitrise

Stop committing signing material to repos.