How to Automate Secure iOS App Code Signing in DevOps CI/CD
Signing iOS applications is required in order to install them on mobile devices. Many teams sign within their development and integration platform, but some are required to sign on designated computers in order to keep the signing credentials within a trusted environment. With Appdome you can securely automate iOS app signing within a CI/CD pipeline without uploading the signing certificate to Appdome’s cloud service.
This Knowledge Base article provides step-by-step instructions on how to sign your secured iOS mobile app using Appdome’s Auto-Dev private signing script.
We hope you find this knowledge base useful and enjoy using Appdome!
How to Securely Automate iOS App Signing In CI/CD
As an Appdome user, you can sign any Appdome-Secured app either by using Appdome’s built-in signing capabilities, Appdome’s Auto-DEV Private Signing script, or your own mechanism outside of Appdome. It’s your choice. However, signing iOS applications outside of Xcode is complex: a developer needs to unzip the application, sign each executable and app extension with the correct certificate and provisioning profile in a specific order, and finally zip the files back into an .ipa, a process that is both tedious and prone to mistakes. To securely automate iOS app signing in CI/CD, use Appdome’s Auto-DEV Private Signing script. It signs your app in seconds, correctly every time.
During the Appdome Build process, adapters are added to the app to provide the requested functionality. This invalidates the app’s original signature, so the app must be re-signed before it can be deployed to mobile devices. Appdome lets you sign your Built app by running a single script.
Appdome’s Auto-DEV Private Signing script lets users sign Built apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script in your trusted environment extracts and signs the app using a certificate in your keychain.
3 Easy Steps to Securely Automate iOS App Signing In CI/CD
Follow these step-by-step instructions to securely automate iOS app signing in CI/CD:
- From within the Sign tab, select the signing method: Auto-DEV Private Signing.
- Upload the Provisioning Profile that matches your signing certificate, wait for Appdome to verify the signing parameters, then click the Auto-DEV Sign Privately button.
- (Optional) Toggle ON Use Manual Entitlements Matching if you want to supply an entitlements plist file to use when signing the app on Appdome.
- When this feature is OFF, Appdome creates an entitlements file based on the entitlements used to sign the non-protected app.
For more information and a detailed manual on how to obtain the entitlement file for your app, please read this knowledge base article.
- Click Next once the Signing Script Generation is complete.
Next, Click Download My Built App to download the automatic private signing script (sign.sh). Your Appdome-Built unsigned app is embedded in this script.
Prerequisites for Using Appdome’s Auto-DEV Private Signing Script
- Appdome account – IDEAL or Higher.
- Appdome-DEV access
- iOS Mobile App
- Signing Credentials (e.g., signing certificate and provisioning profile) – verify that the certificate (with its private key) has been added to your local Keychain (to add it, just double-click the certificate).
- Mac OS X computer with:
- Python (version 2.7 or higher)
- Codesign – Apple utility that adds the signature directly to the executable file (Xcode version 10.1 or higher)
How to Run Auto-DEV Private Script:
To run the automatic private signing script, use the following command:
./sign.sh --signer <"Signer Identity" or sha-1 hash> --output <signed_app_name>.ipa
If you need help finding the value to enter for the Signer Identity, follow the steps below.
Note! In some environments, you may be required to grant executable permissions to the signing script (using chmod +x command):
chmod +x sign.sh
The Signer Identity is how the script identifies the certificate in the workstation’s Keychain Access. You can use either the certificate’s common name (enclosed in double quotes) or its SHA-1 fingerprint. To extract the certificate common name / SHA-1 fingerprint:
- On your computer open the Keychain Access app.
- Choose the certificate you wish to sign with and open the options menu (left-click).
- Choose ‘Get Info’.
- Copy the certificate common name / SHA-1 fingerprint.
Important Note! Codesign needs authorized access to your signing certificate in the Keychain. The password for your keychain is normally your user’s password (the one you use to log in to your computer). To ensure the automatic private signing script runs without interruption, we recommend choosing ‘Always Allow’ when prompted to authorize access to the Keychain.
Now you can run the automatic private signing script with your Signer Identity value:
If you have multiple certificates with the same common name, the script will prompt you to use the SHA-1 fingerprint (which is always unique). If you enter an invalid identifier (a typo or a non-existent certificate), the script will show an error and print all the valid identities:
$ ./sign.sh --signer <invalid_signer> --output signed_app.ipa
>>> ERROR: The identity: invalid_signer was not found in the keychain. Valid identities by name are: iPhone Distribution: iPhone Distribution: Valid identitys by sha-1 are:
The script will also notify you if the Signer Identity you are trying to use doesn’t match the provisioning profile used to seal the app, and will show you the valid identities:
$ ./sign.sh --signer <mismatched_signer> --output signed_app.ipa
>>> INFO: Successfully matched certificate SHA-1 fingerprint  in keychain ERROR: The input certificate doesn't match the provisioning profile. Valid certificates are: Cert: [iPhone Distribution: ], with fingerprint: 
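The Signer Identity lookup and the duplicate-common-name rule described above, as an added example that is not part of Appdome's script: a POSIX shell helper for a CI job that resolves a certificate common name to its unique SHA-1 fingerprint from the output of macOS's `security find-identity -v -p codesigning` (format assumed; the listing below is constructed) and fails the job before `sign.sh` is called when the name is missing or shared by several certificates.

```shell
#!/bin/sh
# Added example (not Appdome's code): pick the --signer value for sign.sh in CI.
# sign.sh accepts a certificate common name or its SHA-1 fingerprint and needs
# the SHA-1 whenever several certificates share a name. This helper resolves a
# name to a unique SHA-1 up front, so an ambiguous or missing identity fails the
# pipeline before the signing step. The listing format assumed here is that of
# `security find-identity -v -p codesigning` on macOS.

# Constructed sample listing (two certificates share one common name).
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "iPhone Distribution: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "iPhone Distribution: Example Corp (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: dev@example.com (XYZ98765)"
     3 valid identities found'

# fingerprints_for NAME: read an identity listing on stdin and print the SHA-1
# of every identity whose quoted common name equals NAME exactly.
fingerprints_for() {
    want="$1"
    while IFS= read -r line; do
        sha=$(printf '%s\n' "$line" | sed -n 's/^ *[0-9]*) \([0-9A-F]\{40\}\) ".*"$/\1/p')
        cn=$(printf '%s\n' "$line" | sed -n 's/^ *[0-9]*) [0-9A-F]\{40\} "\(.*\)"$/\1/p')
        if [ -n "$sha" ] && [ "$cn" = "$want" ]; then
            printf '%s\n' "$sha"
        fi
    done
    return 0
}

# resolve_signer NAME LISTING: print the value to pass to `sign.sh --signer`.
# One match -> its SHA-1; none -> exit 1; several -> exit 2 and list them,
# mirroring the cases sign.sh itself reports only after it has started.
resolve_signer() {
    matches=$(printf '%s\n' "$2" | fingerprints_for "$1")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    case "$count" in
        0) echo "ERROR: no identity named '$1' in the keychain" >&2; return 1 ;;
        1) printf '%s\n' "$matches" ;;
        *) echo "ERROR: '$1' matches $count certificates; use one SHA-1 instead:" >&2
           printf '%s\n' "$matches" >&2; return 2 ;;
    esac
}

# On the signing Mac, replace the sample with the live listing:
#   LISTING=$(security find-identity -v -p codesigning)
#   SIGNER=$(resolve_signer "iPhone Distribution: Example Corp (ABCDE12345)" "$LISTING") \
#     && ./sign.sh --signer "$SIGNER" --output signed_app.ipa
resolve_signer "Apple Development: dev@example.com (XYZ98765)" "$SAMPLE_IDENTITIES"
```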
How Do I Learn More?
If you have any questions, please send them our way at email@example.com or via the chat window on the Appdome platform.