Signing iOS applications is required in order to install them on mobile devices. Many individuals sign within their development and integration platform, but some are required to sign the applications on designated computers in order to keep the signing credentials within a trusted environment. With Appdome you can securely automate iOS app signing within a CI/CD pipeline without uploading the signing certificate to Appdome’s cloud service.
This Knowledge Base article provides step-by-step instructions on how to sign your secured iOS mobile app using Appdome’s Auto-Dev private signing script.
We hope you find this knowledge base useful and enjoy using Appdome!
As an Appdome user, you can sign any Appdome-Secured app by using Appdome’s built-in signing capabilities, by using Appdome’s Auto-DEV Private Signing script, or by using your own mechanism outside of Appdome. It’s your choice. However, signing iOS applications outside of Xcode is complex. A developer needs to unzip the application, sign each executable and app extension with the correct certificate and provisioning profile in a specific order, and finally zip the files back into an .ipa, a process that is both tedious and prone to mistakes. To securely automate iOS app signing in CI/CD, use Appdome’s Auto-DEV Private Signing script. This will sign your app in seconds, correct every time.
During the Appdome app build, adapters are added to the app to achieve the desired added functionality. This invalidates the app’s original signature, so the app must be re-signed before it can be deployed on mobile devices. Appdome lets you sign your built app by running a single script.
Appdome’s Auto-Dev Private Signing iOS Apps script allows users to sign built apps locally without uploading the signing certificate to Appdome’s cloud service. The unsigned app is embedded in the script generated by Appdome. Running the script in your trusted environment extracts the app and signs it using a certificate in your keychain.
Follow these step-by-step instructions to securely automate iOS app signing in CI/CD:
Next, click Download My Built App to download the automatic private signing script (sign.sh). Your Appdome-Built unsigned app is embedded in this script.
To run the automatic private signing script, use the following command:
./sign.sh --signer <"Signer Identity" or sha-1 hash> --output <signed_app_name>.ipa
If you need some help with finding the value to enter for the Signer Identity you can enter this command:
Note! In some environments, you may be required to grant executable permissions to the signing script (using chmod +x command):
chmod +x sign.sh
The Signer Identity is how the script identifies the certificate in the workstation’s Keychain Access. You can use either the certificate’s common name (enclosed in double quotes) or its SHA-1 fingerprint. To extract the certificate common name / SHA-1 fingerprint:
Important Note! The codesign tool needs authorized access to your signing certificate in the Keychain. The password for your keychain is normally your user’s password (the one you use to log in on your computer). To ensure the automatic private signing script runs without interruptions, we recommend choosing ‘Always Allow’ for the authorized access to the Keychain.
Now you can run the automatic private signing script with your Signer Identity value:
If you have multiple certificates with the same common name, the script will prompt you to use the SHA-1 fingerprint (which is always unique). If you enter an invalid identifier (a typo or a non-existent certificate), the script will show an error and print all the valid identities:
$ ./sign.sh --signer <invalid_signer> --output signed_app.ipa
>>> ERROR: The identity: invalid_signer was not found in the keychain.
Valid identities by name are:
iPhone Distribution:
iPhone Distribution:
Valid identitys by sha-1 are:
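A prompt for the SHA-1 fingerprint would stall an unattended CI job, so one option is to resolve the signer to a single fingerprint before calling sign.sh. The following is an added example, not part of Appdome's script: resolve_signer is a hypothetical helper, and the identity listing is a constructed sample (made-up names and fingerprints) in the format printed on macOS by security find-identity -v -p codesigning.

```shell
#!/bin/sh
# Added example (not Appdome's code): pick exactly one signing identity
# before calling sign.sh, so a CI job never waits on a prompt.

# Constructed sample in the format printed on macOS by
#   security find-identity -v -p codesigning
# Names and fingerprints below are made up.
SAMPLE_IDENTITIES='  1) 1111111111111111111111111111111111111111 "iPhone Distribution: Example Corp (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "iPhone Distribution: Example Corp (ABCDE12345)"
  3) 3333333333333333333333333333333333333333 "iPhone Developer: Jane Doe (FGHIJ67890)"
     3 valid identities found'

# resolve_signer NAME_OR_SHA1   (hypothetical helper; reads the listing on stdin)
# Prints the one matching SHA-1 fingerprint.
# Returns 1 when nothing matches, 2 when a common name matches several certs.
resolve_signer() {
  wanted=$1
  matches=$(awk -v w="$wanted" '
    $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 !~ /[^0-9A-Fa-f]/ {
      sha = toupper($2)
      name = $0
      sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
      sub(/"[^"]*$/, "", name)   # drop the closing quote and what follows
      if (name == w || sha == toupper(w)) print sha
    }' | sort -u)
  if [ -z "$matches" ]; then
    echo "no signing identity matches: $wanted" >&2
    return 1
  fi
  count=$(printf '%s\n' "$matches" | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "ambiguous name '$wanted' ($count certificates); pass a SHA-1" >&2
    return 2
  fi
  printf '%s\n' "$matches"
}

# Demo on the constructed sample: a unique name resolves to its fingerprint.
printf '%s\n' "$SAMPLE_IDENTITIES" | resolve_signer "iPhone Developer: Jane Doe (FGHIJ67890)"

# On the signing host the same function would sit in front of sign.sh:
#   fp=$(security find-identity -v -p codesigning | resolve_signer "$SIGNER") || exit 1
#   ./sign.sh --signer "$fp" --output signed_app.ipa
```

Failing the job on return code 2 makes a duplicated common name visible in the pipeline log instead of leaving the job waiting for input.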
The script will notify you if the Signer Identity you are trying to use doesn’t match the provisioning profile used to seal the app, and will show you the valid identities:
$ ./sign.sh --signer <mismatched_signer> --output signed_app.ipa
>>> INFO: Successfully matched certificate SHA-1 fingerprint  in keychain
ERROR: The input certificate doesn't match the provisioning profile.
Valid certificates are:
Cert: [iPhone Distribution: ], with fingerprint:
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.