Exporting for external code signing
When you have secured an app for external signing and included a signing profile, you export a zip file and sign the app outside the console. This zip file includes:
- A copy of the secured app
- All information required to sign the app
- A simple script (sign.sh) to run on a macOS or Linux signing server
The external signing option requires a signing profile to include with the secured app. Applying the signing profile in the policy console validates the signing parameters for use with your app, even though it does not sign the app.
If you have successfully secured the app by applying policies, the Export for Signing button becomes active. Click it to download the app with its signing information.
Using the exported zip file
Export for Signing downloads a zip file (exported-com.qwe.myapp.zip).
Sign iOS apps on a Mac (macOS 10.12+) with Xcode 8.3.2+ and your code signing identity.
Sign Android apps on a macOS or Linux server with Android Studio SDK, including build-tools 29.0.2+. The signing process uses apksigner and zipalign, which are included in the build-tools.
The signing script requires you to have Python 3 installed on your signing server. If needed, download the latest Python 3 here:
Note that macOS Catalina already has Python 3 installed.
You may need to confirm that the build-tools location is in your command path. On the Mac signing server, find the installation folder in Android Studio > Configure > SDK Manager. Open a Terminal window and check the path:
Find the path to the build-tools under the installation folder, and add it to the search path, for example:
To sign the app using the contents of the zip file:
On your macOS or Linux server, extract the contents of the zip file.
In the directory with the extracted files, make sign.sh executable:
Run the script:
Optionally, you can specify the output filename, for iOS:
If you don't specify an output filename, the signing script displays the filename when complete.
Note: Do not specify the input filename.
Running the signing script
When you integrate your app and choose "Sign externally", the platform produces a zip file with these contents:
- The integrated app (.apk or .ipa)
- A script (sign.sh) which calls the codesign script (written in Python)
- The codesign.py script
- A common_utils folder with a set of Python utilities
Use ./sign.sh to run the signing script, as described under Using the exported zip file.
- If the signing profile details (including keystore for Android and provisioning profile for iOS) were included during integration on the platform, the signing script signs the integrated app.
- If the signing profile details were not provided on the platform, the signing script prompts for those details. The signing process requires these details to validate, align, and sign the integrated app.
To override the signing profile details bundled with the app during integration, you can use the signing script to pass in these parameters.
|Signing script flag||Description|
|-k, --keystore||The location of the keystore to sign the Android app with|
|-a, --alias||The alias for the provided keystore|
|-p, --password||The password for the provided keystore|
|-o, --output||The output location for the signed Android app|
|Signing script flag||Description|
|-a, --app||The iOS app you would like to sign|
|-i, --identity||The signing identity to use for signing|
|-p, --profile||The provisioning profile to sign the app|
|-e, --entitlements||The signing entitlements to sign the app|
|-o, --output||The output location for the signed iOS app|