Signing apps externally on MacOS

Blue Cedar supports signing iOS apps on macOS, and signing Android apps on macOS or Linux.

To sign Android apps on Windows, see Signing apps externally on MacOS.

Exporting for external code signing

This process assumes that you have successfully applied policies to secure an app via the console and included a valid signing profile. See the policy console documentation for information about securing an app, and Using and configuring signing profiles for information about signing profiles.

When you have secured an app for external signing and included a signing profile, you export a zip file and sign the app outside the console. This zip file includes:

  • A copy of the secured app 
  • All information required to sign the app
  • A simple script (sign.sh) to run on a macOS or Linux signing server

The external signing option requires a signing profile to include with the secured app. Applying the signing profile in the policy console validates the signing parameters for use with your app, even though it does not sign the app.

If you have successfully secured the app by applying policies, the Export for Signing button becomes active. Click it to download the app with its signing information.

Using the exported zip file

Export for Signing downloads a zip file (exported-com.qwe.myapp.zip).


Signing requirements

iOS

Sign iOS apps on a Mac (macOS 10.12+) with Xcode 8.3.2+ and your code signing identity.

Android

Sign Android apps on a macOS or Linux server with Android Studio SDK, including build-tools 29.0.2+. The signing process uses apksigner and zipalign, which are included in the build-tools.

Python

The signing script requires you to have Python 3 installed on your signing server. If needed, download the latest Python 3 here: 

https://www.python.org/downloads/

Note that macOS Catalina already has Python 3 installed. 

Build tools

You may need to confirm that the build-tools location is in your command path. On the Mac signing server, find the installation folder in Android Studio > Configure > SDK Manager. Open a Terminal window and check the path:

$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

Find the path to the build-tools under the installation folder, and add it to the search path, for example:

$ PATH=$PATH:/Users/jlennon/Library/Android/sdk/build-tools/29.0.3/

To sign the app using the contents of the zip file:

  • On your macOS or Linux server, extract the contents of the zip file.

  • In the directory with the extracted files, make sign.sh executable:

    $ cd exported-com.qwe.myapp
    $ chmod +x sign.sh

  • Run the script:

    $ sh sign.sh

Optionally, you can specify the output filename, for iOS:

$ sh sign.sh -o output_filename.ipa

For Android:

$ sh sign.sh -o output_filename.apk


If you don't specify an output filename, the signing script displays the filename when complete.

Note: Do not specify the input filename.
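
An added example, not part of the Blue Cedar export or its scripts: a pre-flight and post-sign check for the Android flow above. It picks the newest build-tools directory that meets the 29.0.2 minimum, confirms python3, apksigner and zipalign resolve, runs sign.sh, and then verifies the alignment and signature of the output. The file name preflight.sh, the function names and the two-argument invocation are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-flight and post-sign checks for the Android flow on this page.
MIN_BUILD_TOOLS="29.0.2"   # minimum build-tools version stated on this page

# version_ge A B: succeeds when dotted version A is >= B.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# newest_build_tools SDK_ROOT: prints the newest build-tools directory that
# meets the minimum, or returns non-zero when none qualifies.
newest_build_tools() {
    best=""
    for d in "$1"/build-tools/*/; do
        [ -d "$d" ] || continue
        v=$(basename "$d")
        version_ge "$v" "$MIN_BUILD_TOOLS" || continue
        if [ -z "$best" ] || version_ge "$v" "$(basename "$best")"; then
            best=${d%/}
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# preflight SDK_ROOT: checks Python 3 and puts apksigner/zipalign on PATH.
preflight() {
    command -v python3 >/dev/null || { echo "python3 not found" >&2; return 1; }
    bt=$(newest_build_tools "$1") || {
        echo "no build-tools >= $MIN_BUILD_TOOLS under $1" >&2; return 1; }
    PATH=$PATH:$bt; export PATH
    command -v apksigner >/dev/null && command -v zipalign >/dev/null
}

# verify_signed_apk APK: confirms the output is 4-byte aligned and that its
# signature verifies, printing the signer certificate for comparison with
# the certificate you expect.
verify_signed_apk() {
    zipalign -c 4 "$1" && apksigner verify --print-certs "$1"
}

# Assumed invocation, from the extracted directory:
#   sh preflight.sh <sdk-root> <output.apk>
if [ "$#" -eq 2 ]; then
    preflight "$1" && sh sign.sh -o "$2" && verify_signed_apk "$2"
fi
```

Compare the certificate printed by the last step with the one in the keystore you intended to use before distributing the signed app.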

Running the signing script

When you integrate your app and choose "Sign externally", the platform produces a zip file with these contents:

  • The integrated app (.apk or .ipa)
  • A script (sign.sh) which calls the codesign script (written in Python)
  • The codesign.py script
  • A common_utils folder with a set of Python utilities

Use ./sign.sh to run the signing script, as described under Using the exported zip file.

  • If the signing profile details (including keystore for Android and provisioning profile for iOS) were included during integration on the platform, the signing script signs the integrated app.
  • If the signing profile details were not provided on the platform, the signing script prompts for those details. The signing process requires these details to validate, align, and sign the integrated app.

To override the signing profile details bundled with the app during integration, you can use the signing script to pass in these parameters.

Android

Signing script flag    Description
-k, --keystore         The location of the keystore to sign the Android app with
-a, --alias            The alias for the provided keystore
-p, --password         The password for the provided keystore
-o, --output           The output location for the signed Android app

iOS

Signing script flag    Description
-a, --app              The iOS app you would like to sign
-i, --identity         The signing identity to use for signing
-p, --profile          The provisioning profile to sign the app
-e, --entitlements     The signing entitlements to sign the app
-o, --output           The output location for the signed iOS app