The External Signing extension enables the workflow to verify the signing credentials and bundle everything you need to sign externally in a zip file, including a script for signing. The workflow then pauses at the signing step to let you take care of signing the app.

The signing step does not sign the app—this page describes the steps you take to download the zip file, sign the app on a local signing server, and upload the signed app before continuing to the next step.

When the app is ready for signing, the workflow status shows that the app is waiting on Signing. This status is available via the Dashboard > Deployment Workflow widget, as well as the workflow run details on App Details page. If you created a notification list when you configured the signing step, the platform sends email to those users when the app is ready for signing. 

Signing the app

When the workflow is running and gets to the signing step, it pauses after creating the signing package.

  1. On the Dashboard, the Deployment Workflow widget shows that the app is waiting on Signing. 
  2. Click Signing to go to the Deployment Status page. 
  3. Click the download button on the Signing step to download the zip file.
  4. Unzip and sign the app on a local signing server.

Using the signing bundle

 Expand for information about using the zip file and signing the app...

Signing the app on a local signing server

Signing requirements


Sign iOS apps on a Mac (macOS 10.12+) with Xcode 8.3.2+ and your code signing identity.


Sign Android apps on a macOS or Linux server with Android Studio SDK, including build-tools 29.0.2+. The signing process uses apksigner and zipalign, which are included in the build-tools.


The signing script requires you to have Python 3 installed on your signing server. If needed, download the latest Python 3 here: that macOS Catalina already has Python 3 installed. 

Build tools

You may need to confirm that the build-tools location is in your command path. On the Mac signing server, find the installation folder in Android Studio > Configure > SDK Manager. Open a Terminal window and check the path:

$ echo $PATH

Find the path to the build-tools under the installation folder, and add it to the search path, for example:

$ PATH=$PATH:/Users/jlennon/Library/Android/sdk/build-tools/29.0.3/

To sign the app using the contents of the zip file:

  • On your macOS or Linux server, extract the contents of the zip file. 
  • In the directory with the extracted files, make executable:

    $ cd exported-com.qwe.myapp 
    $ chmod +x
  • Run the script:

    $ sh

Optionally, you can specify the output filename, for iOS:

$ sh -o output_filename.ipa

For Android:

$ sh -o output_filename.apk

If you don't specify an output filename, the signing script displays the filename when complete.Note: Do not specify the input filename.

Running the signing script

When you include the External Signing with Blue Cedar step in your workflow, the platform produces a zip file with these contents:
  • The integrated app (.apk or .ipa)
  • A script ( which calls the codesign script (written in Python)
  • The script
  • A common_utils folder with a set of Python utilities

Use ./ to run the signing script, as described under Using the exported zip file.To override the signing profile details bundled with the app during integration, you can use the signing script to pass in these parameters.Android

Signing script flagDescription
-k, --keystoreThe location of the keystore ​to sign the Android app with
-a, --aliasThe alias for the provided keystore
-p, --passwordThe password for the provided keystore
-o, --outputThe output location for the signed Android app


Signing script flagDescription
-a, --appThe iOS app you would like to sign
-i, --identityThe signing identity to use for signing
-p, --profileThe provisioning profile to sign the app
-e, --entitlementsThe signing entitlements to sign the app
-o, --outputThe output location for the signed iOS app

After signing the app

  1. Back on the Deployment Status page, use the upload button on the Signing step to upload the signed app file.
  2. The workflow continues to the next step.

Related topics

Extension - External Signing