Before you begin, it is recommended to understand exactly how this project works. Knowing what is happening at each point will help you troubleshoot any issues far better. Check out the How does this all work? page.
You can create a builder in one of two ways:
-
Use a Continuous Integration (CI) service such as GitHub Actions or Semaphore CI. This method is the easiest, fastest, and most recommended way to make a builder. Head over to SignTools-CI and follow the instructions.
-
Use your own Mac machine. This method is only recommended if you already have a server Mac, you are somewhat experienced in server management, and you would like to host your truly own builder. Go to SignTools-Builder for instructions.
Only one builder is necessary, but you can have more if needed. Once done, proceed below.
It's easier if you use your personal computer for the initial configuration. This guide assumes you are doing that.
You need to create a configuration file which links the web service to your builder.
- Download the correct binary release for your computer
- Run it once — it will exit immediately, saying that it has generated a configuration file
- In the same folder as the binary, you will find a new file
signer-cfg.yml— open it with your favorite text editor and configure the settings using the explanations below. The lines that start with a hashtag#are comments, you do not need to touch them.
⚠️ Don't forget to set "enable: true" on the builder that you are configuring!
# configure the builder(s) you created in the previous section
builder:
# GitHub Actions
github:
enable: false
# the name you gave your builder repository
repo_name: SignTools-CI
# your GitHub profile/organization name
org_name: YOUR_ORG_NAME
workflow_file_name: sign.yml
# your GitHub personal access token that you created with the builder
token: YOUR_GITHUB_TOKEN
ref: master
# Semaphore CI
semaphore:
enable: false
# the name you gave to your Semaphore CI project
project_name: YOUR_PROJECT_NAME
# your Semaphore CI profile/organization name
org_name: YOUR_ORG_NAME
# your Semaphore CI token that you got when creating the builder
token: YOUR_SEMAPHORE_TOKEN
ref: refs/heads/master
secret_name: ios-signer
# your own self-hosted Mac builder
selfhosted:
enable: false
# the url of your builder
url: http://192.168.1.133:8090
# the auth key you used when you started the builder
key: SOME_SECRET_KEY
# the base url used by the builder to reach this server
# leave empty if using a tunnel provider, it will set this automatically
server_url: https://mywebsite.com
# whether to redirect all http requests to https
redirect_https: false
# where to save data like apps and signing profiles
save_dir: data
# how often does the cleanup job run
cleanup_interval_mins: 1
# apps that have been processing for more than this time will be marked as failed
sign_timeout_mins: 15
# this protects the web ui with a username and password
# definitely enable it if you are using a tunnel provider
basic_auth:
enable: false
username: "admin"
# don't forget to change the password
password: "admin"You need a signing profile to be able to sign apps. A signing profile is simply a collection of files and credentials that Apple provides to developers so they can sign apps.
There are two types of signing profiles:
-
Developer account
This method works for both free and paid developer accounts. You only need your Apple account's name and password. You will likely be prompted for a 6-digit code every time you sign an app, which you can submit on the service's web page. This method will be able to use most entitlements, resulting in working app extensions and iCloud synchronization. There are no restrictions if you have a paid account. If you have a free account, make sure you read and understand the limitations in the FAQ page.
-
Custom provisioning profile
If you have a provisioning profile with a
.mobileprovisionextension, you can use this method as well. There is no 6-digit code, so signing will be faster than a developer account. However, based on the type of your provisioning profile, different entitlements and features may not work on your signed apps. For the differences, check the FAQ page.
Additionally, you will also need a certificate archive with a .p12 extension. It must contain at least one certificate and at least one private key. If you need development entitlements, add an Apple Development certificate and its key. If you need distribution entitlements, add both an Apple Development and Apple Distribution certificate, along with their keys. For the differences, check the FAQ page.
If you are using a custom provisioning profile, you likely received a certificate archive along with it — use that. If you have a developer account, you can create one from the developer portal. Otherwise, follow the instructions below:
-
macOS
Install Xcode and open the
Account Preferences(A). Sign into your account using the plus button. Select your account and click onManage Certificates.... In the new window (B), click the plus button and thenApple Development. ClickDone. Now open theKeychainapp (C). There you will find your certificate and private key. Select them by holdingCommand, then right-click and selectExport 2 items.... This will export you the.p12file you need.A B C 
-
Windows
There is no official way to do this. However, you can use altserver-cert-dumper with AltStore as a workaround. Note that you are doing so at your own risk.
Once you have your signing profile, you need to create the correct folders for the service to read it:
- Create a new folder named
data(if you changedsave_dirin the config above, use that) - Create another folder named
profilesinside of it - Create a new folder named
my_profileinside ofprofiles. You can use any profile name here, this will be the ID of your signing profile - Put the signing related files inside here. Read ahead to see what they should be named
- Repeat the steps above for each signing profile that you want to add
⚠️ You need to match the files names exactly as they are shown below. For an example, your certificate archive must be named exactlycert.p12. Be aware that Windows may hide the extensions by default.
-
Developer account
data |____profiles | |____my_profile # Or what you named your profile | | |____cert.p12 # the signing certificate archive | | |____cert_pass.txt # the signing certificate archive's password | | |____name.txt # a name to show in the web interface | | |____account_name.txt # the developer account's name (email) | | |____account_pass.txt # the developer account's password | |____my_other_profile | | |____...
-
Custom provisioning profile
data |____profiles | |____my_profile # any unique string that you want | | |____cert.p12 # the signing certificate archive | | |____cert_pass.txt # the signing certificate archive's password | | |____name.txt # a name to show in the web interface | | |____prov.mobileprovision # the signing provisioning profile | |____my_other_profile | | |____...
That's all the initial configuration! To recap, you now have the following configuration files:
datafolder (or whatever you named it insave_dirin the config)signer-cfg.ymlfile
You have two options:
- Download the correct binary release (if this is a different computer than you used before)
- Move the configuration files you made in sections
2.1.and2.2.of this guide to the same folder as the binary you just downloaded
- Use the official Docker image
- Move and mount the configuration files from sections
2.1.and2.2.:./signer-cfg.yml:/signer-cfg.yml./data:/data(or whatever you set insave_dir)
For reference, these are the default arguments that will be used:
- The listening port is 8080. You can change this with the argument
-port 1234 - The listening host is all (0.0.0.0). You can change this with the argument
-host 1.2.3.4 - For more, use
-help
The web service cannot work by itself. You have two options:
Secure, fast, reliable, but harder to set up
-
Requires publicly accessible port 443 (HTTPS)
-
Requires domain with valid HTTPS certificate
-
Requires manual configuration of reverse proxy with your own authentication
-
Don't protect the following endpoints:
/apps/*/ /jobs /jobs/* /jobs/*/tus/ /files/*where
*is a wildcard parameter. -
Make sure the request hostname and scheme are preserved by your reverse proxy. For nginx, you need the following lines:
proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme;
Less secure, slower, but quick and easy to set up
ngrok and Cloudflare Argo are supported as tunnel providers. The latter will be demonstrated in this guide since it has no restrictions. Run the signer service with -help to see alternative details.
- Download the correct cloudflared binary for your computer.
- Every time before starting your service, execute the following command and keep it running:
cloudflared tunnel -url http://localhost:8080 -metrics localhost:51881
- Then start your service with the following command:
SignTools -cloudflared-port 51881
- When the service finishes loading, look for a line similar to this:
11:51PM INF using server url url=https://aids-woman-zum-summer.trycloudflare.comhttps://xxxxxxxxxxxx.trycloudflare.comis the public address of your service. That's what you want to open in your browser. If you want faster transfer speeds, you can also use the LAN or localhost IP address. Congratulations!
Check out the FAQ page.