It might be the quickest cross-platform codesign alternative for iOS 12+, supporting macOS, Linux, Windows, and more features. If this tool helps you, please don't forget to 🌟star🌟 ME.

Compile

macOS:

brew install pkg-config openssl minizip
git clone https://github.com/zhlynn/zsign.git
cd zsign/build/macos
make clean && make

Install ideviceinstaller for test:

brew install ideviceinstaller

Linux:

Ubuntu 22.04 / Debian 12 / Mint 21:

sudo apt-get install -y git g++ pkg-config libssl-dev libminizip-dev
git clone https://github.com/zhlynn/zsign.git
cd zsign/build/linux
make clean && make

Install ideviceinstaller for test:

sudo apt-get install -y ideviceinstaller

RHEL / CentOS / Alma / Rocky / Other clones:

You must install epel-release first, eg:

RHEL / CentOS / Alma / Rocky 8:

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

RHEL / CentOS / Alma / Rocky 9:

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

Then, install the dependencies and compile:

sudo yum install -y git gcc-c++ pkg-config openssl-devel minizip1.2-devel
git clone https://github.com/zhlynn/zsign.git
cd zsign/build/linux
make clean && make

Windows:

Use Visual Studio 2022 to open build/windows/vs2022/zsign.sln, then compile it on Windows 10/11.

Usage:

Usage: zsign [-options] [-k privkey.pem] [-m dev.prov] [-o output.ipa] file|folder
options:
-k, --pkey              Path to private key or p12 file. (PEM or DER format)
-m, --prov              Path to mobile provisioning profile. Use -m multiple times for app extensions.
-c, --cert              Path to certificate file. (PEM or DER format)
-a, --adhoc             Perform ad-hoc signature only.
-d, --debug             Generate debug output files. (.zsign_debug folder)
-f, --force             Force sign without cache when signing folder.
-o, --output            Path to output ipa file.
-p, --password          Password for private key or p12 file.
-b, --bundle_id         New bundle id to change.
-n, --bundle_name       New bundle name to change.
-r, --bundle_version    New bundle version to change.
-e, --entitlements      New entitlements to change.
-z, --zip_level         Compressed level when output the ipa file. (0-9)
-l, --dylib             Path to inject dylib file. Use -l multiple time to inject multiple dylib files at once.
-D, --rm_dylib          Name of dylib to remove. Use -D multiple times to remove multiple dylibs at once.
-w, --weak              Inject dylib as LC_LOAD_WEAK_DYLIB.
-i, --install           Install ipa file using ideviceinstaller command for test.
-t, --temp_folder       Path to temporary folder for intermediate files.
-2, --sha256_only       Serialize a single code directory that uses SHA256.
-C, --check             Check certificate validity and OCSP revocation status.
-x, --metadata          Extract metadata and icon to the specified directory.
-R, --rm_provision      Remove mobileprovision file after signing.
-S, --enable_docs       Enable UISupportsDocumentBrowser and UIFileSharingEnabled.
-M, --min_version       Set MinimumOSVersion in Info.plist.
-E, --rm_extensions     Remove all app extensions (PlugIns/Extensions).
-W, --rm_watch          Remove watch app from the bundle.
-U, --rm_uisd           Remove UISupportedDevices from Info.plist.
-q, --quiet             Quiet operation.
-v, --version           Shows version.
-h, --help              Shows help (this message).

1. Show mach-o and codesignature segment info.

./zsign demo.app/demo

2. Sign ipa with private key and mobileprovisioning file.

./zsign -k privkey.pem -m dev.prov -o output.ipa -z 9 demo.ipa

3. Sign folder with p12 and mobileprovisioning file (using cache).

./zsign -k dev.p12 -p 123 -m dev.prov -o output.ipa demo.app

4. Sign folder with p12 and mobileprovisioning file (without cache).

./zsign -f -k dev.p12 -p 123 -m dev.prov -o output.ipa demo.app

5. Sign ipa with ad-hoc.

./zsign -a -o output.ipa demo.ipa

6. Inject dylib into ipa and re-sign.

./zsign -k dev.p12 -p 123 -m dev.prov -l demo.dylib -o output.ipa demo.ipa

7. Change bundle id and bundle name

./zsign -k dev.p12 -p 123 -m dev.prov -b 'com.new.bundle.id' -n 'NewName' -o output.ipa demo.ipa

8. Inject dylib(LC_LOAD_DYLIB) into mach-o file.

./zsign -a -l "@executable_path/demo1.dylib" -l "@executable_path/demo2.dylib" demo.app/execute

9. Inject dylib(LC_LOAD_WEAK_DYLIB) into mach-o file.

./zsign -w -l "@executable_path/demo.dylib" demo.app/execute

10. Sign ipa and extract metadata (app info + icon) to a directory.

./zsign -k dev.p12 -p 123 -m dev.prov -x ./metadata -o output.ipa demo.ipa
# writes ./metadata/metadata.json and ./metadata/<hash>.png

11. Enable documents support (Files app integration).

./zsign -k dev.p12 -p 123 -m dev.prov -S -o output.ipa demo.ipa

12. Set minimum OS version.

./zsign -k dev.p12 -p 123 -m dev.prov -M 14.0 -o output.ipa demo.ipa

13. Remove all app extensions (PlugIns/Extensions).

./zsign -k dev.p12 -p 123 -m dev.prov -E -o output.ipa demo.ipa

14. Remove watch app from the bundle.

./zsign -k dev.p12 -p 123 -m dev.prov -W -o output.ipa demo.ipa

15. Remove UISupportedDevices to allow the app on any device.

./zsign -k dev.p12 -p 123 -m dev.prov -U -o output.ipa demo.ipa

Certificate Check (-C)

The -C flag checks the signing certificate of any supported file and performs an OCSP revocation check against Apple's servers. It reads the binary directly from inside IPA files without extracting to disk.

Supported file types: .ipa, .mobileprovision, .p12/.pfx, .cer/.pem, Mach-O binaries.

16. Check an IPA file (reads binary directly from zip, no extraction).

./zsign -C demo.ipa

17. Check a mobile provisioning profile.

./zsign -C dev.mobileprovision

18. Check a P12/PFX certificate file.

./zsign -C dev.p12 -p 123

19. Check a Mach-O binary directly.

./zsign -C demo.app/demo

20. Sign an IPA and verify the signed binary's certificate before archiving.

./zsign -C -k dev.p12 -p 123 -m dev.prov -o output.ipa demo.ipa

Example output:

>>> Check:      demo.ipa (IPA)
>>> Signed:     Yes
>>> Name:       Apple Distribution: Company Name (TEAMID)
>>> Type:       Apple Distribution
>>> Org:        Company Name
>>> Team:       TEAMID
>>> Serial:     XX:XX:XX:XX:XX:XX:XX:XX
>>> Issued:     2025-01-01T00:00:00Z
>>> Expires:    2026-01-01T00:00:00Z (365 days remaining)
>>> Algorithm:  RSA 2048-bit
>>> Issuer:     Apple Worldwide Developer Relations Certification Authority
>>> OCSP:       Valid (ocsp.apple.com)

How to sign quickly?

First, unzip the IPA file, then use zsign to sign the folder containing assets. During the initial signing, zsign will perform a complete signature and cache the signing information into a .zsign_cache directory in the current path. When re-signing the folder with different assets, zsign will utilize the cached data to significantly speed up the process—making signing extremely fast! Give it a try!

License

zsign is licensed under the terms of MIT License. See the LICENSE file.