This project is a free and simple builder server for SignTools. It is the self-hosted alternative of SignTools-CI - instead of using a Continuous Integration (CI) provider, you turn one of your own Macs into a builder used to pull, sign, and upload any iOS apps to your SignTools service.

You only need to configure one builder. If you already configured a CI provider as your builder, you don't need to do anything here. This project is aimed at people who want to have a self-hosted builder.

This server requires the use of an authentication key so that only the web service can control your builder. However, there is no built-in support for HTTPS or any other form of encryption. Therefore:

⚠️ Anybody with access to the builder's network can potentially manipulate the builder to execute any code that they want on your machine.

To prevent this, only deploy this server in a trusted environment, or even better, wrap the server in HTTPS yourself using a reverse proxy like nginx.

While this server is not expected to interfere with the normal operation of your system, it does perform a substantial amount of work to get your apps signed, including making changes to the keychain.

⚠️ It is highly recommended that you dedicate this Mac exclusively as a builder. Using it for other purposes, especially at the same time as a sign job is running, could lead to undefined issues.

All the steps should be performed on your builder Mac.

1. Install the following dependencies:
   • fastlane
   • curl
   • node
   • python3
2. Download the correct binary release
3. Make the binary executable by running: chmod +x SignTools-Builder. Replace the name with the file that you just downloaded
4. Download the archive of SignTools-CI and extract it in the same folder as the binary from the previous step. These will be your signing files. The whole step can be accomplished with the following commands:

   curl -sL https://github.com/SignTools/SignTools-CI/archive/master.zip -o master.zip
   unzip master.zip
   rm master.zip

⚠️ Remember to update the signing files from above every time that you update the signing service. Otherwise you may experience random issues.

You need to make up an authentication key. It has to be at least 8 characters long. Note it down - you will need to put it in your SignTools service's configuration file later on.

To start the server, use the auth key and signing files from before and pass them as arguments:

./SignTools-Builder -key "SOME_SECRET_KEY" -files "SignTools-CI-master"

The first time you run the server, you will have to allow the unrecognized binary to run on your machine. After that it will run with no interruptions.

For reference, these all of the arguments that will be used:

  -files string
    	Path to directory whose files will be included in each sign job. Should at least contain a signer script 'sign.py'
  -host string
    	Listen host, empty for all
  -key string
    	Auth key the web service must use to talk to this server
  -port uint
    	Listen port (default 8090)
  -timeout uint
    	Job timeout in minutes (default 15)

You can always print them by running with -help.