Relax, this is a tutorial and if you’re a seasoned torrentor than this should be fairly quick to learn even without the explanation but for anybody else this should be the simplest guide for you regardless as everything has been compressed here itself rather than sending you to multiple sources.
Sideloading Guide
- DNS – Link / Altlink / Permalink
- Esign – Website (need adblocker)
- Certs – Zip File / AppleP12
- Repo –
https://repository.apptesters.org(copy-paste)
Before we begin:
It’s essential that one thoroughly reads the tutorial first so they understand the concept and technical aspects itself to troubleshoot or avoid problems themselves instead of blindly following it like Linus Sebastian and face issues later.
Start DNS
About: This is simply a DNS Profile with custom block filters meant to prevent Apple Servers from verifying the status of an enterprise cert with your device UDID to approve the bundle ID of an app downloaded outside of the AppStore before installation, as apps aren’t signed locally unlike a PC or Mac since iOS 13. We are reusing revoked certificates to maintain this free until their expiry period and this entire mechanism is called Bypass Revoke as we can’t prevent a certificate’s status itself from getting revoked that the anti-revoke DNS used to claim but if you’re blacklisted (integrity cannot be verified or install failure) from DNS leaks aka the status of the revoked cert already confirmed by your device UDID then head to Final Notes on how to get whitelisted first.
Step 1:
- Make sure Safari is your default browser or being used → Link / Altlink / Permalink
- Go to Settings → General → VPN, DNS, Device Management
- Install the profile and let it work.
For those coming from Android or Windows, having to manually install ‘any’ profile is the default behaviour of iOS or iPadOS unlike macOS (at least the older versions before the enshittification) for custom DNS rules to work on both Cellular and WiFi networks even if one were to just install a DNS Profile ranging from AdGuard to AhaDNS Blitz. If it were anything else, Apple would just state them at the bottom while still asking for your permission first. Running a DNS is completely fine as you need TLS Certificates to decrypt a HTTPS connection, hence it’ll only be filtering certain hosts or domains like an adblocker (included as well) for our sideloading purposes for free without needing to jailbreak.
iOS 18+
Due to a bug, the profile is downloaded as a file first in the downloads folder of your ‘Files’ app. See that the name ends with .mobileconfig by renaming it to “filename.mobileconfig” after which simply open that renamed file manually and revisit your Settings app after.
iOS 18 and onwards also introduces a new change going forward where the device is rebooted (restarts) every time any kind of profile (including a simple DNS) is loaded, use AirPlane mode in advance of reboot to prevent DNS leak and therefore blacklisting… more on that later.
Alternatively, you may also manually add these as blocklist: [Outdated List]
certs.apple.com
crl.apple.com
ocsp.apple.com
ocsp2.apple.com
ocsp.digicert.com
valid.apple.com
appattest.apple.com
app-site-association.cdn-apple.com
You can create a free CloudFlare Zero Trust account for domain blocklist filter rules with your own .mobileconfig file. Otherwise, Egern is a native iOS app that will allow to filter custom rules locally but this is compatible for AdGuard Home users as well.
Please do not disable the DNS after successfully installing an app to renable later when needing to install again only, this is the original DNS with complete blocklist that doesn’t want any shenanigans to attract DNS leaks.
Install Esign
About: Esign is a signing app that can download, unzip, package, import, sign and install iPA files to become apps in addition to accessing public repos directly.
Step 2:
- Visit the site (need adblocker) to install Esign from bottom of the page.
- If one certificate doesn’t work for you, then simply try another.
- Go to Settings → General → VPN, DNS, Device Management → Enterprise App
- Tap on the Certificate Name and there should be a Trust button.
- Now open the Esign app and under the ‘Download’ Tab in the bottom navigation bar, find the ellipses ••• on the top then ‘Settings’ to enable both ‘Auto Import’ & ‘Auto Delete’
Esign No Logs
About: I have come across quite a chatter about Esign No Logs which is a dissected version of the original iPA file that sans all telemetry in the app itself by excluding these:
qmuiteam.com
h.trace.qq.com
ios.bugly.qq.com
ios.bugly.qcloud.com
ucc.umeng.com
ulogs.umeng.com
alogus.umeng.com
utoken.umeng.com
aspect-upush.umeng.com
ulogs.umengcloud.com
aladdinsys.com
baidu.com
api.nuosike.com
Its biggest benefit is the serverless option by heading to Esign Settings → Sign Default Config → Install Address and change to ‘Local‘ but servers itself are no longer maintained making it further a very insulated app. So, if there’s anything like a newer version or a successor than its straight fake. This is the original signer that prioritises function over form enriched with lot of quirks and utility features like an app packager itself skipping the need to rely on a mac entirely for packaging .app files to .ipa especially if you’re from Windows, dylibs injection so you can mod your own decrypted iPA files along with dylibs extraction to also extract the mods from encrypted iPA files all locally, certs inspector to expand the validity if not expiry details of multiple certs at a go and certs exporter that’s not behind passwords or separate mobile provision files by using Base64 code… all for free at one place as opposed to loosely made vibecoded SwiftUI alternatives which might not even dial the UX side of things to feel pretty before exploring other features like custom image or a compressor. This what made it possible in not having to rely on a computer or cloud without ever having to exit the app just for .zip files.
Import Certs
About: Cert is simply short for certificate where we’ll use the expired ones instead of the active ones with ✅
Step 3:
- Open the link or copy the URL posted above to go here:
- Esign → Download → ••• → URL › Paste
- Alternate Source » AppleP12
- Esign → Download → ••• → URL › Paste
- A zip file should be in your ‘File’ section, there’s an inbuilt decompressor so you just need to tap and the extracted folder will appear by the same name.
- There should be a list of certificates, use the one that installed Esign for you although there’s no harm to pick a different one provided this isn’t your first time.
- Now, go to the main ‘Settings’ in the app (bottom bar) for “Sign Default Config” where you’ll enable “Install after signed” followed by “Remove mobileprovision after signing” and change “Install Address” to ‘Local’ while changing “Compress Level” to ‘Size’ before getting out.
Enabling Document Browser allows folder access for installed apps if one seeks to transfer backups later.
Load Repo
About: Repo stands for repository which should allow to act like an App Library of sort, they might look like links but the URLs do not open to a website as they’re meant to be copy-pasted originally.
Step 4:
- Open the link or manually copy
https://repository.apptesters.orgto Esign → App Source (Top Left) → + - Now see yourself being able to search and download natively.
Additional Repo Source
You don’t need to add every repo on Earth unless they serve a particular niche.
iTorrent Repo (Direct)
https://xitrix.github.io/iTorrent/AltStore.json
YTLite Repo (Direct)
https://raw.githubusercontent.com/mrdrvt99/Altstore-Repository/main/ytlite.json
Install Part
About: If you’ve been following attentively up to here then you’d notice you’re yet to install an app and that’s because unlike the AppStore itself the search function only downloads the app as you’d need to sign it first.
Step 5:
- You’d notice on the initiation of this final process is the ‘Signature’ button above the ‘Install’ one. This is what’s more important and would be used more unless you’re duplicating (more on that later) an already signed app like WhatsApp.
How to Duplicate Apps with Esign?
About: There are instances when you’d like to have duplicate apps because you want to keep the original, have the flexibility of multiple messaging accounts or want to maintain two separate use cases. Usually, I use this Shortcut called Signed Installer but Esign can allow duplicating apps too.
Steps:
- Modify the App name to your custom name (for example: YouTube Red) or add + symbol after the original app name, just make sure to change the original name used.
- Add “ .1 “ to the bundle identifier, if example bundle identifier is “com.google.ios.youtube” then change it to “com.google.ios.youtube.1”
Final Notes
There are a couple of things that you might want to remember which is just basic common sense:
- Don’t try to install any of the Esign versions without DNS (Bypass Revoke) otherwise they would be instantly blacklisted as the certs are already revoked and using the DNS later wouldn’t whitelist them.
- There can be instances when you’re still failing to initiate; simply uninstall the app, cert or even DNS involved in this process and start fresh with a different certificate.
- If you’re still failing to install Esign or being greeted with integrity could not be verified popup message for all of the certs then you’re likely blacklisted in which case you would need to backup your data first and either factory reset or local restore your device. Restoring a device from a local backup would only require encrypted messenger, password manager or banking apps to relogin for security otherwise with all the data still preserved.
- Those on older iOS versions can also try BlacklistBeGone which skips restore.
- Before updating your iOS version, first undo the steps above in reverse (uninstall the apps… delete the certs) to not blacklist the particular cert working for you and it is recommended to disable Automatic System Software Updates.
- Apple’s OS has a strange caveat (which is actually a security flaw) where they don’t fully cut off internet to existing routes when new rules are set whether via DoH or VPN, which is why they temporarily resort to unencrypted connections even if you’ve two DNS profiles with symmetrical filters – this causes DNS Leaks that leads to blacklisting as the communication between Apple’s server and device is reinstated again. So, use ‘AirPlane Mode’ like a manual kill-switch to switch between DNS or VPN (only with the same filters mentioned above) every time.
- Avoid setting the DNS to ‘Automatic’ which just randomly switches between the default leading to instant blacklisting.
- If you’re only stuck somewhere in the middle, remind yourself with the following basic questions:
- Did you finish reading?
- Did you try with another attempt?
- Did you explore everything laid out to you?
Remember: The more you read, the less you troubleshoot.
-Avieshek
Extras
If you’re still reading then you’re actually done with sideloading and good to go.
How to use VPN with Bypass Revoke?
About: VPN stands for Virtual Private Network and for this we’ll use CloudFlare Warp.
Setup:
Make sure you have visited the settings for CloudFlare Warp first to add a Gateway DoH Subdomain.
- The interface should change to Zero Trust after successfully adding a subdomain.
- Continue using VPN normally without revoke.
- Before ‘deactivating’ VPN every time, enable Airplane Mode first.
(Enable Airplane Mode → Disable VPN → Undo Airplane Mode)- Continue using internet normally without revoke.
For other VPN services, make sure they’re based on WireGuard where you can either define the Gateway Endpoint (DoH) or custom blocklist rules as Bypass Revoke under settings.
Gateway DoH Endpoint:
https://ciwelz9v7y.cloudflare-gateway.com/dns-query
There can be countries like India in addition to Russia and China with the government increasingly limiting public access to VPN applications by removing its availability from the App Store. In that case, you don’t really need an app and can simply build a WireGuard Profile yourself online where you’d at least need to fill in the optional fields with your own. As shown above, you can directly enter the DoH (Gateway Endpoint) field that carries the same blocklist rules as Bypass Revoke (DNS Section) while the remaining blank fields are actually prefilled by your browser itself.
Injecting dylibs with Esign
About: Dylibs stand short for Dynamic Libraries and this is what allows to run tweaks or fixes.
Setup:
- Before injecting with anything, the first thing you’d want to do is visit:
Esign Settings → Sign Default Config → Library Injection Settings - Change ‘inject folder‘ from / to Frameworks/
Now, if you have the AppTester Repo loaded for example then you can directly search for a dylib or just filter them by category.
Se2cridFilePickerFix dylib for example would finally fix folder access for sideloaded apps with the files app after injection like for Emulators or Lightroom. To inject, simply head back to Step 5 or hit ‘More Settings‘ before tapping ‘Signature‘ above when installing a new app.
BlacklistBeGone
Another method to lift blacklisting (and graylisting) but without going through the hassle of a data restore process via python script: https://github.com/jailbreakdotparty/BlacklistBeGone
Requires a PC/Mac and if this is your first time, it’s recommend to backup just in case. Otherwise, the instructions are simple but you need to follow a couple more steps beforehand in order for them to work which is why am running a quick summary where you’ll still be reading through their instructions.
Steps:
My personal rundown is based on macOS but it can be similarly followed through Windows to Linux systems as well.
- Install a python environment on your computer: https://www.python.org/downloads/
(Make sure to not skip reading after the end of installation for additional instructions.) - Follow the installation instructions for pymobiledevice3: https://github.com/doronz88/pymobiledevice3
(Simply copy the install command to Terminal) - Connect your iDevice to your Mac with the USB cable and disable WiFi Sync and Auto Sync but feel free to make a backup which can always be deleted later to free up space.
- Download and extract the ZIP file for BlacklistBeGone and ensure that the screen stays unlocked while the device is connected, then run “unblacklist.py” file in the folder manually with ‘Python Launcher.app’ instead of the default IDLE.app to go through the steps as instructed in their GitHub page.
- Restart the iDevice when done by pressing and releasing the volume up button then quickly doing the same with volume down button and then holding the side or power button until the logo appears.
- Now, on your iDevice simply skip through everything without selecting any of the options of restoring your backup by selecting “Don’t Transfer Apps and Data” (can’t take screenshot in this mode but likely the last option) then move on to login and directly land on the homescreen.
You’re done ✓
However, it mentions to not necessarily support on iOS 18+ but it does work wonderfully on iOS 16 for example even if not exclusively mentioned. So, try it out regardless because it doesn’t require to remove existing apps while you’re still logged in 👍🏻
Avieshek's Blog
Hi Avieshek, I’ve tried using the Sunshine cert but I’m greeted with a message that the app couldn’t be installed due to validity.
LikeLike
Please, read the final notes and check the link mentioned which is provided with multiple certs and not just Sunshine.
LikeLiked by 1 person
Hello, I’ve never done something like this before but this was easy to follow so thank you. I’m having some trouble with the link from Step 4 for the app source and it might’ve been taken down, is there any solution for this? Thanks.
LikeLike
Already said manually copy-paste to where.
LikeLike
Hello,
Just wanted to tell you that your method works! However, it blocks my Yahoo email app from working and it blocks me from accessing anything Yahoo online and tells me the address is invalid. I have done everything correctly. Could you help me figure this out?
Thank you!
LikeLike
There are some malware-spyware to adware (AdGuard) DNS filters applied for security & adblocking, you should probably switch to Gmail or iCloud in this age but it’s whitelisted now regardless.
LikeLike
Does using khoindns mean I won’t ever be able to receive OTA updates on my phone?
LikeLike
It’s updated now, that was in the past but you can receive OTA updates.
LikeLike
Should I install the Esign No Logs version?
LikeLike
Definitely!
LikeLike
Possible to get notifications from sideloaded apps?
LikeLike
Yes.
LikeLike
Followed the guide here as a tech-illiterate person and everything works great. One thing though, some ads are still getting through like with popups or those that open into a new tab; what can I do about this?
LikeLike
→ How to filter ads & block popups on iPhone and in macOS?
LikeLike
DNS & certs links are broken :(
LikeLike
Was just being updated with more certs, it’s 20 from 15 earlier.
LikeLike
Thank you!
LikeLiked by 1 person
Everything worked for a day and then suddenly everything stopped. When I tap an app, it opens and goes off immediately. Even the Esign app also not opening. I am using Wifi only iPad Air.
LikeLike
Make sure you’ve read the tutorial above thoroughly because as long as you don’t interfere with DNS there should be no issues. I have had 500+ comments per month on my reddit post and all sudden surprises till date stem from the same self-inflicted user sided fault despite the references made in advance.
LikeLike
Hey, sorry if this is a stupid question but what happens if I update my iOS to the newer version, would it mess with the whole thing or no?
LikeLike
There’s a high possibility it might especially if you’re updating through iTunes. To be safe, you can undo the step in reverse before hitting the update button but disable auto-updates.
LikeLike
Hello, I was just curious if I need to do anything in case I have to restart my phone. Should I also put the phone on airplane mode if I decide to use only one of the filters like turning off the Adblock filter since it messes with the internet speed?
LikeLike
Reboot occurs when you’re doing a software update as opposed to a restart. As for your other question, probably safe than sorry to use Airplane Mode when switching to one filter.
LikeLike
Thank you for your answer. Just to clarify, I have to redo the process after a reboot from an update, right??
LikeLike
Undo then Redo, turn-off automatic OTA system updates to do them manually.
LikeLike
Hello, when sideloading Spotify and YouTube, tapping on the dynamic island or the song/video in the Lock Screen isn’t taking me into the app. Installing the exact same ipa files with SideStore doesn’t do this and the apps function normally. Is this a bug or some limitation with ESign?
LikeLike
Esign is just a signer aka install apps by signing them and not modify its properties.
LikeLike
Sorry, if this has already been answered but I’m a bit confused whether I need to keep the DNS profile active all the time as I downloaded a DNS profile from Khomod… Can you clarify this for me?
LikeLike
I don’t see Khomod being recommended anywhere here, please ensure that you read the guide you’re participating in thoroughly first which is properly sourced with respective GitHub repo sources as well before sending in any unrelated queries. I have already explained (in detail) whether DNS filters needs to be active or not but if you’re still lazy to read this laboriously authored tutorial then use ChatGPT to answer your confusion …although the simple answer is yes.
LikeLike
How to add an iPA file that’s not through the repo sources like from direct links?
LikeLike
Download → ••• → URL
LikeLike
Works like a charm but I have one doubt: Once everything is done, do we remove the profile or let stay active?
LikeLike
As said above already, removing the filters means reestablishing the communication to verify the true status of the certs which is revoked and hence your device would be blacklisted.
LikeLike
Hey Avieshek,
Thank you for your tutorial and everything, I would’ve been completely lost without you but I have a problem; when I try to duplicate an app by changing the name and try to install, it says it has the same packet or something like that. I tried with TikTok, YouTube and Twitch where all 3 came with the same message.
LikeLike
Renaming the app name itself isn’t enough but one has to edit their bundle ID as well (.1) as mentioned in the respective section.
LikeLike
Does this guide get your iCloud account blocked or affected?
LikeLike
Nope.
LikeLike
Hi, I’ve been using Esign for the past few months but now suddenly all the certs stopped working and it says: “App cannot be installed because its integrity cannot be verified”. I’m not 100% sure if I’m blacklisted because today in the morning the Sunshine 1 cert worked. But when i downloaded apps it said the internet connection is required to verify app error. I also resetted my device once but it didn’t whitelist me. Idk if it has something to do with me keeping the khoindvn files backed up… I want to keep one DNS for a long time and I never get blacklisted again. 🙏
LikeLike
Even if the certs are revoked, they’ve a expiry period of ~2yrs like for the Sunshine Group. Simply, visit the website and grab a different one like Sunshine 2.
LikeLike
Thank you very much. This is the only working solution I found online.
LikeLiked by 1 person
Whalecum~
LikeLike
There is really no other solution than resetting the device to be able to continue?
LikeLike
Restore~
LikeLike
Thank you so much.
It works well when I follow your instructions step by step. But today I found all the apps signed by Esign cannot be opened, when I checked the system settings it showed that the apps aren’t verified. I am sure that my certificate hasn’t expired, but it was blacklisted by Apple… Since, Bypass Revoke is carried by DNS, why did it happen?
More importantly, is there any solution to my blacklisted status?
Thanks.
LikeLike
If the DNS active status carrying the Bypass Revoke is interrupted whether from a software update or 0% dead battery or from user intervention itself, then that momentary chance is enough to update from Apple Servers with actual revoked status of the cert if it itself hasn’t expired. As for lifting oneself from blacklisting; restoring from a physical backup is the quickest method, a factory reset from iCloud is the slowest method or recovering from any type of backup should get you whitelisted.
LikeLike
Hey, when I try to install the DNS, it downloads as a file and when I go to Settings there’s nothing where Safari is my default browser.
LikeLike
You’re likely on some beta release of iOS 18 where it downloads as a file, in which case it obviously wouldn’t show up on your Settings app first, find where is it (likely in the downloads folder of your ‘Files’ app) and see that the name ends with .mobileconfig (if not then rename, ex: khoindns.mobileconfig) after which you simply need to tap to open.
LikeLike
Does it work on iOS 18?
LikeLike
Any version post iOS 13 (as mentioned above) is supported which includes iOS 18 as well.
LikeLike
Hey, sorry to bother you, I’ve used it before but now I have this issue where once I enter the link I get return data error whether I use the normal or the fwuf link, could you help me or give me advice on where I could’ve gone wrong?
LikeLike
Which section exactly? I’ll take a check once you’ve answered but so far I haven’t heard anything similar.
LikeLike
How long does it take to unblacklist oneself and get Esign again?
LikeLike
Restoring your device from a Mac/PC backup can take ~20mins with the USB cable as opposed to Factory Reset with iCloud backup since you’ve to only account for the rebooting time mostly.
LikeLike
Where can I get CloudFlare Warp iPA?
LikeLike
CloudFlare Warp is a Wireguard based VPN service that’s already free to require a separate iPA file, download link is already mentioned or you can directly install from the AppStore.
LikeLike
If an imported iPA file needed extra entitlements to be signed for it to function, would Esign be able to help with that? I see the ability to select entitlements but unsure if that’s correct or where to go from there, thanks.
LikeLike
Could you expand more with app name to what you’re exactly trying to do?
LikeLike
I had NextDNS for Bypass Revoke but this thing is limited to 300k queries per month. So, when I reached the monthly limit, I got blacklisted after which I backed up my iPhone via iTunes (Windows PC) to restore successfully but why am I still blacklisted?
LikeLike
Using the same NextDNS that led you to blacklisting at first place is the issue for the repeat blacklisting, there’s a readymade solution linked based on CloudFlare which comes without any monthly limit for anyone to use.
LikeLike
I use NextDNS, what should I do next please? Thanks.
LikeLike
There’s a readymade DNS setup in the Guide to help you achieve bypass revoke and avoid blacklisting that comes from exhausting monthly query limit with NextDNS. Make sure you read the notes mentioned later in the guide where you disable automatic software updates or use Airplane Mode in iOS 18 and later.
LikeLike
What should I use inside NextDNS, please?
LikeLike
Denylist = Blocklist (Filter)
LikeLike
I downloaded all the certificates, but I can’t verify app integrity.
LikeLike
That’s what blacklisting is as we are reusing already revoked certificates until their validity actually expires. Avoid carrying multiple mirror solutions or running VPN without the same filters and the like. Try to understand what’s expanded on the Guide so you get the concept behind but for now you’d have to restore, reset or recover your device to exit blacklisting.
LikeLike
Hi, thank you for sharing all your knowledge and wisdom. After successfully installing the DNS profile I got the “this app cannot be installed because its integrity could not be verified” error during download, what should I do? (iPad Air 4th Gen & iPadOS 15.3.1)
LikeLike
Point no. 4 of Final Notes: Restore, Reset or Recover your device from a backup, there’s also BlacklistBeGone mentioned with steps.
LikeLiked by 1 person
Thanks for your effort bro❤️
LikeLiked by 1 person
Feel like I’m too dumb, going into settings from Step 1 gives me no option to install anything including the DNS profile itself with iPhone 16 Pro Max here… Is this because I have developer mode and AltStore on the same device?
LikeLike
This section is what you might’ve needed to read for someone on iOS 18 and later.
LikeLike
Hi, I would like to learn whether there are safety problems and whether it can be used for a long time?
LikeLike
Bypass Revoke is basically DNS filter with block list to have any kind of concern and the Guide expands on it further as well enabling users keen to do it themselves as per their own technical level. The validity of public certs are usually 1-2yrs which seems long in my dictionary even if they get revoked in a week or month, the basis of this method is to use the revoked certs until the very end of their validity like an European.
LikeLike
After I download an app and press on Signature, it says: “No certificate available – Please import the p12 certificate and mobileprovision file first”
LikeLike
Please follow the steps serially and don’t waste my time.
LikeLike
A weird thing is happening, I used this method before but messed up and accidentally blacklisted myself from one of the certs. Now, I’m able to install the Esign with another cert but I am unable to install any apps using the same cert even though Esign works just fine.
LikeLike
Try installing another app or a different version which seems to address in the past. Just in case an existing cache is the culprit, try cleaning everything and start fresh but this indeed is weird.
LikeLike
Above all, thanks for everything you have done for us!!! I am more curious about how to get a new cert myself to sign Esign based on it; like you mentioned, “The validity of public certs are usually 1-2yrs” and I want to sideload for several years.
LikeLike
Not usually possible as the validity of a private cert is tied with the yearly renewal of your developer account. Even with third-party lifetime certificates (only in name like the term unlimited among US carriers), you will receive emails to fill the renewal form every year when the developer account is going to be renewed. Your certificate will stop working if you fail to fill the renewal form in a provided timeframe where you’ll need to buy again. You can toggle ‘Supports Document Browser” to access the contents of your sideloaded app in a folder of your Files app to clone later but you can pay for an Apple Developer account.
LikeLike
I’m getting error when installing Fortnite: “This app cannot be installed because its integrity could not be verified”
LikeLike
Whatever certificate you’re on is blacklisted for you, so use some common sense to cycle through another.
LikeLike
I noticed in a previous comment you used the terminology restart and reboot (which occurs when you have a software update) differently. I power off and power on my phone each night. I turned on airplane mode before restarting and turned it back off shortly after. As soon as I turned it off the apps were revoked. Is there a way around this?
LikeLike
This isn’t something I expected to find in this age but that practice may lead to the battery ballooning in elongated ownership. Airplane Mode was an original suggestion for iOS 18+ users as the entire system restarts whenever installing anything that’s not from the AppStore or those wanting to switch between DNS & VPN carrying the same filters.
Locally backup to a computer (iTunes if on Windows) using the physical cable to restore your device with all data intact. This allows to restore your device without relying on iCloud so it’s quick (or you may use iCloud that may take much longer to restore from) and you’re lifted from the blacklisted status for the revoked certificate after trying out others.
LikeLike
This works with NextDNS?
LikeLike
Yes, of course but it will have a monthly rate limit of 300K queries leading to blacklisting unless you’re using something else like AdGuard Home or others.
LikeLike
Hey so I used a VPN & turned it off & tried going into esign & all apps affiliated with esign & all of them would crash. So naturally I deleted all apps & esign & I tried downloading the certificates & none of them would work but one. It finally worked but I couldn’t open it as it crashed again. So I deleted it & tried it again & now all the certificates don’t work. Is the only solution to factory reset my device?
LikeLike
Your VPN needs to carry the same filters as for Bypass Revoke otherwise you’re only encrypting the network and not using any of the blocklist for filter, thereby exposing you to get blacklisted. As mentioned, in addition to reseting your device directly, one can restore their device from iTunes/Mac after making a local backup using the physical cable where you turn off auto-sync beforehand.
LikeLike
in step 2 when i go to setting i dont find the enterprise app in the vpn and device managment i tried all of the esign there is. What should i do?
LikeLike
You need to read the whole guide, if you attempt to install any of the apps on revoked certificated without bypass revoke then one gets instantly blacklisted; this is also true if one were coming from other sideloading methods. You’ll first need to get rid of blacklisting status in order to use the revoked certificates again where option 1 is to backup to a PC or Mac first and then restore… option 2 is to backup on iCloud before factory reseting your device.
LikeLike
In step 2, after I downloaded esign from bottom of the page, it says “无法安装此app,因为无法验证其完整性” (google tranlate: This app cannot be installed because its integrity/completeness cannot be verified)or “try again later”. What should I do? thanks!
LikeLike
That means your device is blacklisted with the revoked certificate that showed this message. Make sure DNS is active and try another cert, otherwise will need to format/factory reset your device and restore from iTunes/Finder/iCloud as mentioned above.
LikeLike
I got signed apps working with the DNS option. But now when I try the Cloudflare method – when I click on VPN it just switches back and forth rapidly like a freshly caught fish.
Am I supposed to change DNS back to automatic in iPhone settings first, in order for VPN to work?
I’m afraid to change the DNS in case Apple blacklists me immediately after.
LikeLike
DNS shouldn’t be changed to automatic but if you’re using CloudFlare Warp instead of a Wireguard profile then perhaps there might be changes to the app or restrictions in your region like for India: https://techcrunch.com/2025/01/02/cloudflares-vpn-app-among-half-dozen-pulled-from-indian-app-stores/
LikeLike
Thanks, it worked very well.
It seem the link in Step 4 (Sources) isn’t working anymore…
LikeLike
You’re supposed to copy-paste the repo URL in Esign as shown in the Guide.
LikeLike
The cert I used to install ESign from your list and imported to ESign to sign and install apps is the Vietnam one. Yet, I just noticed in the ESign app this cert is still good and not revoked until the 12th? Since I have the DNS installed will ESign and the apps signed with it still be good after it is revoked?
LikeLike
The cert will expire when the validity date nears, switch to another one before hand. If you had ‘Document Browser’ toggled before hitting signature and installing the app, then you can simply copy or move the folder to the new one.
LikeLike
Hi, thanks for the guide and it works but let’s say i want to buy certificate from AppTesters, do I need to download a different version of Esign or do I just put the cert they give me?
LikeLike
Just put the cert and the repo mentioned here.
LikeLike
Hello bro,
I’m just asking if I can use a different VPN as this 1.1.1.1 isn’t working which switches between on and off very quickly and can’t connect or it connects but when I check my IP it still is the same as the old one therefore unable to access websites banned on my old IP.
Thanks in advance.
LikeLike
If you’re trying to sideload a VPN or from a country that has been banning the access to VPNs like India recently in addition to Russia and China then having the app itself isn’t going to bypass deny of access, CloudFlare Warp doesn’t actually mask your IP or reroutes your geo location but only encrypt your connection. You can use other VPNs which are wireguard based if it allows you to set your own blocklist mentioned in the first step under DNS section or build your own WireGuard Profile skipping the need to install an app itself entirely for VPN access also already mentioned under Extras.
LikeLike
Thanks for last reply, I changed cert to revoked one and all was working good past couple days. However, just now my phone died and after powering back ON, all apps say “(App name) No Longer Available” when launching. Is this related to where you mention iOS 18+ and “AirPlane mode to prevent DNS leaks and therefore blacklisting in advance of reboot… more on that later.”?
I did this when setting up but can DNS leak happen any time my phone restarts? Interested in your thoughts and possible assist on this please.
LikeLike
Please, continue from last reply in order to maintain one discussion thread. If “can’t verify app integrity” kind of messages pop up, it means the device is now blacklisted on that particular cert. When your iPhone restarts, it doesn’t reenable DNS filters until you unlock the device with passcode by which time it already connects to the internet for FindMy causing DNS leak… which leads to blacklisting.
On iOS 18, the entire device restarts just to install a simple DNS profile likely to deter users from sideloading or jailbreaking in general as a new behaviour and that’s why Airplane Mode is suggested in such cases like for switching between DNS and VPN as well. However, same can’t be confirmed if your device is powering off itself due to low battery or whether it only works on WiFi and not Mobile Data as I was able to power on from a dead battery without blacklisting although it was immediately done where only WiFi was active, at the same time restarting the device manually didn’t provide the same result but both WiFi and Cellular was active. This is something new and very unpredictable but my guess is newer iOS devices doesn’t actually turn off completely and hence why this behaviour is not universal.
Backup Guide
Restore Guide
LikeLike
Thanks for the detailed response.
I agree it is a bit sporadic as my phone has died before and the DNS did not leak.
I will put my devise on a static IP on the home network so I can block it if it dies again without shutting down my whole network and try doing this along with removing the SIM card before booting up next time to see if I can avoid another leak.
Like you said though if the phone is dead for a prolonged period of time it’s possible it could leak when it’s in that dead state as it still has network access for Find My.
Curious what the result will be, I will reply back when it inevitably happens again.
LikeLike
Hi there, when creating a separate DNS, is there anything we have to do other than blocking the domains shown in Step 1?
LikeLike
That’s it.
LikeLike
Hello, about 2 weeks ago I followed the tutorial and it’s working like a charm. However, today when I opened any sideloaded app, it crashed. I went to check my certificate in settings, it showed a popup for verification which I googled it myself and found that I have possibly been blacklisted (although, I didn’t touch my DNS or VPN nor my battery died once). I would like to know all of the posible reasons I got blacklisted, is there a way to unblacklist beside factory reset (I’ve done it once but it very took ages to install, login everything again and I do not wish to do it again). My final question is that after I whitelist myself, is there any way to prevent this happening again?
Thanks.
LikeLike
Anything that can interrupt the Bypass Revoke filters as mentioned will lead to blacklisting like automatic software updates for example which causes a reboot. It wouldn’t matter if your battery died or not as this is just one of the scenarios mentioned the device powers off or restarts which can be done manually as well. One would notice that biometrics doesn’t work to unlock a device immediately after a restart and requires a passcode which means that things like DNS or VPN also doesn’t get to be active until then as this is on an OS level implementation and not at kernel level but if your device still connects to the internet without it then there’s a DNS leak resulting with blacklisting. However, this only impacts the certificate you were using at the time and you should be able to switch with a different one.
Basically, the reasons for blacklisting are DNS leak and Device Restart whether it comes from switching to disabling of DNS or dead battery to software update device restarts. If you do a restore instead of reset as mentioned under ‘Final Notes’ then it takes maybe 30mins where only password manager, encrypted messenger or banking apps need a relogin although with all information stored – this is something we prefer to do in order to test out certificates repeatedly.
LikeLike
I suspect, the DNS patching prevents ChatGPT from working that returns with suspicious activity detected on device message.
LikeLike
I presume, you’re using a custom solution because the readymade version has ChatGPT whitelisted in which case you need to allow the following domain URL:
register.appattest.apple.comChatGPT requests started to pass through Apple servers since the integration with Apple Intelligence, just keep the allow list above the block list rules.
LikeLike
I am using Avex Digital Inc. Esign but why none of my certs are working?
LikeLike
Did you actually read? Until you approve the certificate, you won’t be able to sign other apps with the said certificate and is why you’re still able to install Esign.
LikeLike
Hey, how can I install an iPA file direct from my dowloaded folder? Thank you!
LikeLike
File → ••• → Import
LikeLike
When I try to install Esign It tells me that the integrity couldn’t be verified
LikeLike
That’s what blacklisting means, read the final notes to either reset with iCloud or restore with iTunes/Finder – links are included.
LikeLike
I was able to follow and get Spotify working with no problems. The only issue I have is that I can’t access betting apps like FanDuel but when I remove the DNS profile the app is accessible again, what am I missing?
LikeLike
CloudFlare Security Filters (Adware, Badware, Malware etc) are active on the scene, you may try disabling ‘Adware ✓’ filters when all internet connections are ceased with Airplane mode or learn about DNS leaks under Final Notes before making the change.
LikeLike
Disabling the filter worked thanks for the fast reply!
I also tried connecting to a VPN and got blacklisted but was able to get the apps working again after a restore; where did I go wrong? Thanks.
LikeLike
VPN uses their own DNS connection which is why one has to either manually mirror the same Block/Deny List Rules in Bypass Revoke or change the Gateway DoH Endpoint as mentioned in the VPN section before using one.
LikeLike
Hey, great guide! Followed all the steps and it went past the verify integrity check smoothly. I just don’t know if the next part is anywhere related to the given tutorial but I could really use some insight here: After I opened a sideloaded game from an external source, it says needing to connect my Apple account with a login popup. Wasn’t the bypass supposed to block it or is it unrelated?
LikeLike
Entirely unrelated, you need to lookup the definition of sideloading here as am not sure what’s the confusion about if the elaborate expansion in the guide above wasn’t obvious enough to confuse the role of bypass revoke mechanism which is to sideloading only.
LikeLike
Hey, thanks for this! I can get right to the end but it says, “The certificate has been revoked, it may not be installed after signing!!!” – Do you know what’s happening?
LikeLike
If you’re talking about the red text during the live preview of the signing process on Esign then you should be already aware that we indeed are using revoked certificates at first place for sideloading to be free on iOS and hence the ‘bypass revoke’ method if the name itself wasn’t obvious enough from the beginning which shouldn’t matter when you should be focusing at the end result. Just spend some time alone from reading to familiarising first instead of immediately jumping to seeking attention at each instance before finishing the task at hand where I only respond to queries that hasn’t been raised before.
LikeLike
Thanks for the quick reply! That explanation for the red text makes sense, but I am still having the issue with some apps downloading fine but not opening which makes me wonder if it’s an issue with the apps themselves. Here are few I’ve encountered:
Worked: Elevate, Wallpapers, FlipClock, Hill Climb, EeveeSpotify
Didn’t: Widgetsmith, HiWidget, Fonts
LikeLike
When blacklisted, one wouldn’t be able to do anything actually. The iPA files shared for sideloading are tweaked by a developer before availing them for user install since they need to be decrypted first from the AppStore. So, obviously this is some compatibility to optimisation issue from the app itself on your device.
LikeLike
Could this be done in tvOS somehow?
LikeLike
Sorry, I don’t have Apple TV and just use Sonarr-Radarr-Lidarr-Readarr… with Prowlarr via qBittorrent directly on a Mac where IINA is a recommended player.
LikeLike
Hey, I’ve been trying to reread the post to see if I did something wrong but I think I followed everything correctly. After a few days of everything working perfect my apps were revoked, it’s telling me to verify apps but I click on verify and nothing happens. Is there a way to fix this without having to redo the whole process? Thanks in advance 🙏🏽
LikeLike
You might’ve followed through everything initially but it seems like you blacklisted yourself later by disrupting the DNS active status which can be from a range of things like playing with the DNS settings itself to using a VPN that has its own DNS rules or restarting the device whether from a software update or dead battery. Either try a different certificate or read the ‘Final Notes’ section to whitelist oneself with the existing ones.
LikeLike
Hey! This is such a great guide. It has really helped me a lot. Here goes my question: Is it still necessary to erase everything sideloading-related before updating to a new iOS version? Isn’t there any other way? Thanks in advance man.
LikeLike
Not the DNS but remaining else since the sideloaded apps rely on a cert unlike Android, the apps associated get automatically removed when the cert itself is also removed. The removal of certs is to prevent blacklisting as the implementation of DNS rules is only at the OS level and not kernel level to still remain active during reboot especially when you’re rewriting the software with an update actively. There is although technically a very advanced if not a complex way without jailbreaking to answer your question and that involves being adept to manually write your own Egern Script which is equivalent to editing your firewall rules on a desktop PC or Mac. Otherwise, you can toggle ‘Document Browser’ before signing apps to save their internal folder separately and move them later.
LikeLike
Amazing tutorial, @avieshek – Thanks for putting it together. Two quick questions:
1. If I understand correct then restarting my device with Airplane Mode will mitigate the risk of blacklisting but in case it gets blacklisted, what are the steps to resign the apps with another certificate?
2. Is there any privacy concern? I am using a company phone so I want to be on the safe side.
Thank you very much.
LikeLike
Appreciate the words of encouragement, answering your two queries:
1. While Airplane Mode helps against DNS leaks during DNS switching, it’s also not a full proof solution to the weird unpredictability of iOS itself where your device can still get blacklisted if you ‘manually’ shutdown or update your device. However, one doesn’t actually need to do anything if there’s another certificate at your disposal but links are mentioned in the ‘Final Notes’ section to either Reset or Restore after making a backup which is to whitelist an existing cert. You’ll need to remove any installed certs before restoring from a backup as you’re trying to whitelist the cert than your device actualy.
2. This basically just blocks certain domain and is a simple DNS filter unlike VPN or TOR with adblockers as an added perk. You can opt for the backup link in Step 1 which sans the adblockers for Bypass Revoke filters only in case there are issues on enterprise network.
LikeLike
Since, all my certificates are revoked and CloudFlare Warp is banned in India, what are my options?
LikeLike
Take a deep breath and read what’s already written and provided, backup and restore is your only option for whitelisting …the links to which is already explained under ‘Final Notes’ but CloudFlare Warp is a VPN solution.
VPN is not needed for achieving sideloading itself but it is the only free solution while being compatible for the said purposes to avoid blacklisting. Indian Government has only banned the availability of the mobile app on the respective App Stores so CloudFlare services are still up and building a WireGuard Profile is possible when provided with a Gateway DoH Endpoint which you can find above.
LikeLike
Thanks for this amazing tutorial. I was wondering if I could not use the Bypass Revoke DNS and switch back to my AdGuard DNS when not using my sideloaded apps. Thanks again
LikeLike
Instant blacklist but this AdGuard guide should be worth your read: https://avieshek.wordpress.com/2024/07/07/how-to-filter-ads-and-block-popups-on-iphone-and-macos/
LikeLike
Hello, since of yesterday Spotify stopped working for me. First I was able to open the app and songs were unplayable even podcasts, tried deleting and reinstalling a new version. Same issue. I tried switching accounts and now the app crashes immediately as soon as I open it since switching accounts.
LikeLike
Has nothing to do with Spotify, simply blacklisted on that particular cert.
LikeLike
Amazing tutorial bro :)
LikeLiked by 1 person
What can I do if app is not opening with integrity could not be verified message?
LikeLike
Finish reading.
LikeLike
Amazing tutorial, I was able to follow completely and now have some apps installed from the repos you provided. But the problem is when I try to sign an IPA file I upload (even when using the dylib fixes mentioned), the app crashes on launch. Any ideas in how to fix?
LikeLike
Not sure what the situation on your side is, the sideloadbypass dylib for example is for apps that has been decrypted to iPA files for sideloading. Maybe, the version is incompatible (iOS version, iPad version…) or it’s been decrypted with TrollStore or is restricted to Jailbreak and the list goes on; pretty sure it has to do something with the iPA file itself. Try other certs in case there’s some glitch.
LikeLike
I don’t want to use Airplane mode whenever restarting my device or disconnecting from Bypass Revoke DNS, would it be rather possible to simply turn-off Mobile Data or WiFi connection since the point is to make sure there is no internet connection like Airplane Mode, right? Give me an insight if I am wrong please.
LikeLike
You can manually cut off internet by individually deactivating cellular or WiFi as the point is indeed the same with Airplane mode.
LikeLike
Hi, I get the unable to verify app message after installing the cert for a week or so but my phone never dies or restarts and updates are off; what to do where couple of my friends have the same problem
LikeLike
That’s some new graylisting (different from blacklisiting) where apps get restricted instead of the cert which is very recent and started appearing after the recent 8th May (2025) Epic vs Apple verdict where the later lost. Investigating the new filters internally but until then you can go through BlacklistBeGone section in the Guide if you’ve a computer for easier removal of the issue status or go through the usual blacklisting removal process.
LikeLiked by 1 person
Answers will be very much appreciated, thank you.
LikeLike
LikeLike
Sorry I didn’t know how that worked for typing. I got everything done. I’m to the point where I unzip the files and choose a certificate, I chose the only one that worked for me to download it and it says it’s not in the correct format. What do I do?
LikeLike
Common sense would tell you:
.esigncert → Esign
.ksigncert → Ksign
This is something you don’t need a tutorial if you’re literate enough to type a grammatically sound message.
LikeLike
Hi, I found your guide so clear and easy to follow!! However, after being able to install the app that i wanted and it working perfectly for like 2/3 days it stopped working and when i tried to open it or to open esign it showed this message: Unable to verify the app. To verify the reliability of the developer “iPhone Distribution:GAC TOYOTA MOTOR CO.,LTD”, an internet connection is required.The app will not be available until the verification process is completed. So both apps now don’t work. What can i do? (i’m sorry english is not my first language)
LikeLike
It’s still in testing but you may try out this DNS ‘after’ going through the procedure to clearing a blacklist status allowing to use the very same certificate when done.
LikeLike
Hi, the new DNS seems to be working fine. I am using it for 14 days, can you please include Adblock filters as well? Thanks.
LikeLike
The latest DNS already has Adblock filters integrated along with additional filters like for running cracked Adobe desktop apps. Adblock filters can’t stop YouTube or Spotify ads on iOS apps and that’s why we are sideloading here.
LikeLike
Hi, can you make a more detailed guide for BlacklistBeGone? Their is no zip file on their GitHub page and no mention of restarting device; I find your methods easier.
LikeLike
Reboot = Restart
How to BlacklistBeGone:
My personal experience is based on macOS but it can be similarly followed through Windows to Linux as well.
• Install a python environment on your computer:
https://www.python.org/downloads/
(Make sure to not skip reading after the end of installation for additional instructions.)
• Follow the installation instructions for pymobiledevice3:
https://github.com/doronz88/pymobiledevice3
(Simply copy the install command to Terminal)
• Connect your iDevice to your Mac with the USB cable and disable WiFi Sync and Auto Sync but feel free to make a backup.
• Download and extract the ZIP file for BlacklistBeGone and ensure that the screen stays unlocked while the device is connected, then run “unblacklist.py” file in the folder with ‘Python Launcher.app’ instead of the default IDLE.app to go through the steps as instructed in their GitHub page.
• Restart the iDevice when done by pressing and releasing the volume up button then quickly doing the same with volume down button and then holding the side or power button until the logo appears.
• Now, on your iDevice simply skip through everything without selecting any of the options of restoring your data by selecting, “Don’t Transfer Apps and Data” (can’t take screenshot in this mode but likely the last option) then move on to login and directly land on the homescreen.
You’re done ✓
However, you can continue to use the device without a restart like for iOS 16 as example but when you indeed do, it’ll show the same options in the last step so unless you’re habituated better go through it at the very instant so not to be confused later. I have embedded the direct download link above but it’s under the green button on GitHub (code) which wouldn’t say download literally.
LikeLike
Hey sorry to bother you, your tutorial is perfect but I’m scared of one thing: When you mention blacklisted, is it only with the cert and sideloaded apps or it’s my entire phone? (Like, can I still use my phone like normal?)
LikeLike
It’s only the revoked certs, you can still use your device as normal and it has nothing to do with it.
LikeLiked by 2 people
Hey, just wanted to comment and inform you how amazing you are!!!! By far the easiest tutorial I’ve dealt with so far!! I’ve always hated the SideStore limit with Apple ID, I was searching for other options and somehow someone shared this link, everything worked so smoothly! Thanks again for taking the time to do all this, keep doing what you are doing! Great work!
LikeLiked by 1 person
Hey man, love your tutorials but may I ask is there anyway to whitelist without factory reset as I always get blacklisted. I’m using iOS 18 and thanks in advance.
LikeLike
There’s already a proper guide for BlacklistBeGone above or you could restore from a local backup without ever relying on iCloud.
LikeLike