The "app is not properly signed" error in SideStore looks like a broken download, but it is almost always a signing problem: the certificate or the anisette data SideStore used to sign the app was invalid. The app itself is usually fine. Here is what the error means and the order to work through the fixes.
Short answer
The error means the code signature SideStore applied is not valid, so iOS refuses to install or launch the app. SideStore re-signs apps with a certificate tied to your Apple Account, and that step fails when the anisette server is down, when a free certificate has expired after seven days, when the certificate was revoked, or when the pairing file is invalid. Per SideStore's troubleshooting docs, the most common fix is switching the Anisette server in settings, followed by refreshing the app to re-sign it.
What you should know
- It is a signing failure, not a corrupt app: the certificate or anisette data used to sign the app was invalid.
- Anisette downtime is the usual cause: signing needs Apple's anisette data, and a failing server breaks it.
- Free certificates expire in seven days: an app that worked last week may simply need a refresh.
- A revoked certificate breaks every app: installing across multiple devices or too many apps can trigger revocation.
- The pairing file matters: an invalid or missing pairing file blocks SideStore from refreshing and re-signing.
What does "not properly signed" actually mean?
It means iOS checked the app's code signature and rejected it. Every app installed outside the App Store still has to be signed with a valid Apple certificate, and SideStore handles that by signing the app with a development certificate tied to your Apple Account. When that signature is missing, malformed, or built from bad anisette data, iOS reports the app as not properly signed and refuses it. So the fix is never to re-download a different copy of the app; it is to repair the signing path SideStore uses. It helps to picture two halves of that path: SideStore needs valid anisette data from Apple to authenticate the signing request, and a valid certificate to actually sign the binary. A failure in either half produces the same generic error, which is why the message alone does not tell you which fix you need, and why working through the causes in order is faster than guessing.
What causes it most often?
A short list of failures covers almost every case. The table ranks them by how often they are the real cause, with the matching fix.
| Cause | Symptom | Fix |
|---|---|---|
| Anisette server down or returning bad data | Signing fails right after Apple Account sign-in | Switch the Anisette URL in SideStore settings, or self-host one |
| Free certificate expired after seven days | The app worked before and now will not launch | Refresh the app in SideStore to re-sign it |
| Certificate revoked | Errors across several apps at once | Sign in again to reset the certificate, then re-sign |
| Invalid or missing pairing file | Refresh and install failures, AFC errors | Regenerate the pairing file and re-pair the device |
| Free Apple Account limits reached | New installs fail while old apps work | Remove old sideloaded apps, or wait out the seven-day window |
How do you fix it, step by step?
Work from the cheapest fix to the most involved:
- Switch the Anisette server: in SideStore settings, change the Anisette URL to an official or self-hosted server, then retry. This resolves the most common case.
- Refresh the app: a free certificate lasts seven days, so refreshing re-signs the app with a current certificate.
- Re-pair the device: if refresh keeps failing with connection or AFC errors, regenerate the pairing file and pair again.
- Reset the certificate: if several apps fail at once, the certificate was likely revoked, so sign in again to issue a fresh one and re-sign your apps.
- Check your limits: a free Apple Account allows a small number of active sideloaded apps and app IDs in a rolling window, so remove old apps if you have hit the cap.
Why does the free Apple Account matter here?
Because a free account carries the tight limits that cause most of these failures. A certificate from a free Apple Account is valid for seven days, after which the app must be re-signed, and the account allows only a handful of active sideloaded apps and a limited number of new app IDs per week. Some apps also request entitlements a free account cannot sign, such as certain push or associated-domain capabilities, which makes signing fail outright. A paid Apple Developer account removes the seven-day expiry and raises the limits, which is why heavy sideloaders tend to use one. The seven-day cycle is also why a sideloaded app that has been quietly working can fail on a day you changed nothing, since the expiry, and not anything you did, is what moved.
What to watch out for
The trap is certificate revocation. Apple revokes a free signing certificate when it is overused, for example when you install across several devices on the same account or churn through many app IDs, and a revoked certificate breaks every app it signed at once, not just the new one. Reset it by signing in again rather than reinstalling each app by hand. Code signing is also the same build-integrity layer that matters when an app heads to the App Store rather than to a sideloader: a pre-submission scan such as PTKD.com (https://ptkd.com) verifies signing and reads the compiled IPA against OWASP MASVS, which is the App Store side of the same concern. For SideStore itself, the fix stays with the certificate, the anisette server, and the pairing file.
What to take away
- "Not properly signed" is a signing failure, so repair the certificate or anisette path rather than re-downloading the app.
- Switch the Anisette server first, then refresh the app, since anisette downtime and the seven-day certificate expiry cause most cases.
- A revoked certificate breaks every signed app at once, so reset it by signing in again instead of fixing apps one by one.
- A free Apple Account brings the seven-day expiry and tight limits; a paid account avoids the expiry, and for App Store builds a pre-submission scan such as PTKD.com checks signing on the compiled IPA.
