How to sideload on iOS without jailbreak or Revoked for free in the easiest way possible?

Sideload Esign No worries, this is a tutorial, and if you’re an experienced torrent user, you’ll likely pick it up quickly even without the full explanation. For everyone else, this guide is designed to be straightforward, with everything you need right here—no jumping between multiple sources.

Sideloading Guide

DNS
https://github.com/khoindvnDNS/iOS/raw/main/DNS/khoindns.mobileconfig
Esign
https://github.com/khoindvnDNS/iOS/tree/main/Esign-iPA
Certs
https://github.com/khoindvnDNS/iOS/raw/main/DNS/Esign-Certs.zip
Repo
https://repo.apptesters.org

Before we start:
It’s important to carefully read through the entire tutorial to understand the concepts and technical details. This way, you can troubleshoot or prevent issues on your own, rather than blindly following along and ending up surprised like Linus Sebastian with a shocked Pikachu face later on.

Start DNS

About: This is a pre-made DNS profile provided by Khơindvn on GitHub, thanks to a YouTuber named “Pork the Jork.” It’s designed to prevent Apple servers from verifying the bundle ID of apps downloaded outside the App Store. This profile allows apps to be signed before installation, bypassing the verification process, which has been in place since iOS 13 (as apps are no longer signed locally like on PC or Mac). This mechanism, known as Bypass Revoke, helps you regain access even if you’ve been blacklisted.

Step 1:

Ensure that Safari is set as your default browser or is used before tapping the link.

Go to Settings → General → VPN, DNS, & Device Management.
Install the profile and allow it to take effect.

ovPqORh — ^{Based on user feedback as seen above, Khơindvn’s original solution is kept over forked ones like Khomod.}

For those coming from Android or Windows, manually installing any profile is standard behavior on iOS or iPadOS, unlike macOS (at least the older versions before things got more restrictive). This applies even to DNS profiles like NextDNS, AdGuard, or AhaDNS Blitz. If there were any additional permissions or concerns, Apple would clearly state them at the bottom of the prompt when requesting your approval.

Alternatively, you may also manually add these as filter:

ocsp.apple.com
ocsp2.apple.com
valid.apple.com
crl.apple.com
certs.apple.com
appattest.apple.com
vpp.itunes.apple.com

You can create a free CloudFlare Zero Trust account and manually block the mentioned domains. The ReadMe text also provides instructions on filtering adware by creating your own .mobileconfig file. Alternatively, Egern is a native iOS app that lets you set domain block rules locally if you’re familiar with scripting. This app is also compatible with AdGuard Home users.

Install Esign

About:
Esign is an app for signing iPA files. It allows you to download, unzip, package, import, sign, and install iPA files to convert them into apps. Additionally, Esign can access public repositories directly for streamlined app management.

Step 2:

Visit the link (or alternate link) to install Esign (Free version only) from the bottom of the page.
If one certificate doesn’t work, try another one.
Go to Settings → General → VPN, DNS, & Device Management → Enterprise App.
Tap on the certificate name and press the Trust button.
Open the Esign app, and under the Download tab in the bottom navigation bar, tap the ellipses (•••) at the top.
Go to Settings and enable both Auto Import and Auto Delete.

GrFNPW9 — ^{Download Settings for Esign}

Get Certs

About: Cert is simply short for certificate where we’ll use the expired ones instead of the latest one… presumably HDFC Life Insurance (Indian) or older like Sunshine Insurance Group (Chinese) but you’ll be downloaded with all of them.

Step 3:

1. 1. Tap on the link here or copy it from above, then go to your:
    - Esign → Download → ••• → URL › Paste.
  2. A zip file should appear in your Files section. Use the inbuilt uncompressor by tapping on the file; this will create an extracted folder with the same name.
  3. Inside the extracted folder, you should see a list of certificates. Select the one that you used to install Esign.
  4. After a successful import, you can delete both the folder and the zip file.
  5. Now, go to the main Settings in the app (bottom bar) for Sign Default Config, enable Install after signed, and then exit the settings.

Load Repo

About:
Repo stands for repository, which serves as an app library. The one mentioned here is the TrollStore iPA Library from GitHub, allowing you to access a variety of iPA files conveniently.

Step 4:

1. Tap on the link or manually copy it from above.
2. Open Esign → App Source (Top Left) → +.
3. You should now be able to search for and download apps natively.

^{Shortcut tool to find the RAW URL of any GitHub File Link for repo source.}

Install Part

About: If you’ve been following attentively up to here then you’d notice you’re yet to install an app and that’s because unlike the AppStore itself the search function only downloads the app as you’d need to sign it first.

Step 5:

You’ll notice that at the start of this final process, there’s a ‘Signature’ button located above the ‘Install’ button. This button is more important and will be used frequently, unless you’re duplicating an already signed app, such as WhatsApp (more on that later).

How to Duplicate Apps with Esign

About:
There are times when you may want to duplicate apps to keep the original version, manage multiple messaging accounts, or maintain separate use cases. While I usually use a shortcut called Signed Installer, Esign can also facilitate app duplication.

Steps:

Modify the App Name: Change the app name to your custom name (for example, YouTube Red) or add a + symbol after the original app name. Just make sure to change the original name used.
Adjust the Bundle Identifier: Add “.1” to the bundle identifier. For example, if the original bundle identifier is com.google.ios.youtube, change it to com.google.ios.youtube.1.

Final Notes

Here are a few important reminders that are just basic common sense:

DNS Requirement: Don’t attempt to install any apps using Esign without DNS (Bypass Revoke), as they will be instantly blacklisted. The certificates are already revoked, and using DNS later will not whitelist them.
Troubleshooting Installs: If you encounter issues initiating the process, try uninstalling the app, certificate, or DNS involved, and start fresh with a different certificate.
Before Updating iOS: Before updating your iOS version, reverse the steps (uninstall the apps, delete the certificates, and remove the profile) to avoid blacklisting the installed certificate. It’s also recommended to disable Automatic System Software Updates.
Exhausted Certs: If you’ve exhausted all the certificates or have already been blacklisted, consider performing a factory reset or restoring your device after backing it up. Restoring from a physical backup will allow only messenger apps and password managers that require re-login.
DNS Leaks: Apple’s OS has a security flaw where it doesn’t fully cut off internet access to existing routes when new rules are set via DoH or VPN. This can lead to temporary unencrypted connections and DNS leaks, resulting in blacklisting. To switch between DNS profiles with Bypass Revoke, use Airplane Mode.
If You’re Stuck: If you find yourself stuck, ask yourself the following basic questions:
- Did you finish reading the tutorial?
- Did you try again with a different approach?
- Did you explore all the options laid out for you?

Additional Repo Source

If you read till here, as a reward these are some additional repo which I personally use:

iTorrent Repo (Direct)

https://xitrix.github.io/iTorrent/AltStore.json

YTLitePlus Repo (Direct)

https://raw.githubusercontent.com/Balackburn/YTLitePlusAltstore/main/apps.json

EeveeSpotify Repo (Direct)

https://raw.githubusercontent.com/whoeevee/EeveeSpotify/swift/repo.json

CyPwn IPA Repo (Egern)

https://ipa.cypwn.xyz/cypwn.json

You don’t need to add every repo on Earth unless they serve a particular niche category.

Extras

If you’re still reading then you’re actually done with sideloading and good to go.

How to use VPN with Bypass Revoke?

About: VPN stands for Virtual Private Network and for this we’ll use CloudFlare Warp.

Setup:

Make sure you have visited the settings for CloudFlare Warp first to add a Gateway DoH Subdomain.

CYklf3O — Go to **Advanced** → **Connection Options** → **DNS Settings** and enter: **ciwelz9v7y**.
After successfully adding the subdomain, the interface should change to **Zero Trust**.
Continue using your VPN as normal without revoking access.
Before deactivating the VPN each time, enable **Airplane Mode** first:
**Enable Airplane Mode** → **Disable VPN** → **Turn off Airplane Mode**.
You can then continue using the internet normally without revoking access.
For other VPN services based on **WireGuard**, ensure to define the **DNS Server** (DoH) instead of DNS in your settings.

Gateway DoH Endpoint:
https://ciwelz9v7y.cloudflare-gateway.com/dns-query

Injecting dylibs with Esign

About: Dylibs stand short for Dynamic Libraries and this is what allows to run tweaks or fixes.

Setup:

Before injecting with anything, the first thing you’d want to do is visit:
Esign Settings → Sign Default Config → Library Injection Settings
Change ‘inject folder‘ from / to Frameworks/

pdKrv9r — ^{Injection Settings for Esign}

Now, if you have the AppTester Repo loaded for example then you can directly search for a dylib or just filter them by category.

The Sideloadbypass dylib allows you to fix crashes for a decrypted iPA file after injection, such as with Egern. To inject the dylib, simply return to Step 5 or select More Settings before tapping Signature when installing a new app.

Important Note: Ensure that the iPA file isn’t decrypted from TrollStore, as it will crash regardless. The dylib can only be used with apps installed through TrollStore.

Esign No Logs Version

I have come across quite a chatter about Esign No Logs (5.0) which is a custom version of Esign iPA file that sans all of its telemetry. You can simply create a custom DNS filter list of these instead like for Bypass Revoke before: (Update: It’s now native from the download site)

qmuiteam.com
h.trace.qq.com
ios.bugly.qq.com
ios.bugly.qcloud.com
ucc.umeng.com
ulogs.umeng.com
alogus.umeng.com
utoken.umeng.com
aspect-upush.umeng.com
ulogs.umengcloud.com
aladdinsys.com
baidu.com
api.nuosike.com

If you’re facing problems then you can block esign.yyyue.xyz safely by simply heading to Esign Settings → Sign Default Config → Install Address and change to ‘Local‘