
Bug [Action required] Notarization fails because Cloud Build is missing required certificate

Discussion in 'Unity Build Automation' started by aromana, Feb 1, 2022.

  1. aromana

    aromana

    Joined:
    Nov 11, 2018
    Posts:
    137
    EDIT: I've confirmed this issue is caused by Unity Cloud Build's lack of support for Apple's new certificate authority (CA), which is now the default for all Developer ID certificates. It is still possible to work around this issue by issuing new certificates associated with the old CA, but Apple has noted that this will only be available for one year, starting January 27th, 2022. More information available here: https://developer.apple.com/support/developer-id-intermediate-certificate/

    Unity team, the steps you need to take are to either:

    1) Update Xcode to 13.2
    2) Manually install the new certificate on the cloud build machines, which is available from https://www.apple.com/certificateauthority/

    Original post below:

    Hi,

    I've followed Unity's guide on notarizing in great detail. It works fine locally — notarization approved and stapled and tested.

    However, running in Unity Cloud Build, I get these errors:

    Code:
    Warning: unable to build chain to self-signed root for signer "Developer ID Application: <my studio>, LLC"

    Code:
      "issues": [
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The binary is not signed with a valid Developer ID certificate.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The executable does not have the hardened runtime enabled.",
          "docUrl": null,
          "architecture": "x86_64"
        },
    These errors make no sense to me, for several reasons:

    1. I am certain that the Developer ID certificate I uploaded in the config for the build target is correct. Just to confirm, it is of type "Developer ID - Application", and includes both the certificate and the private key. Again — this works locally on my computer. It seems that somehow that the certificate and key from the p12 file do not work when run in Unity Cloud Build. I've even deleted the underlying items from my local keychain, and reimported from the .p12 file, then notarized — just to confirm the .p12 file I am providing to Unity is indeed correct.

    2. Why should the signature not include a secure timestamp? This is as simple as passing --timestamp to codesign. Even looking at the full build log, there does not appear to be a way to view the actual codesign invocation, so I cannot verify

    3. The executable _should_ have hardened runtime enabled. I have attached an entitlements file that produces one; and I've confirmed this locally.

    I'm at my wit's end here, so any help would be appreciated.
     
    Last edited: Feb 1, 2022
  2. rajivrao

    rajivrao

    Unity Technologies

    Joined:
    Feb 19, 2019
    Posts:
    111
    @aromana Has our support for the latest Xcode fixed this issue for you?
     
  3. aromana

    aromana

    Joined:
    Nov 11, 2018
    Posts:
    137
    I assume that yes, it would fix this issue, but I already switched my certificates to the legacy CA to work around this issue, so I can't easily check.
     
    ValeryNikulina likes this.
  4. JonathanTheDev

    JonathanTheDev

    Joined:
    Dec 6, 2017
    Posts:
    1
    I've been having the same issue with notarized cloud builds for Mac even using Xcode 13.2.1. But eventually managed to solve it.

    As @aromana mentioned, it seems to be due to lack of support for the new Developer ID - G2 certificate.

    It took quite a few tries for me to find a solution, but in the end it was super simple.
    I downloaded the G2 certificate from https://www.apple.com/certificateauthority/ and installed it in Keychain Access. Then when creating the .p12 file, I included the G2 certificate along with the Developer ID and private key. This enabled my builds to be signed and notarized in the cloud builds.

    Hope this helps anyone else stuck on this :)
     
    j1mmie and Oreka like this.
  5. Jean-Fabre

    Jean-Fabre

    Joined:
    Sep 6, 2007
    Posts:
    429
    Hi,

    I do encounter issues with notarization, I get a warning: unable to build chain to self-signed root for signer.

    @JonathanTheDev Could you give details on how you actually include the G2 certificate along with the Developer ID? I am trying to find out how to do that, but no luck so far :)

    Bye,

    Jean
     
  6. Jean-Fabre

    Jean-Fabre

    Joined:
    Sep 6, 2007
    Posts:
    429
    Hi,

    OK! It worked. So to create a p12 with several certificates, you just multi-select them and right click. I just did not know it was possible :)

    Thanks @JonathanTheDev for sharing your resolution, it really helped :)

    Bye

    Jean
     
  7. gkatsaros-endlessstudios

    gkatsaros-endlessstudios

    Joined:
    Apr 13, 2022
    Posts:
    10
    I've been getting the same warning and build failures following. How did you manage to get the G2 certificates to be exportable? It has the p12 option grayed out for me.
     
  8. Jean-Fabre

    Jean-Fabre

    Joined:
    Sep 6, 2007
    Posts:
    429
    Try these answers, maybe it will work: https://stackoverflow.com/questions/33163661/os-xunable-to-export-p12-on-keychain

    These certificates are sooo badly implemented, it's amazing... you need to be patient and try everything again and again...

    Bye,

    Jean
     
  9. gkatsaros-endlessstudios

    gkatsaros-endlessstudios

    Joined:
    Apr 13, 2022
    Posts:
    10
    Which G2 certificate did you try specifically?
     
  10. gkatsaros-endlessstudios

    gkatsaros-endlessstudios

    Joined:
    Apr 13, 2022
    Posts:
    10
    Ok, I found the answer. It was "Developer ID - G2" at the bottom of the Create a New Certificate page.

    In Keychain Access, with login and Certificates selected, I had to command click our Developer ID Application and the Developer ID Certification Authority (which is the Developer ID - G2) to export together as a p12.

    That took a lot of trial and error to find out, I hope that helps someone else.
     
  11. j1mmie

    j1mmie

    Joined:
    Oct 31, 2013
    Posts:
    32
    Just chiming in, May 5, 2023 this is still the solution.

    1. Create a private key
    2. Create a Certificate Signing Request from that private key
    3. Submit that CSR to create a Developer ID
    4. Download your Developer ID Cert
    5. Download the "Developer ID - G2 (Expiring 09/17/2031)" from https://www.apple.com/certificateauthority/
    6. Import both your Developer ID cert and the G2 cert into Keychain Access. Import the private key used for your Certificate Signing Request as well
    7. Select the 2 certs and key in Keychain Access at the same time (Cmd + Click). See the screenshot:
    upload_2023-5-5_15-47-16.png

    Export all 3 items as a single .p12 file. Use THAT .p12 for UnityCloud build
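    The posts by JonathanTheDev and j1mmie above both come down to one property of the exported .p12: it must carry the "Developer ID Certification Authority" (G2) intermediate next to the "Developer ID Application" identity, because the build host has no copy of that intermediate and codesign cannot otherwise build the chain to Apple's root. The script below is an added example, not code from any post, from Unity or from Apple. It constructs a throwaway three-tier chain with openssl (a demo root standing in for Apple's root, a demo intermediate standing in for the G2 CA, and a demo "Developer ID Application" leaf), exports the identity once without and once with the intermediate, and then checks each .p12 the way a host with no intermediate installed effectively has to: can the leaf be chained to the trusted root using only the certificates bundled in the .p12? The certificate names, the passphrase "demo", and the function names are all constructed for the example; the only requirement is an `openssl` binary (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not from this thread, Unity, or Apple. All certificates below
# are constructed stand-ins for the real Apple chain; nothing here is trusted
# outside this script. Requires only `openssl` (1.1.1 or 3.x).

WORK=$(mktemp -d)
PASS=demo   # constructed passphrase for the demo .p12 files

# Throwaway chain: root -> intermediate (stand-in for Apple's "Developer ID
# Certification Authority" G2) -> leaf (stand-in for a Developer ID identity).
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Developer ID Certification Authority" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" >/dev/null 2>&1
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n' \
    > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Developer ID Application: Demo Studio" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Export the identity twice: leaf + key only (a lone Keychain item), and with
# the intermediate bundled alongside it (the multi-select export the posts use).
build_demo_p12s() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -passout "pass:$PASS" -out "$WORK/leaf-only.p12"
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -certfile "$WORK/inter.pem" -passout "pass:$PASS" -out "$WORK/with-chain.p12"
}

# Print how many certificates a .p12 ($1, passphrase $2) carries. A Keychain
# export that included the intermediate should report 2, not 1.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Return 0 when the leaf inside $1 chains to the trusted root $3 using only the
# CA certificates bundled in $1 (all a host without the intermediate has);
# return 1 otherwise. $2 is the .p12 passphrase.
p12_chain_ok() {
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$tmp/ca.pem" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem" 2>/dev/null; then
    openssl verify -CAfile "$3" -untrusted "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$tmp/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$tmp"
  return $rc
}

make_demo_chain
build_demo_p12s
for f in leaf-only with-chain; do
  n=$(p12_cert_count "$WORK/$f.p12" "$PASS")
  if p12_chain_ok "$WORK/$f.p12" "$PASS" "$WORK/root.pem"; then
    echo "$f.p12 ($n cert(s)): chain to root OK, usable on a host lacking the intermediate"
  else
    echo "$f.p12 ($n cert(s)): cannot build chain to root; expect 'unable to build chain to self-signed root' from codesign"
  fi
done
```

    To run the same check against a real export, pass the .p12 exported from Keychain Access, its passphrase, and a PEM copy of the matching Apple root from https://www.apple.com/certificateauthority/ (if the download is DER-encoded, convert it with `openssl x509 -inform der -in root.cer -out root.pem`). A count of 1 from p12_cert_count means only the identity was selected during export and the G2 intermediate still has to be added.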
     
  12. SoylentGraham

    SoylentGraham

    Joined:
    Nov 12, 2013
    Posts:
    46
    Is this the key from developer.apple.com ? (from certificates, identifiers, etc)
    That results in a p8 file...
    How did you get that into keychain access? It doesn't support p8 files...

    `ssh-add --apple-use-keychain xyz.p8` succeeds, but I can't find the new key in keychain...

    - Generating Developer ID certificate from just any CSR in keychain...
    - using developer id g2 certificate + Developer ID Certification Authority g2 certificate + apple id + application password; fails
    - using developer id g2 certificate + Developer ID Certification Authority g2 certificate + apple id + user password; fails
     
    Last edited: Sep 13, 2023
  13. j1mmie

    j1mmie

    Joined:
    Oct 31, 2013
    Posts:
    32
    @SoylentGraham I've forgotten the details now, but I probably created the private key via the command line, imported it into Keychain, then chose it when creating the CSR.

    But I believe you can also let Keychain create a private key for the CSR for you:


    Hope this helps
     
  14. gotchipete

    gotchipete

    Joined:
    Sep 16, 2023
    Posts:
    6
    Oof, painful. Hopefully the app store connect credentials that we need to put into the build target in unity cloud build do NOT have to be those of the account holder (asking b/c the account holder is the only one that can create this Developer ID certificate.. and we don't want to put those credentials into unity cloud)

    I'd assume not because the target config states that a separate account should be created - "Creating a new account for this purpose is strongly recommended" - but does anyone know the answer?
     
  15. faysalfdt

    faysalfdt

    Joined:
    Jul 11, 2023
    Posts:
    4
    Is there an update on this issue? This feels like an abnormal amount of work to enable notarization, would it not be possible to use Apple App Store Connect API key instead?