Bug [Action required] Notarization fails because Cloud Build is missing required certificate

Discussion in 'Unity Cloud Build' started by aromana, Feb 1, 2022.

  1. aromana


    Nov 11, 2018
    EDIT: I've confirmed this issue is caused by Unity Cloud Build's lack of support for Apple's new certificate authority (CA), which is now the default for all Developer ID certificates. It is still possible to work around this issue by issuing new certificates associated with the old CA, but Apple has noted that this will only be available for one year, starting January 27th, 2022. More information available here:

    Unity team, the steps you need to take are to either:

    1) Update Xcode to 13.2
    2) Manually install the new certificate on the cloud build machines, which is available from

    Original post below:


    I've followed Unity's guide on notarizing in great detail. It works fine locally — notarization approved and stapled and tested.

    However, running in Unity Cloud Build, I get these errors:

    Code (CSharp):
    Warning: unable to build chain to self-signed root for signer "Developer ID Application: <my studio>, LLC"

    Code (CSharp):
    "issues": [
    31075:     {
    31076:       "severity": "error",
    31077:       "code": null,
    31078:       "path": " Testers",
    31079:       "message": "The binary is not signed with a valid Developer ID certificate.",
    31080:       "docUrl": null,
    31081:       "architecture": "x86_64"
    31082:     },
    31083:     {
    31084:       "severity": "error",
    31085:       "code": null,
    31086:       "path": " Testers",
    31087:       "message": "The signature does not include a secure timestamp.",
    31088:       "docUrl": null,
    31089:       "architecture": "x86_64"
    31090:     },
    31091:     {
    31092:       "severity": "error",
    31093:       "code": null,
    31094:       "path": " Testers",
    31095:       "message": "The executable does not have the hardened runtime enabled.",
    31096:       "docUrl": null,
    31097:       "architecture": "x86_64"
    31098:     },

    These errors make no sense to me, for several reasons:

    1. I am certain that the Developer ID certificate I uploaded in the config for the build target is correct. Just to confirm, it is of type "Developer ID - Application", and includes both the certificate and the private key. Again — this works locally on my computer. It seems that somehow the certificate and key from the p12 file do not work when run in Unity Cloud Build. I've even deleted the underlying items from my local keychain, and reimported from the .p12 file, then notarized — just to confirm the .p12 file I am providing to Unity is indeed correct.

    2. Why should the signature not include a secure timestamp? This is as simple as passing
    . Even looking at the full build log, there does not appear to be a way to view the actual
    invocation, so I cannot verify

    3. The executable _should_ have hardened runtime enabled. I have attached an entitlements file that produces one; and I've confirmed this locally.

    I'm at my wit's end here, so any help would be appreciated.
    Last edited: Feb 1, 2022
  2. rajivrao


    Unity Technologies

    Feb 19, 2019
    @aromana Has our support for the latest Xcode fixed this issue for you?
  3. aromana


    Nov 11, 2018
    I assume that yes, it would fix this issue, but I already switched my certificates to the legacy CA to work around this issue, so I can't easily check.
  4. JonathanTheDev


    Dec 6, 2017
    I've been having the same issue with notarized cloud builds for Mac even using Xcode 13.2.1, but I eventually managed to solve it.

    As @aromana mentioned, it seems to be due to lack of support for the new Developer ID - G2 certificate.

    It took quite a few tries for me to find a solution, but in the end it was super simple.
    I downloaded the G2 certificate from and installed it in Keychain Access. Then when creating the .p12 file, I included the G2 certificate along with the Developer ID and private key. This enabled my builds to be signed and notarized in the cloud builds.

    Hope this helps anyone else stuck on this :)
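
One way to confirm, before uploading, that a .p12 carries the intermediate certificate that issued its signing certificate, as the last post describes. This is an added example and not part of the thread; it uses only the `openssl` CLI, and the function names, demo certificate names and the password `demo` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): does a .p12 carry the intermediate CA
# certificate that issued its signing certificate?

# Run `openssl x509 -noout $1` on each certificate of a PEM stream on stdin.
cert_hashes() {
  awk -v cmd="openssl x509 -noout $1" '
    /BEGIN CERTIFICATE/ { on = 1 }
    on                  { print | cmd }
    /END CERTIFICATE/   { on = 0; close(cmd) }'
}

# $1 = .p12 path, $2 = export password.
# Returns 0 if the issuer of the key's certificate is in the bundle,
# 1 if it is missing, 2 if the file could not be read.
p12_has_issuer() {
  leaf=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
         cert_hashes -issuer_hash | head -n 1)
  [ -n "$leaf" ] || return 2
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null |
    cert_hashes -subject_hash | grep -qx "$leaf"
}

# Constructed sample input: a throwaway root -> intermediate -> leaf chain with
# made-up names, exported once without and once with the intermediate.
make_demo_p12s() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
      -keyout root.key -out root.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
      -keyout int.key -out int.csr
    openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -out int.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
      -keyout leaf.key -out leaf.csr
    openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key \
      -CAcreateserial -out leaf.crt
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt \
      -passout pass:demo -out leaf-only.p12
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile int.crt \
      -passout pass:demo -out with-intermediate.p12
  ) >/dev/null 2>&1
}

# Stand-alone use: sh check_p12.sh <file.p12> <password>
if [ "$#" -eq 2 ]; then
  p12_has_issuer "$1" "$2" && echo "issuer certificate included" ||
    echo "issuer certificate missing, or file unreadable"
fi
```

If OpenSSL 3 cannot read a .p12 exported from Keychain Access, adding `-legacy` to the `openssl pkcs12` calls may help.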