
Bug [Action required] Notarization fails because Cloud Build is missing required certificate

Discussion in 'Unity Cloud Build' started by aromana, Feb 1, 2022.

  1. aromana (Joined: Nov 11, 2018, Posts: 129)
    EDIT: I've confirmed this issue is caused by Unity Cloud Build's lack of support for Apple's new certificate authority (CA), which is now the default for all Developer ID certificates. It is still possible to work around this issue by issuing new certificates associated with the old CA, but Apple has noted that this will only be available for one year, starting January 27th, 2022. More information available here: https://developer.apple.com/support/developer-id-intermediate-certificate/

    Unity team, the steps you need to take are to either:

    1) Update Xcode to 13.2
    2) Manually install the new certificate on the cloud build machines, which is available from https://www.apple.com/certificateauthority/

    Original post below:

    Hi,

    I've followed Unity's guide on notarizing in great detail. It works fine locally — notarization approved and stapled and tested.

    However, running in Unity Cloud Build, I get these errors:

    Code:
    Warning: unable to build chain to self-signed root for signer "Developer ID Application: <my studio>, LLC"

    Code:
      "issues": [
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The binary is not signed with a valid Developer ID certificate.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "Truffle_Testers.app.zip/Truffle Testers.app/Contents/MacOS/Truffle Testers",
          "message": "The executable does not have the hardened runtime enabled.",
          "docUrl": null,
          "architecture": "x86_64"
        },
    These errors make no sense to me, for several reasons:

    1. I am certain that the Developer ID certificate I uploaded in the config for the build target is correct. Just to confirm, it is of type "Developer ID - Application", and includes both the certificate and the private key. Again — this works locally on my computer. It seems that somehow the certificate and key from the .p12 file do not work when run in Unity Cloud Build. I've even deleted the underlying items from my local keychain, reimported from the .p12 file, then notarized — just to confirm the .p12 file I am providing to Unity is indeed correct.

    2. Why should the signature not include a secure timestamp? This is as simple as passing --timestamp to codesign. Even looking at the full build log, there does not appear to be a way to view the actual codesign invocation, so I cannot verify

    3. The executable _should_ have hardened runtime enabled. I have attached an entitlements file that produces one; and I've confirmed this locally.

    I'm at my wit's end here, so any help would be appreciated.
     
    Last edited: Feb 1, 2022
  2. rajivrao (Unity Technologies; Joined: Feb 19, 2019, Posts: 111)
    @aromana Has our support for the latest Xcode fixed this issue for you?
     
  3. aromana
    I assume that yes, it would fix this issue, but I already switched my certificates to the legacy CA to workaround this issue, so I can't easily check.
     
  4. JonathanTheDev (Joined: Dec 6, 2017, Posts: 1)
    I've been having the same issue with notarized cloud builds for Mac even using Xcode 13.2.1, but eventually managed to solve it.

    As @aromana mentioned, it seems to be due to lack of support for the new Developer ID - G2 certificate.

    It took quite a few tries for me to find a solution, but in the end it was super simple.
    I downloaded the G2 certificate from https://www.apple.com/certificateauthority/ and installed it in Keychain Access. Then when creating the .p12 file, I included the G2 certificate along with the Developer ID and private key. This enabled my builds to be signed and notarized in the cloud builds.

    Hope this helps anyone else stuck on this :)
     
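The following is an added example and not code from this thread, from Unity or from Apple: a toy reproduction, in shell with openssl (1.1.1 or later assumed), of the "unable to build chain to self-signed root" warning aromana hit, and of the fix JonathanTheDev describes (bundling the new intermediate into the .p12). Every name in it is made up: "Toy Root CA" stands in for Apple's root, "Toy Developer ID CA (G1)" and "(G2)" for the old and new Developer ID intermediates, "Toy Studio, LLC" for the studio, and keychain.pem for a build machine's keychain that trusts the root but only knows the old intermediate; the file names and the .p12 password are also hypothetical. The certificates are generated on the fly, so it runs offline. chain_from_p12 emulates what the code signer does: the leaf comes out of the .p12, and intermediates are looked up in the .p12 itself (passed to openssl verify as -untrusted) and in the keychain (-CAfile).

```shell
#!/bin/sh
# Added example (not from the thread): toy reproduction, with openssl, of
# "unable to build chain to self-signed root" and of the fix of bundling the
# intermediate CA into the .p12. All names, paths and the password are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12PASS=toy   # hypothetical .p12 export password

# csr <key> <subject> <out.csr>: make a certificate request for a key
csr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# issue <csr> <out.pem> <ca.pem> <ca.key> <ext-file>: sign a CSR with a CA key
issue() {
  openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 2 -extfile "$5" -out "$2" 2>/dev/null
}

# Build root -> G1 (old intermediate), root -> G2 (new intermediate),
# G2 -> Developer ID leaf, then export the leaf into two different .p12 files.
setup_toy_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=codeSigning\n' > "$d/leaf.ext"
  for n in root g1 g2 leaf; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$n.key" 2>/dev/null
  done
  # Self-signed root, with CA extensions taken from ca.ext
  csr "$d/root.key" "/CN=Toy Root CA" "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  csr "$d/g1.key" "/CN=Toy Developer ID CA (G1)" "$d/g1.csr"
  issue "$d/g1.csr" "$d/g1.pem" "$d/root.pem" "$d/root.key" "$d/ca.ext"
  csr "$d/g2.key" "/CN=Toy Developer ID CA (G2)" "$d/g2.csr"
  issue "$d/g2.csr" "$d/g2.pem" "$d/root.pem" "$d/root.key" "$d/ca.ext"
  # The leaf is issued by the NEW intermediate, like a Developer ID cert issued in 2022
  csr "$d/leaf.key" "/CN=Developer ID Application: Toy Studio, LLC" "$d/leaf.csr"
  issue "$d/leaf.csr" "$d/leaf.pem" "$d/g2.pem" "$d/g2.key" "$d/leaf.ext"
  # Stand-in for the build machine's keychain: trusts the root, knows only the OLD intermediate
  cat "$d/root.pem" "$d/g1.pem" > "$d/keychain.pem"
  # .p12 exported with only the leaf and its private key selected ...
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -name "Developer ID" \
    -passout "pass:$P12PASS" -out "$d/leaf-only.p12"
  # ... and with the G2 intermediate bundled alongside (the fix from the thread)
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/g2.pem" \
    -name "Developer ID" -passout "pass:$P12PASS" -out "$d/with-g2.p12"
}

# certs_in_p12 <p12>: how many certificates the bundle carries (leaf plus extras)
certs_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# chain_from_p12 <p12> <trusted.pem>: emulate the signer. The leaf (-clcerts) comes
# from the .p12; intermediates may come from the .p12 (-cacerts, given to verify as
# -untrusted) or from the keychain (-CAfile). Prints "ok" or "fail".
chain_from_p12() {
  p12=$1; trusted=$2
  openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$P12PASS" 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/signer.pem"
  openssl pkcs12 -in "$p12" -nokeys -cacerts -passin "pass:$P12PASS" 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/extra.pem"
  if grep -q 'BEGIN CERTIFICATE' "$WORK/extra.pem"; then
    set -- -untrusted "$WORK/extra.pem"
  else
    set --
  fi
  if openssl verify -CAfile "$trusted" "$@" "$WORK/signer.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup_toy_pki "$WORK"
for p in leaf-only with-g2; do
  echo "$p.p12: $(certs_in_p12 "$WORK/$p.p12") cert(s), chain to root: $(chain_from_p12 "$WORK/$p.p12" "$WORK/keychain.pem")"
done
```

On a real .p12 the same two openssl pkcs12 -nokeys -clcerts / -cacerts commands show whether the intermediate is bundled, and a leaf-only bundle is exactly what Keychain Access produces when only the identity is selected for export. To bundle the intermediate from the command line rather than through Keychain Access, pass it with -certfile as above (the .cer from Apple's certificate authority page is DER, so convert it first with openssl x509 -inform der). The other two notarization errors in the log are independent of the chain: on a correctly signed binary, codesign -dvv prints a Timestamp= line and flags=0x10000(runtime) in the CodeDirectory line; if those are missing, the build was signed without --timestamp and without --options runtime.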