
Bug code signing for bundles/dylibs inside app

Discussion in 'macOS' started by andyz, Jan 6, 2021.

  1. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    I can sign a Mac app in the terminal (as per docs --deep etc) but it is not verified as all the libraries inside are reported as "nested code is modified or invalid". Is there a way to fix?

    It would be easier to just make an Xcode project and use Xcode for signing (like say iOS), but Xcode tries to build an x86 & arm64 thing and it doesn't run so no good...

    Unity 2019 LTS
     
  2. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    I think you also need --force flag for the signing to complete.
     
  3. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    yes tried that, no luck
     
  4. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Hmm, not sure what's up with that. Regarding Xcode: you should be able to tell it to build for "My Mac" instead of "Any device".
     
  5. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    Just to make it clear, I do as per docs:
    codesign -o runtime -f --deep -s '3rd Party Mac Developer Application: DEVELOPER NAME' --entitlements "GAMENAME.entitlements" "/AppPath/GAMENAME.app"

    After that the app does not even run!! It complains in a detailed error because a dylib is not signed correctly.
    So maybe you have to sign all plugins and dylibs first as I think Xcode does - tried but no... cigar.

    I think this needs some updating in the docs, even if it is more of an apple issue it would help many people to get robust advice in the documentation.

    Will try xcode again
     
  6. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Can you report a bug on being unable to sign it the "recommended" way so that we could either fix it or fix the documentation?
     
  7. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    case 1304275

    If you build to Xcode (I have 12.3) then the immediate error you get is:
    Code:
    ld: warning: ignoring file /project_path/Frameworks/UnityPlayer.dylib, building for macOS-arm64 but attempting to link with file built for macOS-x86_64
    Undefined symbols for architecture arm64:
      "PlayerMain(int, char const**)", referenced from:
          _main in Main.o
    ld: symbol(s) not found for architecture arm64
    it is set to build for my Mac but the build settings are now Standard Architectures (Apple Silicon, Intel)

    You can manually change it to "x86_64" only under architectures, however code signing then will show errors if you have any bundles included (as can be in asset store plugins!)
    You need to add --deep to code signing flags

    Then, on finally running, my app throws an error in UnityGfxDeviceWorker(29), though it runs if exported:

    Code:
    validateFunctionArguments:3554: failed assertion `Fragment Function(xlatMtlMain): Shader uses texture(_NormalBuffer[1]) as read-write, but hardware does not support read-write texture of this pixel format.'
    Please update the docs or pin on this forum how to build for Mac now

    Edit:
    If I ignore the assert on debugging (!?) I can then notarise the app with apple, so it requires these Xcode steps:
    - Set architecture to x86_64 (unless your unity version handles silicon)
    - Add --deep to code signing if needed for sub-components
    - Enable hardened runtime if signing for notarisation

    The notarised app however does not seem to startup....
     
    Last edited: Jan 7, 2021
  8. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    The above was Unity 2020.1
    In 2019 LTS if I build to Xcode and run, it crashes right away if I enable hardened runtime (needed for notarisation), otherwise it runs OK.

    Edit: solution for this is enable various hardened runtime exceptions :confused:
    This also fixes 2020 project but that is buggy - crash on xcode debugging, calling Application.quit seems to make OSX think it exited unexpectedly :rolleyes:
     
    Last edited: Jan 7, 2021
  9. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
  10. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    Unity 2019.4.15, I could not see any recent fixes

    So terminal sign as per docs did not work (see bug)
    Xcode build does work - but a number of manual changes to build settings required which Unity could/should apply for you? Setting architecture to x86_64 not silicon/intel is an immediate requirement
     
  11. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Yeah, something is definitely wrong there :(. Thanks for the bug report. We will take a look.
     
    Last edited: Jan 7, 2021
  12. tjmaul

    tjmaul

    Joined:
    Aug 29, 2018
    Posts:
    467
    I'm also struggling with this: I built an Intel64 + Apple Silicon executable on 2020.2.1f1 and went through the process described in https://gist.github.com/dpid/270bdb6c1011fe07211edf431b2d0fe4

    Uploading to the notarization service works without errors. I then received an email telling me that the software was not notarized. I can then pull some information about the notarization using
    `xcrun altool --notarization-info XXX-XXX-XXX-XXX --username X@X.X --password XXX-XXX-XXX-XXX --asc-provider XXXXX`

    Here's the log provided by the command
    Code (JSON):
    {
      "logFormatVersion": 1,
      "jobId": "0f5bf3be-eb5a-48b6-82e2-8ce35251e56b",
      "status": "Invalid",
      "statusSummary": "Archive contains critical validation errors",
      "statusCode": 4000,
      "archiveFilename": "From_Parts.zip",
      "uploadDate": "2021-01-08T08:18:36Z",
      "sha256": "4e5f821b1c82616328c7f3abf4a248872f9a996a39a6340e7c36d024e157fa83",
      "ticketContents": null,
      "issues": [
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/lib_burst_generated.bundle",
          "message": "The binary is not signed.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/lib_burst_generated.bundle",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        }
      ]
    }
    Any thoughts on that?
     
  13. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Could you file a bug report (on the fact that burst binary doesn't get signed)? In the meantime, you should be able to sign it manually using "codesign -f -s - lib_burst_generated.bundle".
     
  14. tjmaul

    tjmaul

    Joined:
    Aug 29, 2018
    Posts:
    467
    Thanks for your help @Tautvydas-Zilys. I tried signing with the command you provided, which worked without an error, but the app still didn't get notarized. This time, the error was as follows:
    Code (JSON):
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/lib_burst_generated.bundle",
          "message": "The binary is not signed with a valid Developer ID certificate.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/lib_burst_generated.bundle",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/AVFoundationWrapper.bundle",
          "message": "The binary is not signed.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/AVFoundationWrapper.bundle",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/libOni.bundle/Contents/MacOS/Oni",
          "message": "The binary is not signed with a valid Developer ID certificate.",
          "docUrl": null,
          "architecture": "x86_64"
        },
        {
          "severity": "error",
          "code": null,
          "path": "From_Parts.zip/From Parts.app/Contents/Plugins/libOni.bundle/Contents/MacOS/Oni",
          "message": "The signature does not include a secure timestamp.",
          "docUrl": null,
          "architecture": "x86_64"
        }

    So I signed again using my credentials and the first error went away. I applied the same command for the two other libraries (after another failed notarization attempt) and then it worked.

    I'm not sure about the bug report, because yes, lib_burst_generated.bundle doesn't get signed, but also some other libraries, which I found out after signing lib_burst_generated.bundle. Who's in charge of signing individual dependencies? E.g. I'm using Obi Rope in my build, thus the dependency on libOni.bundle. Should Virtual Method (the creator of said dependency) sign these? I'm a bit lost, please advise.
     
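    Added example, not code from this thread, from Unity or from Apple: it triages a notarization log of the shape posted above (issues[].path / .message) and plans the codesign commands innermost-first, which is why the first post's "nested code is modified or invalid" appears when a plugin is signed after the app that seals it. The G.app paths, the warning entry and the Developer ID identity string are constructed placeholders; the script only prints commands, it does not run codesign.

```python
import json
from collections import defaultdict

# Constructed sample in the shape altool printed in this thread (paths shortened).
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "architecture": "x86_64",
     "path": "G.zip/G.app/Contents/Plugins/lib_burst_generated.bundle",
     "message": "The binary is not signed."},
    {"severity": "error", "architecture": "x86_64",
     "path": "G.zip/G.app/Contents/Plugins/lib_burst_generated.bundle",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "architecture": "x86_64",
     "path": "G.zip/G.app/Contents/Plugins/libOni.bundle/Contents/MacOS/Oni",
     "message": "The binary is not signed with a valid Developer ID certificate."},
    {"severity": "warning", "architecture": "x86_64",
     "path": "G.zip/G.app/Contents/MacOS/G",
     "message": "Constructed warning entry; the triage below ignores warnings."},
]})

# Hypothetical placeholder; substitute the real "Developer ID Application: ..." certificate name.
IDENTITY = "Developer ID Application: PLACEHOLDER"


def failing_paths(log_text: str) -> dict:
    """Map each path inside the .app to the error messages the service reported for it."""
    by_path = defaultdict(list)
    for issue in json.loads(log_text)["issues"]:
        if issue["severity"] != "error":      # only errors make the ticket Invalid
            continue
        # Paths are reported relative to the uploaded zip; keep the part from the .app down.
        by_path[issue["path"].split(".zip/", 1)[-1]].append(issue["message"])
    return dict(by_path)


def signing_plan(log_text: str, identity: str = IDENTITY) -> list:
    """Return codesign commands: innermost code first, then the app, then a verification.

    The app's own signature records hashes of its nested code, so every plugin must
    carry its final signature before the app is (re-)sealed over it with --deep."""
    targets = failing_paths(log_text)
    if not targets:
        return []
    app = next(iter(targets)).split(".app/", 1)[0] + ".app"
    deepest_first = sorted(targets, key=lambda p: p.count("/"), reverse=True)
    flags = f'--force --timestamp --options runtime --sign "{identity}"'
    cmds = [f'codesign {flags} "{p}"' for p in deepest_first]
    cmds.append(f'codesign {flags} --deep "{app}"')          # re-seal the app over the signed plugins
    cmds.append(f'codesign --verify --deep --strict --verbose=2 "{app}"')
    return cmds
```

    The --timestamp flag addresses the "does not include a secure timestamp" errors and a Developer ID identity the "not signed with a valid Developer ID certificate" ones; the final --verify line is the local check to run before uploading again.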
  15. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Yeah, the authors of each library should sign them. Furthermore, unsigned binaries don't run on Apple silicon devices when they're built natively for them at all.
     
  16. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    I am not sure that will happen. Thing is there are dynamic libraries which Unity can include I believe - these are not signed. So you have to do a deep sign - which seems easy in xcode with the addition of deep option (can Unity add by default?), as for terminal code signing... I would prefer not to have to type commands which must be character and option perfect in 2021!
     
  17. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Yeah, you having to mess with the command line is the last thing we want. We might have to solve it ourselves in Unity. We're looking at what we can improve here.
     
  18. varunkarthiksuresh

    varunkarthiksuresh

    Joined:
    May 2, 2020
    Posts:
    7
    I'm having the same issue! How did you guys fix it?
     
  19. varunkarthiksuresh

    varunkarthiksuresh

    Joined:
    May 2, 2020
    Posts:
    7
    Did you guys find a solution?
     
  20. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Yup, Unity automatically signs the built app now.
     
  21. andyz

    andyz

    Joined:
    Jan 5, 2010
    Posts:
    2,276
    Unity 2019 or some newer one?
     
  22. varunkarthiksuresh

    varunkarthiksuresh

    Joined:
    May 2, 2020
    Posts:
    7
    ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list:

    I'm getting this error when I'm uploading it to the App Store Connect.

    Pls tell me how to fix this. I'm breaking my head here
     
  23. flashframe

    flashframe

    Joined:
    Feb 10, 2015
    Posts:
    798
    Add com.apple.security.app-sandbox to your entitlements file

    Code (XML):
    <key>com.apple.security.app-sandbox</key>
        <true/>
     
  24. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,680
    Sorry, I should have mentioned it. We added it to 2020.3.6f1 and newer Unity versions. I considered backporting to 2019.4 LTS but I thought it'd be too risky because even the 2020 LTS backport introduced around 5 regressions that caused people unable to build their games (we fixed them, but still).
     
  25. melkior

    melkior

    Joined:
    Jul 20, 2013
    Posts:
    199
    @Tautvydas-Zilys it would be terribly helpful if the docs were updated to say this. I just spent 3 hours until I found this forum thread.

    Related doc page: https://docs.unity3d.com/Manual/HOWTO-PortToAppleMacStore.html on version 2020.3

    EDIT/UPDATE:
    Next day I am still having this problem. Tried Unity 2020.3.19f1 and 2021.1.22f1 and both still give the same error that the dylibs are not signed.

    2ND UPDATE:
    Got it to work with Unity 2020.3.19f1; I had left off the --deep switch per some instructions in the Apple developer forums; when adding that back it worked (had previously been on 2020.3.6 so upgrading was necessary as well).
     
    Last edited: Sep 28, 2021