
Invalid Code Signature when Exporting Development build for QA

Discussion in 'macOS' started by CharlesC88, Feb 4, 2021.

  1. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Ok so I'm using Unity 2020.2 I'm able to get everything built properly and run fine through Xcode on my machine that's on BigSur 11.2. So now I'm trying to get the build to QA for testing. I archive the build and when that's done choose Distribute App and select the Development Option. I choose my provisioning profile that has the proper UDID's in it (have triple checked that the QA's Mac is in the list) and have attempted to use a certificate that says "All" in the developer account as well as a Mac Development signing certificate.

    When QA attempts to open the app after downloading the .zip from dropbox they are getting an error that reads <Game Name> cannot be opened because of a problem. Check with the developer to make sure <Game Name> works with this version of macOS. You may need to reinstall the application. Be sure to install any available updates for the application and macOS.

    I originally had the app set to minimum system requirement of 10.11 (QA was on 10.15 osx version) then I had him update to 11.2 same error, updated xcode project to make 11.1 minimum still problem. The attached log on the message had a Termination reason of Code Signature, and a few lines saying the code signature was invalid for UnityPlayer.dylib as well as on the .app/Contents/MacOS

    This build works perfectly on the machine I built it from, but not on the testers machine.
     
  2. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
  3. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Is this the same problem? The error the QA is seeing doesn't say anything about it being damaged and that it should be Thrown out, it just says it needs to be updated because of the invalid code signature.

    Also the workaround of re-signing the app. So I was able to download the app and run it just fine. The original version after export worked with no issues. To see if I got the same error, I downloaded the same file as the QA guy. I got an error saying apple couldn't detect malicious software etc. But I was able to Right Click and select Open and run the app in that manner.

    I would have expected to run into the same issue by downloading the app that our QA did, but I did not.
     
  4. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    If you run "codesign -vv path/to/game.app", does it show any errors? It definitely sounds related to this issue.
     
  5. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I just ran it, and the two lines said
    <Game>.app: valid on disk
    <Game>.app: Satisfies its Designated Requirement

    This was at least on the exported version before uploading. I'll run it again on a downloaded copy of the app

    Edit: I just had my QA guy try it but he got a permission denied thing when attempting to run the command.
     
    Last edited: Feb 5, 2021
  6. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Hmm, perhaps it's not the same issue after all. Do you think you could snag a screenshot of that dialog?
     
  7. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I'm hoping I sent the items directly to you. I used the "Start a Conversation" option when clicking in your name as I've never had to do that before now.
     
  8. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Yup, I received them. Can you try these two things in order to better understand the error?

    1. Ask your QA to instead of running the downloaded app from "Downloads" folder, drag it to "Applications" before opening it;
    2. Before sending over the build, replace our code signature with your own by doing "codesign --deep -s - /path/to/game.app".

    Do both of these steps independently.
     
  9. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Ok it'll be a bit for the results.
     
  10. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys when I run the command "codesign --deep -s - /path/to/game.app" it says .app: is already signed

    Also when moving the .app over to the applications folder, it produces the exact same error as what I already sent you, even though the command above said it's already signed. I will be uploading a new version of it now so will have results of that test in a little over an hour or so.
     
  11. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Oops, I forgot to include "-f" flag, which forces it to overwrite existing signature.
     
  12. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Ok this time it said it was replacing existing signatures, then after about a minute it brought up the prompt for entering another command. I'm going to assume that worked, It'll be about an hour to upload and have QA test it before I can get back with the results
     
  13. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys OK after running the command "codesign --deep -s - /path/to/game.app" we are no longer getting the error I first reported. It is now saying that we are missing the entitlement com.apple.developer.icloud-services

    I even tested the local copy of the build (Which was working fine before doing the new sign) and it is throwing the same CKException for the missing entitlement now.

    Edit: I sent you a copy of the new crash log
     
  14. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    So looks like the original issue will be fixed by the fix for the issue I linked above.

    As for the entitlement: that's interesting. Are you using some icloud functionality in your app?
     
  15. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Yes our app is for Apple Arcade and it is required that we use CloudKit for our saves for cross device play on arcade as we are released on Mac, iOS and tvOS. I'm just trying to do an update to the game as we pulled everything in house after release. (We used a 3rd party company for the initial port). Our current live version of the game was built with unity 2018.4 but I had to update to 2020.2 because apple is requiring Apple Silicon support for the mac build. We also use Game Center entitlement.

    Edit: As for the entitlement. As I said the build was working fine with no crash BEFORE doing the command you gave. Have the command however it's like the entitlements got messed up somehow.
     
  16. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Just want to clarify, the build I have on my local machine is also throwing the crash I sent after running the command, the only version of the build that WAS working is no longer working after that.
     
  17. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I've tried running "codesign -d --entitlements - "/path/to/game.app" but it just keeps spitting out Executable=/Path/To/Game.app/Content/MacOS/Game"

    Running
    security cms -D -i "Payload/YourApp.app/embedded.mobileprovision" has the com.apple.icloud-services listed
     
  18. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Oh right. Yes, that codesign command with -f flag will strip any entitlements. Sorry, I somehow totally blanked on that. If your app needs additional entitlements, you can add "--entitlements path/to/entitlements.plist" to the signing command line. That plist file would have to contain these contents:

    Code (csharp):
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>com.apple.developer.icloud-services</key>
            <true/>
        </dict>
    </plist>
     
  19. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Does it have to have a .plist extension? The original Entitlements file had a .entitlements extension in the Xcode project also is there a specific order to that command where i would add the --entitlements part?
     
  20. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I've tried every combination it keeps saying "no identity found"

    Edit: Never mind looks like it was just a syntax error on my part was missing the - before the app path
     
    Last edited: Feb 5, 2021
  21. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Extension shouldn't matter. Are you building the game through Xcode project? Or exporting the app from Unity directly?
     
  22. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys The full process I go through is as follows.

    I build the game in Unity and click the "Create Xcode project" option. I then open the Xcode project and ensure that the entitlements are set properly (Cloudkit, Game Center etc.). I ensure that the scheme has Beyond Blue.app as the executable, I then make sure the build settings are using the new system and not the legacy, and set the derived data to be specific to the project (as everything is on an external to manage my limited storage space better). I then make sure the certificate and provisioning profiles are set in the Signing & Capabilities. I'm using a Mac Development Certificate and a mac development provisioning profile that currently has 26 devices approved on it. After this I set the "Build target??" to My mac and run the game through XCode to ensure there are no issues. Once that is confirmed I change the build target to Any Mac (intel-64, Apple Silicon) and go to Product > Archive. Once the product is Archived I hit Distribute App and choose the Development Option. For the icloud environment I choose Development I then wait for it to finish signing everything, again using the Mac Development certificate/profile. Once the app is fully signed I hit Export and it creates a folder with the following Items in it.

    Game.app
    DistributionSummary.plist
    ExportOptions.plist
    Packaging.log

    This is the folder I then compressed into a .zip file and upload to dropbox and the one that we have been working with through this process.

    In addition I just ran the command "codesign --deep --entitlements "path/to/entitlement.plist -f -s - "path/to/game.app" and it said it was re-signing the app, but now it's saying I don't have permission to open the app (where I did before) and it's creating another crash log with another code signature failure.
     
  23. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I have been able to get the app to work successfully on my machine and my machine only, the problem lies in trying to get it to QA for testing. I have yet to try to Upload the Xcode project and have it built on another machine to see if that works as it's around 40gb's I would have to upload.
     
  24. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    I see. It could be that codesign is destroying more than just entitlements. Instead of doing the signing manually after building from Xcode, you could just have Xcode sign all the libraries for you. Add "--deep" (or "--deep -f" if it fails) to this field in Xcode:

     
  25. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I've already added --deep to that line I will try --deep -f and see if that works.

    I forgot to mention that part in my steps as there are so many I do without thinking now that I've been going through this process all week long. I've probably made about 30 builds in the last few days trying to fix various problems.
     
  26. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    I just find it odd that the problem only happens when the app is downloaded from dropbox on a different machine, I have no problems even running the downloaded version on the machine I build it with.
     
  27. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Ok Local copy has been exported with the --deep -f flag, works on my machine but this is not unexpected as all other previous builds worked on this machine (with the exception of those we ran the manual signing command on) May not be till Monday before I find out if it's working on QA's machines as I believe they are offline now.
     
  28. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    I'm sorry you have to go through all this :(. It's been frustrating to deal with it on our side too, especially since all these issues aren't well documented on Apple's side.
     
  29. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys Ok so I was able to get someone to test the build with the --deep -f flag and it's the same error. I had a call with one of the guys from the company that did our original port and after talking with him he did pose a question I'd like to ask.


    When I do the distribute app portion and after everything is showing is signed before I hit export. It shows the app with the UnityPlayer.dylib GameAssembly.dylib, UnityFbxSdkNative.bundle and a custom .bundle when I click on these it shows that the ones that are signed (Player, Assembly and custom bundle) have the Certificate associated, but that there is no profile associated. Only on the .app does it say there is a profile associated. Could this be a problem? I would think not because then I would assume it wouldn't run on my device. I will send a screenshot of what I'm talking about directly
     
  30. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Would you be able to send me the .app file so I could poke around it locally?
     
  31. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
  32. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Thanks, I received it. I can definitely reproduce the issue.. trying to figure out what is going on.

    One thing I noticed (that is probably not related to the issue you're seeing but I still think is worth mentioning) is that you built your game as Intel + Apple silicon, and all your native plugins are Intel only. That means even if the game was to launch on an Apple silicon machine, it would fail to properly work because the plugins would not get loaded.
     
  33. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys Do I have to do something to get the plugins to work with Silicon? I thought just choosing the option in the build settings (In Unity) was enough.
     
  34. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    You have to recompile them for Apple silicon. Unity takes care of building your project for it but can't change already precompiled code :(.
     
  35. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    I've been rereading this thread to make sure I didn't miss anything and this sentence drew my attention:

    Is the .app you sent me (and to QA) signed using that development provisioning profile? Is your QA device among the list of the approved devices?
     
  36. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Yes and yes
     
  37. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Can you 1) build app as Intel only (because your plugins would make the game not work at all if running natively on Apple silicon, and if you build Intel only then it can run just fine through Rosetta) and 2) Ask your QA to double click on "embedded.provisionprofile" that's inside the app package in the Contents folder and see if they can install it.
     
  38. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys installing the embedded profile seemed to do the trick.

    Now why is it that the profile needed to be installed on the machine?
     
  39. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    I have no idea... that step will obviously not need to be done when the app is downloaded from the app store. I'll see if I can find out why it wasn't installed automatically since you shouldn't have to do it manually.
     
  40. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    @Tautvydas-Zilys So I had posted on the apple developer forums about this issue as well, and the guy that has been responding there explained in more detail why manually installing the provisioning profile worked, and why it's wrong.

    Basically he said because we are using the --deep flag when signing the app in xCode it's associating the entitlements with everything (the main .app, UnityPlayer.dylib, GameAssembly.dylib and our custom bundle).

    https://developer.apple.com/forums/thread/673060
     
    dirty-rectangle likes this.
  41. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Oh boy, that does clear things up a bit. I had no idea that --deep flag applied entitlements to dylibs (or that their presence would prevent the app from running). It sounds like your only option is to remove --deep from Xcode codesign args, and make sure that every library is codesigned before building Xcode project (or perhaps before even building the Unity project). The libraries Unity adds shouldn't need this since we sign them ourselves (that is UnityPlayer.dylib and GameAssembly.dylib), but other libraries that come from your Unity project you will have to sign yourself manually.
     
  42. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    So if I'm going to manually sign the bundles/libraries I would then have to remove the --deep flag from xCode and before building there run codesign -s - /path/to/bundle on each thing and then build in xCode?

    Also another question, why does this not seem to be a problem on the iOS/tvOS builds? It's the exact same project but I don't have to jump through any hoops I can just build for iOS/tvOS in Unity then build again in xCode once I know my profiles/certificates/entitlements are correct. Is there something unique about Mac builds that prevents you guys from basically mirroring the build process for those devices?
     
  43. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    10,756
    Yup! If everything is signed before building the Xcode project, the --deep flag isn't needed anymore.

    Unity doesn't sign plugins when creating the macOS Xcode project right now. This is something we are working on fixing: https://issuetracker.unity3d.com/issues/xcode-macos-bundle-plugins-are-not-signed-in-xcode-projects

    Once that fix lands, doing this manually will no longer be necessary. It was an oversight when we added Xcode support for macOS builds.
     
  44. CharlesC88

    CharlesC88

    Joined:
    Oct 4, 2018
    Posts:
    42
    Thank you, and I appreciate your time and rapid responsiveness in helping me with this issue. It is much appreciated considering the daily update requests I'm getting from my producer on when this apple update will be ready for submission haha.
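
The resolution the thread arrives at (drop --deep, sign each nested library on its own, keep entitlements on the .app only), written out as shell functions. This is an added example, not code from either poster or from Unity; the function names, the CODESIGN override and the paths are assumptions, and only codesign flags quoted in the thread are used.

```sh
#!/bin/sh
# Added example, not from the thread. Function names, the CODESIGN override
# and all paths are assumptions; the codesign flags are those quoted above.

CODESIGN=${CODESIGN:-codesign}   # point at a stub to dry-run off macOS

# Nested dylibs and .bundle plugins under a directory. -depth prints a
# directory's contents before the directory, so inner code comes first.
list_nested_code() {
  find "$1" -depth \( -name '*.dylib' -o -name '*.bundle' \) -print
}

# Sign each nested item on its own: no --deep and no --entitlements.
# -f replaces an existing signature (the "is already signed" case).
sign_nested() (
  list_nested_code "$1" | while IFS= read -r item; do
    "$CODESIGN" -f -s "$2" "$item" || exit 1
  done
)

# Sign the .app last; only this signature carries the entitlements file.
sign_app() (
  app=$1; identity=$2; entitlements=$3
  sign_nested "$app/Contents" "$identity" || exit 1
  "$CODESIGN" -f -s "$identity" --entitlements "$entitlements" "$app"
)

# Print nested items whose signature carries entitlements, the state that
# kept the QA build from launching. Assumes codesign -d writes the
# "Executable=" line to stderr and any entitlements to stdout.
nested_with_entitlements() (
  list_nested_code "$1/Contents" | while IFS= read -r item; do
    out=$("$CODESIGN" -d --entitlements - "$item" 2>/dev/null) || true
    if [ -n "$out" ]; then printf '%s\n' "$item"; fi
  done
)

# Usage on macOS, with "-" (ad hoc) standing in for a real identity:
#   nested_with_entitlements /path/to/game.app
#   sign_app /path/to/game.app - /path/to/game.entitlements
```

An empty result from nested_with_entitlements on the exported .app is the state to reach before sending the build to another machine.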