
Notarizing OSX Builds?

Discussion in 'OSX' started by rtalerico, Nov 26, 2018.

  1. rtalerico

    rtalerico

    Joined:
    Oct 27, 2016
    Posts:
    9
    I've been able to codesign my app without any issues, but upon uploading to the notarization service I'm finding a handful of libraries are unsigned. Even after individually signing the inner contents, I'm struggling to make any progress. On top of that I'm receiving the error on the main app of "The executable does not have the hardened runtime enabled.". I've found very little help for precompiled app notarizing, and was hoping there were others here who have tackled it.

    Anyone else come across these issues?
     
  2. Polygoat

    Polygoat

    Joined:
    Aug 29, 2015
    Posts:
    7
    Did you ever manage to get your app notarized? If so, could you give some pointers?
     
  3. andrews_unity

    andrews_unity

    Unity Technologies

    Joined:
    Dec 11, 2015
    Posts:
    37
  4. amateurd

    amateurd

    Joined:
    Nov 1, 2016
    Posts:
    23
    Am experiencing the same problems on 2019.1.10.

    Any idea how soon this will be working? Until then, it looks like Unity apps can't be distributed on Mac anymore. Is that right?
     
  5. dev_arussell

    dev_arussell

    Joined:
    Sep 2, 2018
    Posts:
    3
    Hey Amateurd, we have successfully passed the notarization process for our Mac OS App. We aren't distributing our product on the Mac App Store, so I can't speak to how that affects what is required.

    The short answer is you will need to manually sign and submit your Mac App for notarization, Unity's build process doesn't have any logic for that.

    Here's an example cmd for running codesign with all the important bits:
    codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements <entitlements_file> --sign "<Developer ID Application: Your Company>"  YourApp.app


    Replace <entitlements_file> with an actual file on disk with the desired entitlements.
    Replace <Developer ID Application: Your Company> with your actual dev ID.

    Hope this helps!
     
    rtalerico likes this.
  6. QFSW

    QFSW

    Joined:
    Mar 24, 2015
    Posts:
    2,481
    Does this mean Unity will be able to get the builds uploaded for notarization for us or will we still need Xcode 10 available to perform it?
     
  7. rtalerico

    rtalerico

    Joined:
    Oct 27, 2016
    Posts:
    9
    Updating for those who may still be in search..

    I was able to successfully upload the app to the Mac App Store. I had to download MachOView to disable GameKit (don't do this if your app uses GameKit).

    From there I created a little script that basically does everything @dev_arussell listed.
     
  8. davenirline

    davenirline

    Joined:
    Jul 7, 2010
    Posts:
    505
    Does anyone have a step by step guide to this? From signing up to be an Apple developer, to building in Unity then opening in Xcode to do the notarization process? Can I skip the Xcode part? Can I just run a script over the built game.app?
     
  9. christianmahler

    christianmahler

    Joined:
    Jul 9, 2017
    Posts:
    13
  10. Adrian

    Adrian

    Joined:
    Apr 5, 2008
    Posts:
    387
    It appears this is only necessary for Mono builds (the Mono JIT needs it), I switched to an IL2CPP build and then the entitlement wasn't required.
     
    christianmahler likes this.
  11. damonp

    damonp

    Joined:
    Dec 7, 2012
    Posts:
    8
    Here's a step by step guide I made https://gist.github.com/dpid/270bdb6c1011fe07211edf431b2d0fe4
     
    davenirline likes this.
  12. Adrian

    Adrian

    Joined:
    Apr 5, 2008
    Posts:
    387
  13. damonp

    damonp

    Joined:
    Dec 7, 2012
    Posts:
    8
    Great tip. I'll try that out and update my gist. Thank you.
     
  14. srilakshmim

    srilakshmim

    Joined:
    Sep 23, 2013
    Posts:
    12
    @damonp @christianmahler I am distributing my app for Steam. Do we need to notarize the app before processing it for Steam or after processing with contentprep for Steam?
    I could successfully do it before Steam SDK processing but not after.
     
  15. srilakshmim

    srilakshmim

    Joined:
    Sep 23, 2013
    Posts:
    12
    To all, this helped me to resolve all the codesign errors. Do try it if you're facing a code sign issue. I ignored it the first time I saw this, but this ended up saving my time.
    My certificates were in the login keychain, so I used login.keychain. Replace according to your keychain.
    • security lock-keychain login.keychain
    • security unlock-keychain -p "password" login.keychain
    • sudo reboot
    • security list-keychains
      "/Users/admin/Library/Keychains/login.keychain-db"
      "/Library/Keychains/System.keychain"
    • security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "password" /Users/admin/Library/Keychains/login.keychain-db
     
  16. christianmahler

    christianmahler

    Joined:
    Jul 9, 2017
    Posts:
    13
    @srilakshmim You notarize the Game.app before uploading to steam. Make sure to staple the returned ticket to the Game.app. You can check successful notarization by running spctl -a -v Game.app. All in all you don't want to get message like this when opening your game in Catalina:


     
  17. gecko

    gecko

    Joined:
    Aug 10, 2006
    Posts:
    2,033
    @christianmahler so for Steam, do we have to notarize the app every time we do a patch?
     
  18. damonp

    damonp

    Joined:
    Dec 7, 2012
    Posts:
    8
    It looks like contentprep is deprecated. I'd recommend using ContentBuilder. This is what I successfully used for uploading to Steam after notarization.
     
  19. damonp

    damonp

    Joined:
    Dec 7, 2012
    Posts:
    8
    @gecko , any build being uploaded to Steam will need to be notarized.
     
  20. christianmahler

    christianmahler

    Joined:
    Jul 9, 2017
    Posts:
    13
    Yes every new build, Apple does this to ensure there is no malware in your app bundle, but you could introduce malicious stuff with each update.
     
    gecko likes this.
  21. christianmahler

    christianmahler

    Joined:
    Jul 9, 2017
    Posts:
    13
    I built a small unity editor asset which handles automatic osx build notarizations (post build) as well as manual notarizations and ticket staples from within unity, maybe also someone else can make use of it: https://github.com/cunum/unity-osx-notarize. Cheers!
     
    binarynate, damonp and davenirline like this.
  22. HiddenJason

    HiddenJason

    Joined:
    Apr 18, 2016
    Posts:
    16
    A note on entitlements when notarizing for those who might be running into problems, especially when dealing with Steam:

    Mono (which you have to use if you're also using UnityIAP right now) requires: com.apple.security.cs.allow-unsigned-executable-memory

    Steam's API requires:
    • *do not* include com.apple.security.app-sandbox
    • include com.apple.security.cs.allow-dyld-environment-variables
    • include com.apple.security.cs.disable-library-validation
    Without that set of entitlements, SteamAPI_Init will fail (return false) when running a notarized+stapled app bundle on macOS 10.14.
     
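    Putting dev_arussell's codesign command, HiddenJason's entitlement set and christianmahler's staple-then-spctl check together as one script (an added example, not code from the thread or from the linked gist or asset). The signing identity, the notarytool keychain profile name "notary-profile" and the zip step are assumptions, and it uses Apple's current notarytool rather than the altool of the thread's time.

```shell
#!/bin/sh
# Added example, not code from the thread: sign, notarize, staple and verify a Unity .app.
# Assumes Xcode command line tools, a Developer ID Application certificate in the keychain
# and a notarytool keychain profile named "notary-profile"; all names are placeholders.
set -eu
IDENTITY="Developer ID Application: Your Company (TEAMID)"   # placeholder signing identity
ENTITLEMENTS="${ENTITLEMENTS:-entitlements.plist}"
# Entitlements from the thread: Mono needs unsigned executable memory; Steam's API needs
# dyld environment variables and no library validation; app-sandbox must NOT appear.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
EOF
}

# Returns 0 only if every required key is present and app-sandbox is absent.
check_entitlements() {
  for key in cs.allow-unsigned-executable-memory cs.allow-dyld-environment-variables \
             cs.disable-library-validation; do
    grep -q "com.apple.security.$key" "$1" || return 1
  done
  if grep -q 'com.apple.security.app-sandbox' "$1"; then return 1; fi
  return 0
}
# dev_arussell's codesign invocation: hardened runtime, secure timestamp, deep signing.
sign_app() {
  codesign --deep --force --verify --verbose --timestamp --options runtime \
    --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$1"
}
# Zip the bundle, submit and wait for the ticket, staple it, then run christianmahler's spctl check.
notarize_and_staple() {
  ditto -c -k --keepParent "$1" "$1.zip"
  xcrun notarytool submit "$1.zip" --keychain-profile "notary-profile" --wait
  xcrun stapler staple "$1"
  spctl -a -v "$1"
}
main() {
  write_entitlements "$ENTITLEMENTS"
  check_entitlements "$ENTITLEMENTS"
  sign_app "$1" && notarize_and_staple "$1"
}
[ $# -eq 0 ] || main "$1"   # runs only when an app bundle path is given
```

Run it as `sh notarize.sh YourGame.app` after the Unity build; check_entitlements is the offline guard against the app-sandbox mistake HiddenJason describes.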
  23. Ukounu

    Ukounu

    Joined:
    Nov 2, 2019
    Posts:
    13
    I have a macOS game on Steam, the most recent published update was on October 18. It launches just fine on macOS Catalina, without any warnings. I never signed or notarized it. Am I missing something? Will "notarization" be required at some point in the future, but not mandatory right now?
     
  24. Adrian

    Adrian

    Joined:
    Apr 5, 2008
    Posts:
    387
    @Ukounu Not at this time but it will depend on Steam if they decide to require it.

    The way Gatekeeper works on macOS, it doesn't check every file each time it's opened. Instead, it relies on programs that download files to add a quarantine attribute to the file. Gatekeeper then only checks files if they have that attribute and removes it, therefore also only ever checking files once.

    Steam simply isn't applying the quarantine attribute at this time. Therefore Gatekeeper doesn't kick in and notarization isn't enforced. I could imagine them adding the quarantine attribute some time in the future; they've already added a checkbox to indicate if a Steam game has been notarized.