OSX code signing

Discussion in 'OSX' started by catfink, Feb 11, 2017.

  1. catfink

    catfink

    Joined:
    May 23, 2015
    Posts:
    133
    Trying to find some advice on how to deal with OSX.

    Currently we are distributing our game outside of the App Store and without doing any code signing... and Gatekeeper is the bane of my life. It randomly removes the execution flag when we do patches, it quarantines the .zip file when users download our game. I've had enough of it and want to circumvent it.

    From what I have read we can code sign to bypass Gatekeeper or we can distribute via the App Store (which also involves code signing).

    I am struggling to find good information on code signing a Unity application and staying outside of Apple store - is this a good idea, will it be problem free? Is there even any good information on this as I'm yet to find anything I can understand - I'm not an OSX user, so the apple ecosystem is fairly new to me.

    Is there a guide somewhere on how to code sign a Unity application for OSX, are there any reliable automated tools to make it easy? I even struggled working out how to get a code signing ID as Apple's webpages on the subject are circular in nature so you follow the hypertext links and end up back where you started and no wiser - so frustrating.

    Would appreciate a bit of guidance from someone who has suffered this pain already.
     
  2. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    8,316
    Yes, we code-sign High Frontier and distribute it through our own store. And in fact, since it's a cross-platform app, we also code-sign the Windows binary on our Mac build machine, as described here.

    We do it all through the Unix command line. Here's the shell script that does all the heavy lifting for the Mac version (only slightly sanitized, and reduced to deal with just one app — our real script does both the demo and full versions of the game):

    Code (Bash):
    #!/bin/bash
    set -e   # stop on the first failing command

    cd /Users/blah/blah/Build/Mac

    echo 'Clearing "Untouched" versions...'
    rm -rf *Untouched*

    echo 'Code-signing Mac full build...'
    # --deep also signs nested frameworks/dylibs; -f replaces any existing signature
    codesign --deep -f -v -s "Developer ID Application: Strout and Sons, LLC" HighFrontier.app
    codesign --deep --verify --verbose HighFrontier.app

    echo 'Zipping Mac full build...'
    rm -f HighFrontier-Mac.zip   # -f: don't fail if there is no previous zip
    zip -r HighFrontier-Mac HighFrontier.app

    So, basically, the codesign (that's code-sign, not co-design!) command is what you're looking for. It digs up your private key from the keychain, where it'll be installed if you've managed to follow Apple's (confusing) guidelines, and uses it to sign the app package. Then we just zip it up for distribution. Some people prefer to deliver on a disk image, but as a user, I'd just as soon have a zip file rather than a disk image I have to mount, drag stuff out of, unmount, and then throw away.
     
  3. catfink

    catfink

    Joined:
    May 23, 2015
    Posts:
    133
    Very helpful, thanks. So we just have to go jump through the Apple hoops to get our code signing ID and then the above can be applied?
     
  4. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    8,316
    Yes, that's right.

    But it's easier than in the Windows world... you wouldn't believe the rigamarole I had to go through to get my Comodo certificate!
     
  5. catfink

    catfink

    Joined:
    May 23, 2015
    Posts:
    133
    Got the Apple cert through today and appear to have code signed without issue. One thing we aren't sure about is: if you zip a code-signed app, does that stop the archive from picking up the quarantine flag if you then host that zip on Google Drive or a web host for download?
     
  6. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    8,316
    No, it's fine. Once the zip file is unzipped, Finder will see that the app is signed and not bug the user about it.
     
  7. catfink

    catfink

    Joined:
    May 23, 2015
    Posts:
    133
    Interesting time we have had with code signing. Because we don't distribute through the Apple Store any zip file we provide gets quarantined (even if we have signed it all). However, we have discovered that if we package using a signed .dmg file then although it downloads as quarantined on first open it verifies and removes the quarantine. At this point we can run fine with full disk access which we can't do using zip distribution as we get moved to a safe read only area due to the quarantine flag.
     
  8. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    8,316
    Interesting! That's not something I've ever noticed with our game (but then, it's not trying to get full disk access — it uses only a folder in Application Support). But perhaps it explains why so many apps are distributed as .dmg files!
     
  9. catfink

    catfink

    Joined:
    May 23, 2015
    Posts:
    133
    I'm not sure what the subtle difference is between .dmg and .zip for one to follow a different security policy to the other, logically either one could run malicious code (which I'm told is the point of the quarantine). I'm just grateful one way works as we were looking like ending up in the Apple Store (hell no!).
     
  10. tiltfactor

    tiltfactor

    Joined:
    Jan 25, 2016
    Posts:
    1
    Hey JoeStrout:

    Thanks for the script! I'm trying to do the exact same thing as well. I keep getting "no identity found" with respect to my cert, which I assume means I'm not naming it correctly or it's not in the right place. Do you have any tips on installing and naming the cert so the codesign command can find it?
     
  11. JoeStrout

    JoeStrout

    Joined:
    Jan 14, 2011
    Posts:
    8,316
    I'm afraid not — except I guess to go back through Apple's guidelines on where/how to install developer certificates.
     
  12. Marneus68

    Marneus68

    Joined:
    Jan 3, 2013
    Posts:
    1
    I know I'm resurrecting an old thread but I'm attempting to do the exact same thing as what JoeStrout here does with his script and somehow any attempt I make to sign the .app manually from the command line is met with the following error message:

    Code (Text):
    Test.app: code object is not signed at all
    In subcomponent: /Users/XXX/Workspace/XXX/XXX/Build/OSX/XXX/Test.app/Contents/Frameworks/libssl.dylib

    I haven't been able to find many results when looking up that error message. Has anyone experienced a similar issue?
     
    Last edited: Jul 25, 2018
  13. UNSH

    UNSH

    Joined:
    Jul 2, 2012
    Posts:
    35
    I haven't met the error you are having, but sometimes the --deep option doesn't sign everything and you have to sign everything manually. We've written an automated workflow / guide to prepare distribution for OSX (from start to finish) in and outside of the App Store, together with an extensive guide; I would suggest reading it. The code to do it manually is also included, and I would suggest you read up at signingpackage; if you scroll up a bit it shows what other packages to sign. Good luck!

    You can read the full text guide with DIY here and get the full here.

    You can find the Unity forum thread here.
     
    Last edited: Jul 28, 2018
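The "code object is not signed at all ... In subcomponent: .../Contents/Frameworks/libssl.dylib" error above, and UNSH's point that --deep sometimes misses nested items, come down to the same thing: every nested dylib, bundle or framework needs its own signature before the outer .app is sealed. The script below is an added example (not code from this thread or from Unity) that enumerates those nested code objects innermost first, signs each one, then strictly verifies the bundle; the identity string, the scanned directories (Contents/Frameworks and Contents/PlugIns) and the quarantine helper are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: sign a Unity .app from the inside
# out, so that nested dylibs/bundles (the "code object is not signed at all"
# subcomponents that --deep sometimes misses) carry their own signature
# before the outer bundle is sealed. Paths and names here are assumptions.
set -eu

# Print nested code objects under Contents/Frameworks and Contents/PlugIns,
# innermost first (find -depth emits children before their parent), then the
# .app itself last. Only those two directories are scanned (assumption).
nested_code_objects() {
  local app="$1" dir
  for dir in "$app/Contents/Frameworks" "$app/Contents/PlugIns"; do
    [ -d "$dir" ] || continue
    find "$dir" -depth \( -name '*.dylib' -o -name '*.bundle' \
      -o -name '*.framework' \) -print
  done
  printf '%s\n' "$app"
}

# Sign every item in that order with the given Developer ID identity, then
# verify the whole bundle strictly (fails if any subcomponent is unsigned).
sign_app() {
  local identity="$1" app="$2"
  nested_code_objects "$app" | while IFS= read -r item; do
    codesign --force --verbose --sign "$identity" "$item"
  done
  codesign --verify --deep --strict --verbose=2 "$app"
}

# Show whether a downloaded archive/app still carries the quarantine
# attribute that Gatekeeper keys on (macOS only; xattr is absent elsewhere).
quarantine_status() {
  xattr -p com.apple.quarantine "$1" 2>/dev/null || echo "not quarantined"
}

if [ "$#" -eq 2 ]; then
  sign_app "$1" "$2"
else
  echo "usage: $0 'Developer ID Application: ...' Path/To/Game.app" >&2
fi
```

Run it as `./sign.sh "Developer ID Application: Your Name (TEAMID)" Build/OSX/Game.app`; the final strict verify is the check that reports which subcomponent is still unsigned, if any.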