
OSX Notarization

Discussion in 'Unity Build Automation' started by falkenbrew, Jun 2, 2020.

  1. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    It would be great to be able to change the notarization config without having to reenter all the information and create a new config. Maybe I'm just too blind to see the option, but it seems to be the only way?
     
  2. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
    Yeah, the Notarization code is heavily based on how we already handled Android and iOS credentials but the Notarization credentials are much more involved. It would definitely make sense to add in the ability to edit them but we probably don't have the time necessary to implement such a thing right now. I'll make a note to keep this in mind for future revisions.
     
  3. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    That's good to hear. I hate the whole Notarization process from Apple, so I was really hoping this could take some of the load off for me. Currently still struggling to get a result that does not fail and I am currently on my 5th notarization setting. So there will need to be a way to delete the failed ones at least... If possible, it would be great to get some better failure information too. Looking at the log, it's not really helping.
     
  4. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
    You should be able to delete the old credentials from the credentials page available at the root level of the developer dashboard (i.e. when no project is selected).

    Unfortunately, failure information is usually not directly controlled by us. For most of the log lines we just print what we're given unless there's an obvious substitution we can make to improve clarity.
     
  5. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    Sorry to continue this, but I have some log information that really disturbs me (6th try):
    Signing credentials: AppStoreV6 (iPhone Distribution:

    I'm using a p12 file containing: 3rd Party Mac Developer Installer and 3rd Party Mac Developer Application
    Where do these signing credentials come from? It feels like a bug to me (I do have iPhone Distribution information in another Build-Config)
     
  6. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
    That line comes from your p12 file, we decrypt that and store/validate some info. That line is the cert name, designated as "CN = {name}" in the file. It's possible to have a valid Notarization profile that mentions iPhone distribution (mostly because you can rename certificates) but it does sound suspicious, you should make sure that you're uploading the correct p12 file. The cert is not necessarily incorrect but does seem likely to be wrong.

    The code for OSX credentials and iOS credentials is pretty well isolated and well tested, I don't think it's likely that the Build API is somehow mixing in iPhone credentials. If you try again with a p12 that you are certain is a Mac Developer ID certificate then we can look into it though - especially if the issue is resolved when you first try deleting your iOS credentials (if practical).
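A way to see, before uploading, which certificate names ("CN = {name}") a .p12 actually contains and whether one of them is a Developer ID Application identity. This is an added example, not part of the thread and not Unity Cloud Build's code; the function names, the `P12_PASSWORD` variable and the sample names in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Unity Cloud Build's code. Sample names are constructed.

# Map a certificate common name (CN) to the channel that identity signs for.
classify_cert_cn() {
  case "$1" in
    "Developer ID Application:"*) echo "developer-id-app" ;;
    "Developer ID Installer:"*)   echo "developer-id-installer" ;;
    "3rd Party Mac Developer Application:"*|"3rd Party Mac Developer Installer:"*)
                                  echo "mac-app-store" ;;
    "iPhone Distribution:"*|"iPhone Developer:"*) echo "ios" ;;
    *)                            echo "unknown" ;;
  esac
}

# Extract the CN from one openssl "subject=" line. Handles "/CN=x/OU=..." and
# "CN = x, OU = ..." layouts; assumes OU follows CN, as in Apple-issued certs.
subject_cn() {
  printf '%s\n' "$1" |
    sed -n -E 's#^.*CN ?= ?(.*)$#\1#p' |
    sed -E 's#(, ?|/)OU ?=.*$##; s#^"##; s#"$##'
}

# Subject line of every certificate in a .p12. The password comes from the
# P12_PASSWORD environment variable so it is not typed on the command line.
# Keychain exports may need "-legacy" added on OpenSSL 3.x.
p12_subjects() {
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASSWORD | grep '^subject='
}

# Read subject lines on stdin; print "<kind>  <CN>" for each certificate.
report_subjects() {
  while IFS= read -r line; do
    cn=$(subject_cn "$line")
    printf '%s  %s\n' "$(classify_cert_cn "$cn")" "$cn"
  done
}

# Succeeds only if the .p12 holds a Developer ID Application identity.
check_p12() {
  report=$(p12_subjects "$1" | report_subjects)
  printf '%s\n' "$report"
  printf '%s\n' "$report" | grep -q '^developer-id-app '
}

# Usage: P12_PASSWORD='...' sh check_p12.sh signing.p12
if [ "$#" -eq 1 ]; then check_p12 "$1"; fi
```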
     
  7. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    hmmm it's not a mac developer id certificate. I added both 3rd Party Mac Developer Installer and 3rd Party Mac Developer Application as I want to be able to submit it to the app store. Before writing my last message I had rebuilt the p12 again just in case I had messed up. I've done that again and will wait for the results. I have not deleted the ios config yet, but I guess I can do that. What would really help me is to know what scripts you are running so I could recreate it myself.
     
  8. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
    We're running
    codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements #{entitlements_file} --sign #{"\""+credential_info['certificate']['certName']+"\""} #{"\""+app_path+"\""})

    then the Fastlane Notarize command, after installing the credentials on the build agent. Each build is run independently so there are no credentials installed other than the one you provided.
     
  9. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    Thanks Victor. I've tried with Developer ID and get a different error, so I guess something is wrong with my certificates. I will try to build using the code you provided and hope I can find the issue.
     
  10. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    Is Unity Cloud Build expecting an application specific password or the actual login for the user? I've managed to submit an app for notarization myself using app-specific-password but am still failing to do so with unity cloud build.

    I used xcrun to submit the app for notarization instead of fastlane. According to fastlane docs a flag is required to use the app specific password, so that could be one of the culprits for the build/notarization failing??

    "Provide the application specific password using the environment variable FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD"

    I was not able to submit my app for notarization using the normal login with xcrun, so maybe having an app specific password forces me to actually use it. But if the FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD variable is not set, I guess my builds will always fail? This is just a wild guess, but I am at the end of my wit.
     
    Last edited: Jun 5, 2020
  11. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
    That variable is only used for the pilot or deliver actions (which we are not using). Most of the tests we did for the notarization workflow were performed with an app-specific password.
     
  12. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    It's driving me a bit crazy to be honest. As stated I have managed to upload a build for notarization via cli, so it can't be all wrong. Is there a way we can test this and shorten the process for you and me? I can give you both username and app specific password, then at least the app can be sent in for notarization. The logs currently suggest that the login is the issue, but I have tried this I don't know how many times. Maybe something goes wrong when copying in the password, but I can't tell as I can't see what was typed. Grasping at straws. Could be the provider name but that was also accepted by cli (I got it via xcrun altool --list-providers)

    Code (CSharp):
    ! build of 'sfaeremac' failed. ! notarization failed. Ensure that you have supplied a valid Apple username and password, and that you have supplied a provider name if your Apple ID is associated with multiple providers.
     
  13. victorw

    victorw

    Joined:
    Sep 14, 2016
    Posts:
    459
  14. falkenbrew

    falkenbrew

    Joined:
    Apr 21, 2020
    Posts:
    146
    Done. Thanks victorw
     
  15. nickfourtimes

    nickfourtimes

    Joined:
    Oct 13, 2010
    Posts:
    219
    I'm also getting this error in UCB and I'm struggling to figure out where the mistake lies. I'm sure my provider, .p12 file, and app-specific password are all correct, but it's still failing with this error.
     
  16. oobartez

    oobartez

    Joined:
    Oct 12, 2016
    Posts:
    167
    So we've set up notarization for one of our builds but it looks like nothing happened: the build finished without errors but the app is not notarized and there is nothing in the logs about notarization. Are we doing something wrong?
     
  17. sebastiansmith445

    sebastiansmith445

    Joined:
    Jun 14, 2018
    Posts:
    1
    Hey - did you ever solve this one - we are facing the exact same issue. thanks
     
  18. oobartez

    oobartez

    Joined:
    Oct 12, 2016
    Posts:
    167
    We eventually got it working, here are some of the mistakes that we made:
    - We used the standard password for Apple account instead of an "application specific password" <- google this term.
    - The provider name is supposed to be optional according to the tooltip but we had to fill it in even though we only have one project and one provider. You have to enter your team ID as the provider name.
     
  19. AdminXRBASE

    AdminXRBASE

    Joined:
    May 19, 2020
    Posts:
    18
    I am getting crazy atm :'). I keep getting this error:

    ! build of 'master-mac-desktop-universal' failed. ! notarization failed. Ensure that you have supplied a valid Apple username and password, and that you have supplied a provider name if your Apple ID is associated with multiple providers.


    I hope someone can help me out:

    - I created an OSX development profile and downloaded the P12 file.
    - I created an app specific password
    - As Provider Short Name I used the Team ID, as mentioned before
    - As Apple ID Username, I use the email address of the Apple account. I also tried using the name of the app specific password.
    - As Password I use the app specific password.

    Is this all correct? Am I overseeing anything?
     
  20. CodingCronus

    CodingCronus

    Joined:
    Jul 30, 2019
    Posts:
    3
    I am getting the same error, @AdminXRBASE . Did you fix your build?
     
  21. Starburst999

    Starburst999

    Joined:
    May 8, 2017
    Posts:
    55
    Same error as well, I don't think "app specific password" can be used anymore. I had a similar issue with fastlane / ios and had to use App Store Connect API Key instead. Not sure if that can be used instead to notarize mac build.
     
  22. unisip

    unisip

    Joined:
    Sep 15, 2010
    Posts:
    340
    I am struggling to get cloud build notarization for MacOS to work. I first built my app locally and it works fine (I'm using 2019.4.31 LTS).
    Cloud build works too, but notarization fails.

    I followed the steps from the unity doc (https://docs.unity3d.com/2021.2/Documentation/Manual/macos-building-notarization.html)
    I have a valid Developer ID Application certificate in p12 with its password, an application password created on the apple site. I am using my Team ID as a provider short name (I also tried using the provider short name returned by the xcrun command line recommended on the unity doc).

    The problem seems to be related to entitlements. I have attached the entitlement file that I use, which is just a copy/paste of the suggested basic entitlements from the unity doc.

    Nothing works.

    Here is the first error that I get in the log:
    Copied entitlements file /BUILD_PATH/vertexbreakers.photoweb.photoweb-macos/.build/last/photoweb-macos/mac.entitlements
    Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1

    I don't see what the problem is with my entitlements.

    I have attached copies of full logs when building with and without this entitlement file (I removed the first part of the log that corresponds to building the Unity app and only kept the notarization part).

    Am I missing something?

    Can anyone help?
     


    Last edited: Dec 15, 2021
  23. dri_richard

    dri_richard

    Joined:
    Mar 10, 2017
    Posts:
    153
    I'm surprised that it fails when not supplying the entitlement file, as I configured notarization for the first time yesterday, and the only problem I had was that I used the wrong type of certificate at first.

    Have you tried the suggestion at https://developer.apple.com/forums/thread/665880 ? There might be a problem with the whitespace / line returns in your own entitlements file, and running plutil will correct it.
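The whitespace / line-return suggestion above, turned into a check that can run before `codesign` ever sees the entitlements file. This is an added example, not from the thread or from Unity; the function names and the specific bytes it looks for (a byte-order mark, anything before `<?xml`, carriage returns) are assumptions about what such problems look like.

```shell
#!/bin/sh
# Added example, not from the thread or from Unity. The byte checks are
# assumptions about what "whitespace / line returns" problems look like.

# Print a space-separated list of findings for one entitlements file
# (empty output means none of these were seen).
entitlements_problems() {
  f=$1; found=""
  bom=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
  if [ "$bom" = "efbbbf" ]; then
    found="$found bom"                 # UTF-8 byte-order mark before <?xml
  elif [ "$(head -c 5 "$f")" != "<?xml" ]; then
    found="$found leading-bytes"       # anything other than <?xml at byte 0
  fi
  if grep -q "$(printf '\r')" "$f"; then
    found="$found crlf"                # Windows line endings
  fi
  echo "${found# }"
}

# Report findings, then let plutil (macOS only) lint the file and rewrite it
# as canonical XML, keeping the original next to it.
preflight_entitlements() {
  f=$1
  problems=$(entitlements_problems "$f")
  if [ -n "$problems" ]; then echo "$f: $problems" >&2; fi
  if command -v plutil >/dev/null 2>&1; then
    plutil -lint "$f" || return 1
    cp "$f" "$f.orig"
    plutil -convert xml1 "$f"
  else
    [ -z "$problems" ]   # without plutil, fail if anything was flagged
  fi
}

# Usage: sh preflight_entitlements.sh mac.entitlements
if [ "$#" -eq 1 ]; then preflight_entitlements "$1"; fi
```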
     
  24. unisip

    unisip

    Joined:
    Sep 15, 2010
    Posts:
    340
    Thanks for the heads up, I will give this a shot.
     
  25. gkatsaros-endlessstudios

    gkatsaros-endlessstudios

    Joined:
    Apr 13, 2022
    Posts:
    10
    Did you end up getting it to work? I've been getting the same error.
     
  26. gkatsaros-endlessstudios

    gkatsaros-endlessstudios

    Joined:
    Apr 13, 2022
    Posts:
    10
    To get around the error, I had to build the Xcode project and then build the app from there.