Unity Appstore Distribution Workflow & Guide

Hi all,

We’ve written a automated workflow / guide to prepare distribution for OSX (from start to finish) in and outside of the Appstore. Based on all the guides & bits ‘n pieces we could find. Together with an extensive full guide that’s (hopefully) accessible for beginners & useful for people who are troubleshooting. We also included DIY if the scripts scare you

We were able to deliver to Apple using this workflow, but for sure there are a lot of other factors that could mess up this process. So if you find missing pieces or mistakes, please let us know.

If anyone wants to become a collaborator please PM me even if its to update the documentation page. Obviously there are not a lot of people developing for OSX but with a bit of help it could be a place to find all info needed on this enigma. We’ve incorporated everything we could find, but for sure there are still many troubleshooting pieces missing.

Also we wrote the words, but rather like a compilation, credit for all the ground work goes to threads/people described in the credits in the readme.

You can read the full text guide with DIY here and get the git here.

 

Signing

-------------------------------------------------------------------


3rd Party Mac Developer Application: xxxx xxxx (xxxxxxx): no identity found

---
I use real team name instead of "xxx"

What do I need to fix?

 

Ok, I came with the second MacBook. And I needed to reissue my old certs and provisioning profile.

In such case, you need to reissue certs through Xcode > Preferences > Accounts and provisioning profiles through the Member Center.

It's the only way with old certs & prov. profiles.

Please, add this info to the manual and mention me with my Unity Assets.

My published app with this manual: Poohlik: Origin of Hard.

 

I'd just like to say many thanks to UNSH and their collaborators for their work on this utility. Might have a few questions later, but this is probably going to be a lifesaver for me.

 

Hi there UNSH-

I'm still running into problems with my app being denied network access, even after updating the .entitlements file to include the com.apple.security.network.client key. Is there any way I can check independently that the .app has the required entitlements for network access after signing?

EDIT: I should also mention that "spctl -a MyAppName.app" is giving a 'rejected' result, but the SignAndPackage script seems to exit without complaints.

 

There are examples in the doc, but its TeamName (TeamId)

So with a space e.g
John (VKHJKJJLLK)

Or if your team name has spaces
John games (VKHJKJJLLK)

EDIT : You can find both in the member center.

 

Ok can you elaborate a little bit more. You used a second macbook that didn’t have an old provisioning profile on it and you needed to download it again?

elabo

 

Hi,

To start off there was a bug about 7 days ago in the build so make sure you have the latest version. The problem was that it didn’t refer to the correct entitlements file so check that first. I’m responsible for UZDW and I’m currently on holiday with only my phone so it’s a bit difficult to delve deep. I updated the git but I can’t test it right now and my collegues are on windows. Also we compiled this workflow based off other peoples input and as an attempt to work together to include all pitfalls, but we are by no means specialists. What the doc describes is what we encoutered, beyond that our experience is little. But I’ll try my best from here.

I can check independently that the .app has the required entitlements for network access after signing?

I don’t think so, you should be able to read the log @ utilities>console and check what errors you get when you open the app. And use that as reference.

Beyond that I think you have to check with the entitlements and figure it out with the Apple docs. There is a reference to the entitlements page in the doc.

Our app downloads from gdrive and we had no problems with the entitlement in the examples. But I don’t know what your game does.

I should also mention that "spctl -a MyAppName.app" is giving a 'rejected' result, but the SignAndPackage script seems to exit without complaints.

I don’t believe that the signing checks your entitlements, it just signs with what you provide it.

I’m sorry I can’t be much of a help but I have very little access here.

 

Okay then, thanks for the feedback UNSH. I *think* I'm using the latest version (I only bumped into this script on monday or so), but I'll double-check my results and get back to you.

 

If I didn't make any mistakes fixing it on my phone, Monday's version should be ok. I'm back next monday so then I'll know for sure and maybe I can help you more. Either way let me know what happens so we expand the documentation of the lost

 

Hey UNSH- two points I'm confused about. When I look at the final-stage signing script, I notice that the 'dev' option (for creating a testable version of the app-store build) doesn't use the entitlements file during signing, but the 'outside' option does? The functioning of my app's network-calls depends on the correct use of entitlements, so is the 'outside' option more useful for testing purposes? (It seems rather counter-intuitive.)

My other question, if you know the answer off-hand: What is the difference between a Unity build with 'mac app store validation' set to 'on' vs. 'off'? Is it a change to the binary itself or a permission in the .plist or something else that could be relatively easily tweaked by external scripts?

 

Hi, as we don't use any Appstore features I haven't really tested this beyond checking if the app opens, but it does indeed seem. Honestly I quite literally followed this tutorial (at the bottom of the page), which states you should not add the entitlements for a testing build. So I added the code, but without further testing as we didn't need it. This workflow is a work in progress and I can only confirm the things crossing my path.

I just checked two builds and I see no difference between the two plist files. It may be possible, but my first guess is you can't.

 

There also crept in a mistake in building the test build, I'm fixing it now.

EDIT: Ok so the product build command for dev was not correct so that may very well be it, I'm not sure what I did there but it should be fixed. I tested and it worked for me here. I updated the git so try again to see if it works. If it doesn't work pm me or mail me so I send you a version to test product build with entitlements.

grtz

 

Thanks UNSH. I was actually able to submit successfully to the app store using the older version of the script last week. The two other questions were largely a matter of curiosity, since I was thinking of rolling up another script to create all 3 versions (dev, store and external) simultaneously.

On that final note- once the signing step for external distribution is completed, should it be possible to create a .dmg from the signed .app, rather than a .zip or .pkg file?

 

I believe that once its signed your good to go. The zipped file is also just a copy of the signed app file. But again not tested and not 100% sure.

Would you mind telling what the problem was with the denied network access? Also if you want to add to the workflow let me know or just push to the git.

 

Hey UNSH- sorry for not getting back. The network access denial was simply because of com.apple.security.network.client being missing from the entitlements file- it wasn't difficult to patch in once I understood the flow.

 

This is awesome-- thank you for making this

 

You're very welcome

 

Thank you so much for this workflow! I has helped me greatly understand the process of what needs to happen for my macOS builds. However, I do have an error that I get after this workflow is complete.

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1

Even if I go through an manually sign the process I still get this error. This happens after I add iCloud to our entitlements. If I remove the iCloud entitlements, the game will launch but crash on the first frame asking for iCloud.

Does anyone have any idea why the iCloud entitlements would brick the build? The provision profile that I am using has them correctly enabled.

 

Icloud is completely untested (because we didn't need it) and apparently not working. I've been talking to someone who is also having this problem and found there's this guide from Kitteh Face that describes how they did it. I am now updating the docs and code according to their findings but I can't really test it. So if you could get the latest git and see if it works and let me know what happens because I am working blind.

0. Make sure your provisioning profiles were made with iCloud capabilities already configured.
1. There is a new entitlements file for iCloud development that you need to adjust accordingly
2. Before you run SignAndPackage (Taken from kittehface.com) Modify the Unity executable to link the CloudKit framework.

1. Following from the eppz! blog, you need to use the third party tool optool.
2. Run the command optool install -c load -p "/System/Library/Frameworks/CloudKit.framework/Versions/A/CloudKit" -t "<your game name>.app/Contents/MacOS/<your game name>"
3. This will modify the Unity binary to load the CloudKit framework at startup. We found that without this - even though the CloudKit framework is linked in the Prime31 plugin - actual calls to CloudKit will fail with the error "connection to service names com.apple.cloudd was invalidated".

​

 

I'm experiencing this same issue as well. I tried going through UNSH's guide on github and the steps in the Kitteh Face blog post, as well as many different combinations of signing commands, but all of my builds crash with the same Code Signature Invalid exception.

UNSH, did you ever see a crash like this while working on the initial guide? I haven't been able to find any useful information in the crash report to help locate the specific cause of the signing error, but if you had any experience or tips diagnosing something similar that could be a big help!

One thing I did notice while attempting to run these commands manually is that the SignAndPackage script only signs one of the five dylibs included in the build for the version of Unity I'm using. Specifically, my build from 2018.3 includes:

Contents/Frameworks/libcrypto.dylib
Contents/Frameworks/libssl.dylib
Contents/Frameworks/UnityPlayer.dylib
Contents/Frameworks/MonoBleedingEdge/MonoEmbedRuntime/osx/libmonobdwgc-2.0.dylib
Contents/Frameworks/MonoBleedingEdge/MonoEmbedRuntime/osx/libMonoPosixHelper.dylib

I've tried signing just the two in the MonoBleedingEdge directory (I guess libmono.0.dylib was at some point replaced by libmonobdwgc-2.0.dylib?) and signing all 5, but I get the same crash regardless.

I'm going to try doing all of the provisioning from scratch today and following the Kitteh Face guide again, so I'll post back if I find anything. Thanks!

EDIT: Also, just to be clear, once the RepeatForUpdatedBuild script is run, the game should be immediately launchable from the 1_MyBuild directory correct? I've seen reports online that this crash will occur when trying to run a distribution build locally and is expected because it needs to be signed by Apple first, but my understanding is that builds with a development profile should still work locally.

Also, thanks UNSH for the awesome guide and your willingness to support it!

 

Alright, I was able to get a functioning build. The Code Signature Invalid crash was indeed caused by signing with a Distribution certificate instead of a Development one. The SignAndPackage script uses "3rd Party Mac Developer Application: $DEVNAME" for the signing identity in dev builds, but in my setup this is actually a Distribution certificate. I changed the identity to my Development certificate (named something like "Mac Developer: <name> (XXXXXXXXXX)") and was able to do a build after signing all .dylibs in the build.

For reference, my SignAndPackage script now looks like this for dev builds:

Code (CSharp):

1. if [ "$BUILD_FOR" = "dev" ] ; then
2.   for file in "$appDir/Contents/Frameworks/"*.dylib
3.   do
4.       codesign --force --verify --verbose=4 --display --sign "$DEVIDENTITY" --preserve-metadata=identifier,entitlements,flags "$file"
5.   done
6.   for file in "$appDir/Contents/Frameworks/MonoBleedingEdge/MonoEmbedRuntime/osx/"*.dylib
7.   do
8.       codesign --force --verify --verbose=4 --display --sign "$DEVIDENTITY" --preserve-metadata=identifier,entitlements,flags "$file"
9.   done
10.   for file in "$appDir/Contents/Plugins/"*.bundle
11.   do
12.       codesign --force --verify --verbose=4 --display --sign "$DEVIDENTITY" --preserve-metadata=identifier,entitlements,flags "$file"
13.   done
14.   codesign --force --verify --verbose=4 --display --sign "$DEVIDENTITY" --entitlements "$locationEntitlements" "$appDir"
15. elif [ "$BUILD_FOR" = "appstore" ] ; then

 

I thought that signing with a developer id you sign your build for outside of the Appstore, I could be very wrong though ( EDIT: And wrong it is) . In any case if you can test iCloud functionality then we're a bit closer closer to a solution. And you're right all those .dylib’s should be signed to, I’m updating the script with to loop through the respective folders instead.

To answer your questions :
No you’re not supposed to use the build in "1_Build". Product build will create an installer in "7_Distribution/Your_Build_Destination/Dev_or_Dist/Your_Version" Also when building for the Appstore delete the build in the 1_Build folder because the installer will install there instead of the Applications folder.

No we didn’t have any crashes then but like I said we didn’t use iCloud and our setup was really simple. We sent our builds to the Appstore they were accepted and pushed the whole experience deep into the subconscious like a childhood trauma The last build we sent to the Appstore was about six months ago and things have changed yet again apparently so three hoorays for that.

EDIT : You're right, so I got completely confused on building for development, my apologies I'm adjusting the script now.

 

Sounds good. I can confirm that cloud saves are working for me after updating the signing procedure and using optool as outlined in the Kittehface post!

Thank you once again for posting these scripts and guide, and continuing to support it... it's been a massive help! Even after your need to engage personally with the trauma has subsided

 

You're very welcome! We use it to though so until Unity gets macOS Xcode up and running any of your problems that get fixed will help us to in the future

 

UPDATE v1.7
- Fixed development signing & readme which was signing with the wrong credentials
- Fixed provisioning profiles mixup in readme & folder structure
- There is now a separate development folder in /5_Entitlements to put your dev entitlements so you don't need to change them between development and distribution builds.
- Changed the folder structure in 7_Distribution to be less chaotic
- Cleaned up the signing code
- Various corrections and adjustments to make things more clear.

 

I'm following this as well to get iCloud working and everything signed. What a nightmare but I really appreciate this tool.

I'm having some troubles though, when I add the com.apple.security.app-sandbox entitlement it crashes with some log errors:
Sandbox deny file-read-data
Sandbox deny iokit-open IOAudioEngineUserClient
Sandbox deny network-outbound

If I remove the sandbox entitlement it runs but I can't get iCloud to sync between iOS/tvOS and macOS. Most likely because they are running on different modes?

 

App sandbox is needed, I would guess that you’re missing entitlements, did you include read/write, and other keys described in the in the icloud entitlements example?
Are you building for development?

 

I've gotten signing to work now but I can't seem to get my progress synced from my iOS build to my macOS build Have you gotten that to work (if you are using iCloud that way). And if so, HOW?!?

 

How do I upload the dSYM along with the pkg? Will Application Loader do this for you?

 

Not sure how things have changed with Notarising but before you uploaded your pkg with Xcode's Application Loader.

not sure if you found your solution but another person had a similar crash and it was related to the iCloud container identifiers in the provisioning profile not matching the identifiers in the entitlements.

 

Updated guide more details on iCloud Namespace CODESIGNING, Code 0x1 crash and entitlements

 

Have anyone tried to make a mac dev build for OSX 10.15 version and able to launch it using the Unity Appstore Distribution Workflow?

I tried to build it for almost a week and the closest I can get now is a code-signed app that launch and immediately close after 1 seconds without any error.

Here is the entitlement i used to code-signed the app, any idea?

Code (CSharp):

1. <?xml version="1.0" encoding="UTF-8"?>
2. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3. <plist version="1.0">
4. <dict>
5.     <key>com.apple.developer.game-center</key>
6.    <true/>
7.     <key>com.apple.developer.icloud-container-identifiers</key>
8.     <array>
9.         <string>iCloud.*com.company.product*</string>
10.     </array>
11.     <key>com.apple.developer.team-identifier</key>
12.     <string>*TeamID*</string>
13.     <key>com.apple.security.network.client</key>
14.     <true/>
15.     <key>com.apple.developer.aps-environment</key>
16.     <string>development</string>
17.     <key>com.apple.security.app-sandbox</key>
18.     <true/>
19.     <key>com.apple.developer.ubiquity-kvstore-identifier</key>
20.     <string>*TeamID*.*com.company.product*</string>
21.     <key>com.apple.application-identifier</key>
22.     <string>*TeamID*.*com.company.product.mac*</string>
23.     <key>com.apple.developer.icloud-services</key>
24.     <array>
25.         <string>CloudKit</string>
26.     </array>
27.     <key>com.apple.security.files.user-selected.read-only</key>
28.     <true/>
29. </dict>
30. </plist>
31.  

 

Regarding the CODESIGNING, Code 0x1 crash.
We had the same crash when trying to make an app that uses the iCloud Key Value Stoarge. But the problem causing this was the 'com.apple.developer.aps-environment => development' entitlement from 5_Entitlements/Examples/Icloud_Development.plist. We never enabled APS/PushNotifications for our provisioning profile. We changed this to 'com.apple.developer.icloud-container-environment => development' before signing again, and the app runs now. It seem to sync with iCloud across mac/iOS devices without removing any .meta files or patching the executable to load CloudKit (we dont use CloudKit [yet]).

 

Have you verified it working between iOS/tvOS and macOS? I'm also only Key Value Storage but I just can't get them to sync between by following any of these guides.

 

We able to make it work in OSX 10.14 and the iCloud Key Value Storage are shared across three platforms ( tvOS, iOS and Mac OSX ). In order for the app to be sync, they have to share the same id for "com.apple.developer.ubiquity-kvstore-identifier" in entitlements.plist.

<key>com.apple.developer.ubiquity-kvstore-identifier</key>
<string>*TeamID*.*com.company.product*</string>

For example, if your team id is ABCDE, and product id ( use the tvOS, iOS id ) is com.happycompany.fungame, then the com.apple.developer.ubiquity-kvstore-identifier value in entitlements.plist would be ABCDE.com.happycompany.fungame for tvOS, iOS and Mac.

 

I'm having issues with the signing step (with or without --deep doesn't matter), I always get this error:

Afterwards, the verify step spits this out:

I found this issue and it seems the only way for me is to wait for Unity to update to `2019.2.3f2`:
https://issuetracker.unity3d.com/is...codesign-errors-on-monobleedingedge-framework

I sign with the distribution certificates and try to build for Appstore Distribution. Does anyone have similar issues/ are there any known workarounds for this?

 

Seems like this is a general issue with various unity version, that has nothing to do with this workflow.
Will post here once the issue cleared, in case others have the problem as well.

 

Hey, we noticed you found our blog post and pulled some stuff from it. Works for me! Building for App Store has been so much messier than we expected when we started.

I wanted to mention we have another post here that might be helpful to folks, you need to add entitlements in order to allow controllers to work on a signed build: http://www.kittehface.com/2019/08/controller-usage-in-signed-macos-game.html

 

You are a true hero... thanks for finding this and keeping everyone updated!

 

Woah! Just realized this today and now saw this post! Thanks for sharing!
We even found the `com.apple.security.device.bluetooth` entitlement and added it, but it didn't work. Will try to also add the `usb`.

EDIT: just tried it and now it works with my wired controller… huge thanks for posting here!

 

By the way in `Unity 2019.2.3f1` the signing issue with the Mono Framework is resolved – I can successfully sign the game now!

 

I'm getting an error:
productbuild: error: Cannot write product to "GAME.pkg". (Could not find appropriate signing identity for “3rd Party Mac Developer Installer: John Doe (666DMBFCK)”.)

Someone have any clue on that? I will be trying to find this out.
(EDIT) first entry on google:
https://stackoverflow.com/questions...ppropriate-signing-identity/57172439#57172439

 

You probably didn’t install the correct signing certificate, check the docs they describe all this more in depth.

 

Yeah I sent you a mail but I never got a reply so just assumed it was ok and credited wherever I took info. Thanks for sharing this and the previous guide!

 

Oh my god, Unsh is here! I'm still fighting the fight, but, thanks for the effort in helping others on this soul crushing experience!

 

Someone had any success with this kind of issue while signing it all?
Veryfing codesign
-------------------------------------------------------------------
../1_MyBuild/game.app: code object is not signed at all

The workflow suggests to look for missed dylibs in the response, but there are no response on this.
Also, while trying to sign manually, every step works, except for the latest step. The error on this last step also returns this exact error message.

Just as proof: my last step sign is something like:
codesign --force --verify --sign "John Doe(AN1TH1NG)" --entitlements "entitlements.plist" "game.app"

Funny is that, my previous test builds where doing fine, using iCLoud and everything. It was just a matter of adding another plugin to my project, and now I have this error.
ALSO funny beucase I've removed this plugin later, but the error persists.

 

Anyone even tried to sign using Xcode 11? So far, I not able to do it successfully.

 

Hey UNSH,

It's been great finding this workflow, you have simplified this exhaustive and overcomplicated process by a ton.

I have a couple questions regarding the procedure.

- Some of the scripts seems to generate conflict regarding my app having spaces in its exectuable name. If for example my name is called "Champion Masters" the PluginsReplaceBundleID script fails at "../1_MyBuild/Champion/Contents".

SignAndPackage has this same issue, not being able to locate the .blundle and .dylib files.

My hot fix was to simply errase the space, run both scripts and re edit the file name, but values such as the "executable file" in the Info.Plist could generate conflict after signing (?)

I ended up manually signing the files as described by Kittehface, but when i run the development build, i get a crash regarding CodeSignature invalid. CODESIGNING, Code 0x1.

My System.log shows the following:

"./MyBuild.app/Contents/MacOS/MyBuild" Code has restricted entitlements, but the validation of its code signature failed.

Unsatisfied Entitlements: Binary is improperly signed.

I've tried signing .dylibs, plugins, the MacOS/build with AND without the -entitlements (using preserve-metadata=identifier,entitlements,flags) as described in Kittehface but both cases give the same output.

I've tried signing with the device ID and with the teamID, for what I understood I had to use the "Mac Developer: MyName (ID)" for development.

Using the "codesign -display -verbose=4" command on each value shows no error, and all seem to have the proper certificate.

Any ideas on what could I be missing?

Once again, thanks for the helpful guide.

Federico

 

If you are using icloud you should look in the docs or this thread as that error is related to a mismatch in the icloud container id. Also for development you should sign with development id and personal not team, it’s described in detail in the docs. I’ll have a look at the script to fix the spaces.