Sign a macOS application
Unity Build Automation can notarize and staple your macOS application during the build process. This ensures that your application meets the macOS notarization requirements.
Note: Notarization isn't required to distribute your application through the Mac App Store. The Mac App Store’s upload process includes similar content validation to notarization. Refer to Delivering to the Mac App Store for more information.
Create a Developer ID Certificate from an Apple device
If you develop on an Apple device, you can set up Unity Build Automation to notarize and staple your application.
To meet the requirements, use the following steps:
Note: To generate the .p12 file with multiple certificates, you need to import the following into Keychain Access: your Developer ID certificate, your Developer ID - G2 certificate, and the private key used for your Certificate Signing Request. In Keychain Access, export all three items as a single .p12 file and use that file.
- Create a Developer ID certificate and add it to your Keychain. For information on how to do this, refer to Signing identity.
- Export the Developer ID certificate from the Keychain as a file in Personal Information Exchange (.p12) format. For information on how to do this, refer to Import and export keychain items using Keychain Access on Mac.
- Get your provider short name through your Apple Developer account.
- Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.
After completing these steps, refer to Notarize with Unity Build Automation.
Create a Developer ID Certificate from a Windows or Linux device
If you develop on Windows or Linux, you can set up Unity Build Automation to notarize and staple your application. To meet the requirements, use the following steps:
- Create a Developer ID certificate and download it. For information on how to do this, refer to Signing identity.
- Convert the Developer ID certificate to the PKCS #12 Personal Information Exchange (.p12) file format. For information on how to do this, refer to Converting a Developer ID certificate to a .p12 file on Windows and Linux.
- Get your provider short name through your Apple Developer account.
- Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.
After completing these steps, refer to Notarize with Unity Build Automation.
Convert a Developer ID certificate to a .p12 file on Windows and Linux
A .p12 file bundles both your Developer ID certificate and a private key. To create one from your Developer ID certificate:
1. Open a command-line interface and go to the directory that has your Developer ID certificate file. If you didn't download your Developer ID certificate, refer to Signing identity.
2. Developer ID certificates use the .cer file format. Convert this file to the .pem file format. To do this, run the following command, where developer_identity.cer is the Developer ID certificate file to convert and developer_identity.pem is the file name and file type to output.
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
3. Generate a new private key. To do this, run the following command, where mykey.key is the file name of the private key to output.
openssl genrsa -out mykey.key 2048
4. Generate the .p12 file. To do this, run the following command, where mykey.key is the private key file you generated in step 3 and developer_identity.pem is the .pem file you generated in step 2.
openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iphone_dev.p12
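A .p12 is only a usable signing identity when the private key it bundles corresponds to the public key in the certificate, that is, the key that produced the Certificate Signing Request (openssl pkcs12 -export refuses to pair a certificate with a key that does not match it). The following script is an added example, not part of the Unity documentation: it wraps the conversion steps above in a check that reports a key/certificate mismatch explicitly and lets you inspect the resulting .p12 without extracting the key. File names and the export password are placeholders.

```shell
#!/bin/sh
# Added example (not Unity's own tooling): verify that a Developer ID
# certificate and a private key belong together before bundling them into
# a .p12 for Unity Build Automation.

# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key, 1 otherwise (or if either file is unreadable).
key_matches_cert() {
    cert_pem="$1"
    key_file="$2"
    cert_pub=$(openssl x509 -in "$cert_pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Convert the DER .cer to PEM (step 2 above), then export the .p12 only if the
# key matches the certificate. Arguments: cer_file key_file out_p12 password
build_p12() {
    cer="$1"; key="$2"; out="$3"; pass="$4"
    pem="${cer%.cer}.pem"
    openssl x509 -in "$cer" -inform DER -out "$pem" -outform PEM || return 1
    if ! key_matches_cert "$pem" "$key"; then
        echo "error: $key does not match $cer; use the private key from your CSR" >&2
        return 2
    fi
    # -passout avoids the interactive prompt; the .p12 is encrypted with this
    # password, so handle it like any other signing secret (it is visible to
    # other local users via the process list while openssl runs).
    openssl pkcs12 -export -inkey "$key" -in "$pem" -out "$out" -passout "pass:$pass"
}

# Show the certificate subject and expiry inside a .p12 without writing the
# private key to disk (-nokeys), so you can confirm what you are about to upload.
inspect_p12() {
    p12="$1"; pass="$2"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Usage (placeholder file names):
#   build_p12 developer_identity.cer mykey.key developer_id.p12 'p12-password'
#   inspect_p12 developer_id.p12 'p12-password'
```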
Generate an application password
To notarize an application, Apple requires an Apple ID and an app-specific password in a particular format.
For information on how to generate an application password, see How to generate an app-specific password (Apple). The password you generate uses the following format: xxxx-xxxx-xxxx-xxxx.
Notarize with Unity Build Automation
To notarize your macOS application in Unity Build Automation, use the following steps:
- From the Unity Cloud Dashboard, open DevOps.
- Select Build Automation > Configurations.
- Click the Target setup button.
- Select the Mac desktop Universal build target.
- In the Credentials section, select your Xcode version.
- Select the Enable OSX notarization in Unity Build Automation option.
- Add your Bundle ID. This is the application identifier used when code-signing the application.
- Select Add new provisioning credentials (for release).
Note: If you have provided a set of notarization credentials to Unity Build Automation for the same Organization before, you can select those from the drop-down list.
- Enter the following details:
Property | Description |
---|---|
Name | Enter a name for your credentials. You can use these credentials for any additional projects you set up in the same organization. |
p12 File | Upload the .p12 file you created from the earlier platform-specific steps. |
p12 Password | Enter the password you chose when creating the .p12 file. |
Entitlements File (optional) | Upload an entitlements file. If you don't upload an entitlements file, Unity Build Automation uses the minimum entitlements a macOS application requires to have a Hardened Runtime. For information on what these minimum entitlements are, refer to Entitlements. |
Provider Short Name | Enter the provider short name from the earlier platform-specific steps. If your Apple ID is associated with more than one organization and you don't add this, notarization fails. Note: It's recommended to always use a provider short name when notarizing in Unity Build Automation. |
Apple ID Username | Enter your Apple ID username. |
Apple ID Password | Enter your application-specific Apple ID password. Unity Build Automation doesn't verify Apple credentials until it attempts to notarize your build. |
Confirm your Apple ID Password | Enter your application-specific Apple ID password again. |
- Save the configuration.
- Ensure that the remaining build target configuration options are complete.
- Start a build for your Mac desktop Universal build target.
When the build is complete, Unity Build Automation attempts to notarize and staple the result. Unity Build Automation runs the codesign command with the following flags: --deep --force --verify --verbose --timestamp --options runtime. You can't specify custom flags for your project.
After Unity Build Automation builds, notarizes, and staples your project, you can download a compressed file that has the build.
Environment variables
The following environment variables are available for use in your build configuration. To use them, go to Advanced Settings > Environment Variables and add a new variable.
Property | Value | Description |
---|---|---|
FASTLANE_NOTARIZE_VERBOSE | True | Set FASTLANE_NOTARIZE_VERBOSE to True to include additional log outputs when notarizing your application. |
FL_NOTARIZE_USE_NOTARYTOOL | False | Set FL_NOTARIZE_USE_NOTARYTOOL to False to use altool instead of notarytool for notarization. By default, Unity Build Automation uses notarytool for notarization. |