Sign a macOS application

Unity Build Automation can notarize and staple your macOS application during the build process. Notarization submits your signed build to Apple's automated malware scan and returns a ticket; stapling attaches that ticket to the application so Gatekeeper can verify it even when the user's machine is offline. Together they ensure that your application meets the macOS notarization requirements.

Note: Notarization isn't required to distribute your application through the Mac App Store. The Mac App Store’s upload process includes similar content validation to notarization. Refer to Delivering to the Mac App Store for more information.

Create a Developer ID Certificate from an Apple device

If you develop on an Apple device, you can set up Unity Build Automation to notarize and staple your application.

To meet the requirements, use the following steps:

  1. Create a Developer ID certificate and add it to your Keychain. For information on how to do this, refer to Signing identity.
  2. Export the Developer ID certificate from the Keychain as a file in Personal Information Exchange (.p12) format. For information on how to do this, refer to Import and export keychain items using Keychain Access on Mac.
    Note: The .p12 file must contain the private key that belongs to the certificate, or code signing fails. To produce a .p12 file that also carries the certificate chain, select the following three items together in Keychain Access and export them as a single .p12 file: your Developer ID certificate, the Developer ID - G2 certificate (the Apple intermediate certificate that issued yours), and the private key you created for your Certificate Signing Request.
  3. Get your provider short name through your Apple Developer account.
    • Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.

After completing these steps, refer to Notarize with Unity Build Automation.

Create a Developer ID Certificate from a Windows or Linux device

If you develop on Windows or Linux, you can set up Unity Build Automation to notarize and staple your application. Because Keychain Access isn't available, you create the private key and the .p12 file yourself with openssl. To meet the requirements, use the following steps:

  1. Create a Developer ID certificate and download it. The certificate is bound to the private key that signed its Certificate Signing Request, so generate that key with openssl before you request the certificate and keep it safe (refer to Convert a Developer ID certificate to a .p12 file on Windows and Linux). For information on requesting the certificate, refer to Signing identity.
  2. Convert the Developer ID certificate to the PKCS #12 Personal Information Exchange (.p12) file format, bundling it with that same private key. For information on how to do this, refer to Convert a Developer ID certificate to a .p12 file on Windows and Linux.
  3. Get your provider short name through your Apple Developer account.
    • Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.

After completing these steps, refer to Notarize with Unity Build Automation.

Convert a Developer ID certificate to a .p12 file on Windows and Linux

A .p12 file bundles your Developer ID certificate with the private key that belongs to it. The certificate only works with the key that produced its Certificate Signing Request (CSR): a .p12 file built from the certificate and some other, freshly generated key can't sign anything, and openssl refuses to export it because the certificate doesn't match the key. Create the key first, use it for the CSR, and bundle that same key with the downloaded certificate:

  1. Open a command-line interface and go to the directory where you keep your signing material.

  2. Generate a private key. Keep this file secret and back it up; if you lose it, the certificate Apple issues for it can't be used. Run the following command where:

    • mykey.key is the file name of the private key to output.
    openssl genrsa -out mykey.key 2048
  3. Create a CSR from mykey.key (for example with openssl req), submit it in your Apple Developer account to request a Developer ID certificate, and download the certificate. For information on how to do this, refer to Signing identity.

  4. Developer ID certificates use the .cer (DER) file format. Convert the downloaded file to the .pem file format. To do this, run the following command where:

    • developer_identity.cer is the Developer ID certificate file to convert.
    • developer_identity.pem is the file name and file type to output.
    openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
  5. Generate the .p12 file. openssl prompts you for an export password; this is the password you later enter as the p12 Password in Unity Build Automation. Run the following command where:

    • mykey.key is the private key file you generated in step 2.
    • developer_identity.pem is the .pem file you generated in step 4.
    • developer_identity.p12 is the file name of the .p12 file to output.
    openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out developer_identity.p12
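The following script is an added example, not code from the Unity or Apple documentation. It runs the Windows/Linux procedure above end to end with openssl and adds the check the procedure relies on: the private key must match the certificate before the .p12 is exported. Because it has to run offline, the .cer that Apple would issue for your CSR is replaced by a self-signed certificate constructed here; all file names, the example subject and the password handling are assumptions. The optional chain argument of export_p12 is the openssl counterpart of the macOS note about also exporting the Developer ID - G2 intermediate.

```bash
#!/bin/sh
# Added example, not part of the Unity or Apple documentation: build a
# Developer ID .p12 on Windows (Git Bash/WSL) or Linux with openssl, and check
# that the private key really belongs to the certificate before exporting.
# The .cer that Apple would issue for your CSR is replaced by a self-signed
# certificate constructed here so the script runs offline; every file name
# and the example subject below are assumptions you can change.
set -eu

# Step 1: generate the private key and the CSR to upload to the Apple
# Developer portal. Apple binds the issued certificate to this key's public
# half, so this is the only key that can ever be bundled with it.
make_key_and_csr() {
  key=$1 csr=$2
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -out "$csr" \
    -subj "/CN=Developer ID Application: Example Corp (TEAMID1234)" 2>/dev/null
}

# Stand-in for the .cer you download from Apple: self-sign the CSR with its
# own key and write DER, the format Apple uses for downloads. Constructed.
issue_stand_in_cer() {
  key=$1 csr=$2 cer=$3
  openssl x509 -req -in "$csr" -signkey "$key" -days 1 \
    -outform DER -out "$cer" 2>/dev/null
}

# Step 2: convert DER (.cer) to PEM, the same command as on the page.
cer_to_pem() {
  openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# The check the procedure needs: the public key inside the certificate must
# equal the public key derived from the private key. Returns 0 on a match,
# non-zero otherwise (a freshly generated key never matches).
key_matches_cert() {
  key=$1 pem=$2
  from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Step 3: export the .p12. The export password is an argument so the function
# is scriptable; interactively, let openssl prompt instead so the password
# never lands in shell history. An optional fifth argument names a PEM file
# holding the Apple intermediate certificate, which -certfile adds to the
# bundle (the counterpart of exporting the "Developer ID - G2" item on macOS).
export_p12() {
  key=$1 pem=$2 p12=$3 pass=$4 chain=${5:-}
  if ! key_matches_cert "$key" "$pem"; then
    echo "refusing to export: $key does not match $pem" >&2
    return 1
  fi
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -inkey "$key" -in "$pem" -certfile "$chain" \
      -out "$p12" -passout "pass:$pass"
  else
    openssl pkcs12 -export -inkey "$key" -in "$pem" \
      -out "$p12" -passout "pass:$pass"
  fi
}

# Read the bundle back with the password Unity Build Automation will be given
# and confirm it holds both a certificate and a private key.
p12_has_key_and_cert() {
  p12=$1 pass=$2
  dump=$(openssl pkcs12 -in "$p12" -nodes -passin "pass:$pass" 2>/dev/null) || return 1
  printf '%s\n' "$dump" | grep -q 'BEGIN CERTIFICATE' &&
    printf '%s\n' "$dump" | grep -q 'PRIVATE KEY'
}

# Usage, in a scratch directory (P12_PASS is an assumed environment variable):
#   make_key_and_csr mykey.key request.csr      # upload request.csr to Apple
#   cer_to_pem developer_identity.cer developer_identity.pem
#   export_p12 mykey.key developer_identity.pem developer_identity.p12 "$P12_PASS"
#   p12_has_key_and_cert developer_identity.p12 "$P12_PASS" && echo OK
```

The export step fails closed: if you point it at a key that didn't produce the CSR, it reports the mismatch and writes nothing, which is the condition the original "generate a new private key" wording would have led to.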

Generate an application password

To notarize an application, Apple requires an Apple ID and an app-specific password for that Apple ID. This is not your account password: it's a separate credential you generate in your Apple Account settings (the account must have two-factor authentication enabled), and you can revoke it on its own if it's exposed, without changing your account password.

For information on how to generate an app-specific password, see How to generate an app-specific password (Apple). The password you generate uses the following format: xxxx-xxxx-xxxx-xxxx.

Notarize with Unity Build Automation

To notarize your macOS application in Unity Build Automation, use the following steps:

  1. From the Unity Cloud Dashboard, open DevOps.
  2. Select Build Automation > Configurations.
  3. Click the Target setup button.
  4. Select the Mac desktop Universal build target.
  5. In the Credentials section, select your Xcode version.
  6. Select the Enable OSX notarization in Unity Build Automation checkbox.
  7. Add your Bundle ID. This is the application identifier used when code-signing the application.
  8. Select Add new provisioning credentials (for release).
    Note: If you have provided a set of notarization credentials to Unity Build Automation for the same Organization before, you can select those from the drop-down list.
  9. Enter the following details:
    • Name: Enter a name for your credentials. You can reuse these credentials for any additional projects you set up in the same organization.
    • p12 File: Upload the .p12 file you created in the earlier platform-specific steps.
    • p12 Password: Enter the export password you chose when creating the .p12 file.
    • Entitlements File (optional): Upload an entitlements file. If you don't upload one, Unity Build Automation uses the minimum entitlements a macOS application needs to run with the Hardened Runtime. For information on what these minimum entitlements are, refer to Entitlements.
    • Provider Short Name: Enter the provider short name (Team ID) from the earlier platform-specific steps. If your Apple ID is associated with more than one team and you leave this empty, notarization fails because Apple can't tell which team to submit under. It's recommended to always set a Provider Short Name when notarizing in Unity Build Automation.
    • Apple ID Username: Enter your Apple ID username.
    • Apple ID Password: Enter the app-specific password you generated for this Apple ID, not your account password. Unity Build Automation doesn't verify Apple credentials until it attempts to notarize your build, so a mistake here only shows up as a failed notarization step at the end of the build.
    • Confirm your Apple ID Password: Enter the same app-specific password again.
  10. Save the configuration.
  11. Ensure that the remaining build target configuration options are complete.
  12. Start a build for your Mac desktop Universal build target.

When the build is complete, Unity Build Automation attempts to notarize and staple the result. Before submission it signs the build by running the codesign command with the following flags: --deep --force --verify --verbose --timestamp --options runtime. You can't specify custom flags for your project. In practice this means that --options runtime enables the Hardened Runtime that notarization requires, so any capability your application needs beyond the defaults must come from the entitlements file; --timestamp embeds the secure timestamp notarization also requires; and --deep --force re-signs every nested bundle, framework and helper inside the .app with your identity, including third-party plugins that were already signed by their vendor.

After Unity Build Automation builds, notarizes, and staples your project, you can download a compressed file containing the build.

Environment variables

The following environment variables are available for use in your build configuration. To use them, go to Advanced Settings > Environment Variables and add a new variable.

  • FASTLANE_NOTARIZE_VERBOSE (value: True): Set this to True to include additional log output when notarizing your application. Turn this on first when diagnosing a failed notarization.
  • FL_NOTARIZE_USE_NOTARYTOOL (value: False): Set this to False to use altool instead of notarytool for notarization. By default, Unity Build Automation uses notarytool. Leave the default unless you have a specific reason: Apple deprecated altool for notarization and stopped accepting notarization uploads from it on November 1, 2023, so builds configured to use altool fail to notarize.