Sign a macOS application

Follow this workflow to sign and notarize your macOS application during the build process.

Unity Build Automation can notarize and staple your macOS application during the build process. This ensures that your application meets the macOS notarization requirements.

Note: Notarization isn't required to distribute your application through the Mac App Store. The Mac App Store’s upload process includes similar content validation to notarization. Refer to Delivering to the Mac App Store for more information.

Create a Developer ID Certificate from an Apple device

If you develop on an Apple device, you can set up Unity Build Automation to notarize and staple your application. To meet the requirements, use the following steps:
  1. Create a Developer ID certificate and add it to your Keychain. For information on how to do this, refer to Signing identity.
  2. Export the Developer ID certificate from the Keychain as a file in Personal Information Exchange (.p12) format. For information on how to do this, refer to Import and export keychain items using Keychain Access on Mac.
  3. Get your provider short name through your Apple Developer account.
    • Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.
After completing these steps, refer to Notarize with Unity Build Automation.

Create a Developer ID Certificate from a Windows or Linux device

If you develop on Windows or Linux, you can set up Unity Build Automation to notarize and staple your application. To meet the requirements, use the following steps:
  1. Create a Developer ID certificate and download it. For information on how to do this, refer to Signing identity.
  2. Convert the Developer ID certificate to the PKCS #12 Personal Information Exchange (.p12) file format. For information on how to do this, refer to Converting a Developer ID certificate to a .p12 file on Windows and Linux.
  3. Get your provider short name through your Apple Developer account.
    • Go to Membership Details and find your Team ID. You can use the Team ID as a provider short name.
After completing these steps, refer to Notarize with Unity Build Automation.

Convert a Developer ID certificate to a .p12 file on Windows and Linux

A .p12 file bundles both your Developer ID certificate and a private key. To create one from your Developer ID certificate:
  1. Open a command-line interface and go to the directory that has your Developer ID certificate file. If you didn't download your Developer ID certificate, refer to Signing identity.
  2. Developer ID certificates use the .cer file format. Convert this file to the .pem file format. To do this, run the following command where:
    • developer_identity.cer is the Developer ID certificate file to convert.
    • developer_identity.pem is the file name and file type to output.
    openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
  3. Generate a new private key. To do this, run the following command where:
    • mykey.key is the file name of the private key to output.
    openssl genrsa -out mykey.key 2048
  4. Generate the .p12 file. To do this, run the following command where:
    • mykey.key is the private key file you generated in step 3.
    • developer_identity.pem is the .pem file you generated in step 2.
    openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iphone_dev.p12
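The export in step 4 only succeeds when the private key is the one the certificate was issued for (the key behind the certificate signing request); with any other key, openssl reports that no certificate matches the private key. The following added example, which is not part of the Unity documentation, wraps steps 2 and 4 with that check and reads the export password from an environment variable. The function names, the P12_PASSWORD variable and the self-signed test certificate in demo are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Unity documentation. File names are constructed.

# Succeed only if the private key in $1 belongs to the PEM certificate in $2,
# by comparing the public key derived from each.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Steps 2 and 4 with the check in between.
# $1 = private key, $2 = DER-encoded .cer, $3 = .p12 to write.
# The export password comes from the P12_PASSWORD environment variable
# (an assumed name) so it stays out of the process list and shell history.
make_p12() {
    local pem="${2%.cer}.pem"
    openssl x509 -in "$2" -inform DER -out "$pem" -outform PEM || return 1
    if ! key_matches_cert "$1" "$pem"; then
        echo "refusing to export: $1 does not match $2" >&2
        return 2
    fi
    # The .p12 contains the private key, so create it owner-readable only.
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$pem" -out "$3" \
          -passout env:P12_PASSWORD )
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# Developer ID certificate. Prints the make_p12 exit status for the matching
# key, then for an unrelated key.
demo() {
    local d ok bad
    d=$(mktemp -d) || return 1
    export P12_PASSWORD="constructed-demo-password"
    openssl genrsa -out "$d/mykey.key" 2048 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/mykey.key" -subj "/CN=Constructed Test" \
        -days 1 -outform DER -out "$d/developer_identity.cer" 2>/dev/null
    make_p12 "$d/mykey.key" "$d/developer_identity.cer" "$d/ok.p12" && ok=0 || ok=$?
    make_p12 "$d/other.key" "$d/developer_identity.cer" "$d/bad.p12" \
        2>/dev/null && bad=0 || bad=$?
    rm -rf "$d"
    echo "$ok $bad"
}
```

Calling demo prints `0 2`: the matching key exports cleanly, and the unrelated key is rejected before any .p12 is written.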

Generate an application password

To notarize an application, Apple requires an Apple ID and an app-specific unique password in a particular format. For information on how to generate an application password, see How to generate an app-specific password (Apple). The password you generate uses the following format: xxxx-xxxx-xxxx-xxxx.

Notarize with Unity Build Automation

To notarize your macOS application in Unity Build Automation, use the following steps:
  1. From the Unity Dashboard, open DevOps.
  2. Select Build Automation > Configurations.
  3. Click the Target setup button.
  4. Select the Mac desktop Universal build target.
  5. In the Credentials section, select your Xcode version.
  6. Enable Enable OSX notarization in Unity Build Automation.
  7. Add your Bundle ID. This is the application identifier used when code-signing the application.
  8. Select Add new provisioning credentials (for release).
    Note: If you have provided a set of notarization credentials to Unity Build Automation for the same Organization before, you can select those from the drop-down list.
  9. Enter the following details:
    • Name: Enter a name for your credentials. You can use these credentials for any additional projects you set up in the same organization.
    • p12 File: Upload the .p12 file you created from the earlier platform-specific steps.
    • p12 Password: Enter the password you chose when creating the .p12 file.
    • Entitlements File (optional): Upload an entitlements file. If you don't upload an entitlements file, Unity Build Automation uses the minimum entitlements a macOS application requires to have a Hardened Runtime. For information on what these minimum entitlements are, refer to Entitlements.
    • Provider Short Name: Enter the provider short name from the earlier platform-specific steps. If your Apple ID is associated with more than one organization and you don’t add this, notarization fails. Note: It's recommended to always use a Provider short name when notarizing in Unity Build Automation.
    • Apple ID Username: Enter your Apple ID username.
    • Apple ID Password: Enter your application-specific Apple ID password. Unity Build Automation doesn't verify Apple credentials until it attempts to notarize your build.
    • Confirm your Apple ID Password: Enter your Apple ID password.
  10. Save the configuration.
  11. Ensure that the remaining build target configuration options are complete.
  12. Start a build for your Mac desktop Universal build target.
When the build is complete, Unity Build Automation attempts to notarize and staple the result. Unity Build Automation runs the codesign command with the following flags: --deep --force --verify --verbose --timestamp --options runtime. You can't specify custom flags for your project.
After Unity Build Automation builds, notarizes, and staples your project, you can download a compressed file that has the build.

Environment variables

The following environment variables are available for use in your build configuration. To use them, go to Advanced Settings > Environment Variables and add a new variable.

  • FASTLANE_NOTARIZE_VERBOSE (value: True): Set FASTLANE_NOTARIZE_VERBOSE to True to include additional log outputs when notarizing your application.
  • FL_NOTARIZE_USE_NOTARYTOOL (value: False): Set FL_NOTARIZE_USE_NOTARYTOOL to False to use altool instead of notarytool for notarization. By default, Unity Build Automation uses notarytool for notarization.