Code signing is the process of creating a code signature for an application. This signature guarantees the integrity of applications and safeguards from any tampering. Apple devices use an application’s code signature to detect changes made after the developer created the code signature. If an application doesn’t have a code signature, the device warns the user before they open it.
Note: You must code sign your application to notarize it with the Xcode command-line or Unity Build AutomationA continuous integration service for Unity projects that automates the process of creating builds on Unity’s servers. More info
See in Glossary.
Unity adds a code signature to every macOS build it produces, known as a Signing Identity. To notarize an application, Apple requires the code signature to include a cryptographic signature, such as a Developer ID certificate, that identifies the developer.
To create a new Developer ID certificate, use the following steps:
.cer
.To notarize your application, Apple needs to identify it using an application identifier. There are two ways to get an application identifier: in Unity, or in the application’s information property list file.
When you have your application identifier, you can register it with Apple. To do this, use the following steps:
Entitlements are permissions or restrictions your code signature includes that control the actions your application can take.
To set entitlements for your application, use the following steps:
.entitlements
file extension. For example, if you name your application MyProject, create a file called MyProject.entitlements
.<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
These entitlements are the minimum entitlements a macOS application requires to have a Hardened Runtime. If your application requires any more entitlements, add them to this list.
To code sign your application you need to use the command line. On your machine, open Terminal and navigate to the directory that the application is in.
To ensure that you have the necessary read permissions to process code signing, run the following command where "application_name.app"
is the name of your application:
chmod -R a+xr "application_name.app"
To code sign your application, run the following command where:
"application_name.app"
is your built application."application_name.entitlements"
is the name of the entitlements file."Developer ID Application : XXX (YYY)"
is your signing identity.codesign
--deep
--force
--verify
--verbose
--timestamp
--options runtime
--entitlements "application_name.entitlements"
--sign "Developer ID Application : XXX (YYY)" "application_name.app"
This command works through the application bundle folder, signs all files, adds a secure timestamp, and embeds the entitlements you’ve set into the signature.
Using the --deep
option might cause issues with your code signature. This is because:
It applies the same code signing options and entitlements to all the code that it signs.
It only signs code files that it finds. If there are code files in a place where the system expects to find data, using --deep
doesn’t sign these code files.
For more information about the --deep
option and how to resolve issues with it, refer to Sign your code.