Starting with Unity 6.3, the Package Manager checks for digital package signatures on all tarball packages used in the Unity ecosystem.
A package signature is a cryptographic proof of origin: it lets the Package Manager verify which publisher produced a package and detect any change made to the package contents after the publisher signed it. Package signatures make it easier for everyone to confirm a package's origin and integrity, and to spot unauthorized changes or tampering. The recommended best practice is for all publishers to sign their packages. Taking this simple step helps members of the Unity community feel more confident when using your packages.
When you try to install a registry package that has signature issues, the Package Manager window flags that package. The following table explains each flag and how you can resolve it.
Icon | Description | Recommended action
---|---|---
![]() | This package has a signature, but the signature is invalid. This might indicate that the package has been tampered with, or is unsafe or malicious. | Consider removing this package from your project.
![]() | This package lacks a signature. Unity can't verify this package. To protect your project, the recommended best practice is to use only signed packages. | As a package consumer, ask the package owner to publish a version of the package with a signature, then install the signed version. As a package publisher, sign your package, then distribute the signed version.
Starting with Unity 6.3, publishers can sign their package directly from the Package Manager window or by using command line arguments.
When you sign a package, you must associate it with one of your organizations, so package consumers can quickly determine who created and owns it.
The only packages you can sign are packages that have the Custom or Local label in the Package Manager window, such as packages embedded in the Packages folder of your project.

To sign a package from the Package Manager window:
1. Make sure you're signed in to the Unity Hub.
2. Open the Package Manager window.
3. Select the package you want to sign.
4. Select Export.
5. In the modal that appears, open the Authoring Org menu and select the organization you want to associate this package with.
6. Select a location to store the signed package and select Select Folder (Windows) or Choose (macOS).
   Note: If the package already exists in that location, a warning message prompts you to confirm overwriting the file.

When the export process completes, your file management application opens at the location you specified, showing you the newly created file. A confirmation message also displays in the Console window.
The export operation creates a tarball file (.tgz), which is a compressed archive file. This tarball contains a signature file (.attestation.p7m, a PKCS #7 (CMS) message) that holds the package signature; it is this file that the Package Manager checks when the package is installed.
Refer to Share your package for information about distributing this tarball file to others.
If you publish packages using continuous integration (CI), you can sign your package from the command line.
To gather your organization's Organization ID and sign your package from the command line:

1. If the project that uses the package you want to sign is open, close the Unity Editor.
2. Go to the Unity Cloud Dashboard (https://cloud.unity.com/account/my-organizations) and select the organization you want to use to sign your package.
   Note: You can also select the link for your account in the top right corner of the dashboard and select Switch organization for the intended organization, then open the menu again and select Manage organization.
3. From the My organizations page (or the Organization Settings page), locate the Organization ID field.
4. Copy the Organization ID value.
5. Open a command prompt window.
6. Change directories to the location of your Unity Editor. For more information, refer to Unity Editor command line arguments and Locate the Editor program file.
7. Run the following command, replacing the placeholder values in angle brackets. On a CI system, supply the username and password from the CI secret store rather than writing them into the pipeline definition, and remember that command-line arguments are visible to other processes on the build machine and can be echoed into build logs.

Windows:

```
Unity.exe -batchmode -username <your_username> -password <your_password> \
-upmPack <path_to_package_folder> <path_to_tarball> \
-cloudOrganization <your_organization_id>
```

macOS:

```
Unity.app/Contents/MacOS/Unity -batchmode -username <your_username> -password <your_password> \
-upmPack <path_to_package_folder> <path_to_tarball> \
-cloudOrganization <your_organization_id>
```
Parameter to replace | Description
---|---
<your_username> | The username you use to sign in to the Unity Hub or Unity Editor.
<your_password> | The password you use to sign in to the Unity Hub or Unity Editor.
<path_to_package_folder> | The fully qualified path to the folder that contains the package.json file for the package you want to sign. Note: Don't include package.json in this parameter value.
<path_to_tarball> | The output path where you want to save the signed tarball file (.tgz). Note: If the folder doesn't exist, the command creates it for you.
<your_organization_id> | The Organization ID you copied from the Unity Cloud Dashboard.
The output tarball contains a signature file (.attestation.p7m, a PKCS #7 (CMS) message) that holds the package signature.
Refer to Share your package for information about distributing this tarball file to others.
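The following script is an added example, not part of Unity's documentation or tooling, that wraps the command-line signing step above for a CI pipeline and then checks the result. It also serves the Package Manager window export described earlier: the same `check_signed_tarball` function can be run against a tarball produced by Export to confirm that the signature file is present before the tarball is shared. Assumptions (not from the original page): the Unity executable path is supplied in a `UNITY_EDITOR` environment variable, the credentials and Organization ID are supplied in `UNITY_USERNAME`, `UNITY_PASSWORD` and `UNITY_ORG_ID` (populated from the CI secret store), and `tar` and `grep` are available on the runner. The check only confirms that a `.attestation.p7m` entry exists in the archive; cryptographic validation of the signature is done by the Package Manager when the package is installed.

```shell
#!/bin/sh
# Added example: CI wrapper for signing a UPM package with -upmPack and
# checking the output. Not Unity's own script. Assumed environment:
#   UNITY_EDITOR    path to the Unity executable (assumption)
#   UNITY_USERNAME  Unity account username, from the CI secret store
#   UNITY_PASSWORD  Unity account password, from the CI secret store
#   UNITY_ORG_ID    Organization ID copied from the Unity Cloud Dashboard
set -eu

# Return 0 if the tarball contains a .attestation.p7m entry (the file
# that carries the package signature), 1 otherwise. Works for tarballs
# produced either by the Export button or by -upmPack.
check_signed_tarball() {
    tgz="$1"
    if [ ! -f "$tgz" ]; then
        echo "missing tarball: $tgz" >&2
        return 1
    fi
    if tar -tzf "$tgz" | grep -q '\.attestation\.p7m$'; then
        return 0
    fi
    echo "no .attestation.p7m in $tgz: package is unsigned" >&2
    return 1
}

# Sign the package whose package.json lives in $1 and write the signed
# tarball to $2. Credentials come from the environment so they are never
# written into the pipeline definition; they still appear on the Unity
# command line, so run this on a trusted runner with log masking enabled.
sign_package() {
    pkg_dir="$1"
    out_tgz="$2"
    if [ ! -f "$pkg_dir/package.json" ]; then
        echo "no package.json in $pkg_dir" >&2
        return 1
    fi
    : "${UNITY_EDITOR:?set UNITY_EDITOR to the Unity executable}"
    : "${UNITY_USERNAME:?}" "${UNITY_PASSWORD:?}" "${UNITY_ORG_ID:?}"
    "$UNITY_EDITOR" -batchmode \
        -username "$UNITY_USERNAME" -password "$UNITY_PASSWORD" \
        -upmPack "$pkg_dir" "$out_tgz" \
        -cloudOrganization "$UNITY_ORG_ID"
    # Fail the build if Unity exited 0 but no signature file was emitted.
    check_signed_tarball "$out_tgz"
}

# Usage: sh sign_package.sh <package_folder> <output.tgz>
if [ $# -eq 2 ]; then
    sign_package "$1" "$2"
fi
```

Call `check_signed_tarball` on its own in a release job to refuse to publish any tarball that lacks the signature entry, whichever way it was produced.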