Use the upm sign command in the Unity Package Manager command-line interface (UPM CLI) to sign a Git-based package in place.
The upm sign command writes a signed attestation file (.attestation.p7m) in the same folder as the package manifest file (package.json), without producing a tarball. If you want to create a signed tarball, refer to the UPM CLI pack instructions in Pack and sign a package with Unity Package Manager CLI.
You can run the upm sign command locally or as part of a continuous integration (CI) pipeline.
The only data that the upm sign command sends is the information required by the signing service so it can sign the package against the specified organization ID.
Important
Unity performs signature validation for signed source-format package folders only when consumed as an immutable Git package dependency, for example as a Git URL for a commit or tag.
In other contexts (such as local file or embedded package dependencies), Unity ignores the .attestation.p7m file and doesn’t validate the signature. If you sign a source-format package folder and distribute it through a method other than an immutable Git dependency, consumers don’t receive any signature protection.
For more information about Git dependencies, refer to Introduction to Git dependencies.
Before you use the upm sign command, make sure you completed all the installation prerequisites and installed the UPM CLI.
upm sign <package-directory> --organization-id <id>
The following table describes the parameters for the upm sign command:
| Parameter | Required | Description |
|---|---|---|
| <package-directory> | No | An absolute or relative path to the root folder of the Git-based package to sign. This is the folder that contains the package manifest file (package.json). Note: You can omit this parameter if you set the root of your package directory as the current working directory before running upm sign. |
| --organization-id <id> | Yes | The organization ID you copied from the Unity Cloud Dashboard. Refer to the prerequisites in Install Unity Package Manager CLI. |
Sign your package after you generate any built artifacts and before you commit the changes to your repository. The attestation generated by the upm sign command includes an integrity hash computed from all tracked files in the package folder. If any file changes after you sign, signature validation fails because the integrity check no longer matches the file contents.
The integrity computation excludes files you specified in your .gitignore file. This means you can safely have ignored build intermediates, IDE metadata, or other transient files in your working directory without affecting the signature. However, any tracked file that changes after you sign invalidates the attestation.
A typical workflow is:
.attestation.p7m file.
To sign a Git-based package for distribution as an immutable Git package dependency:
Open a Terminal window (macOS or Linux) or a PowerShell window (Windows).
(Optional) Go to the root directory of your custom package. This is the folder that contains your package’s package.json file. If you don’t navigate to this directory, specify its location as the <package-directory> parameter.
Run the upm sign command:
upm sign <package-directory> --organization-id <id>
Replace the placeholder values as described in the parameter table.
The upm sign command writes a .attestation.p7m file inside the root of the package folder (alongside package.json). It doesn’t produce a tarball. The source files themselves aren’t modified.
Note: The presence of an .attestation.p7m file doesn’t guarantee that Unity validates the package at consumption time. Validation runs only when the package is consumed as an immutable Git package dependency. Refer to the important note near the top of this page.
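The following script is an added example, not part of the Unity documentation or the UPM CLI, that wraps the procedure above for a CI pipeline. It enforces the ordering the page describes (build artifacts first, sign a clean tree, then stage the attestation for commit) by refusing to sign when git reports modified or untracked files, since any tracked file that changes after signing invalidates the attestation. The script assumes git and upm are on PATH; the environment variable name UPM_ORG_ID and the script file name are assumptions chosen for this example, not names used by Unity.

```shell
#!/bin/sh
# Added example (not from the Unity documentation): a CI wrapper around
# `upm sign` that signs only a clean tree and stages the attestation.
# Assumes git and upm on PATH and UPM_ORG_ID (name assumed for this
# example) set to the organization ID from the Unity Cloud Dashboard.
set -eu

ATTESTATION=".attestation.p7m"

# Returns 0 when <dir> looks like a package root (contains package.json).
is_package_root() {
    [ -f "$1/package.json" ]
}

# Returns 0 when an attestation file sits beside package.json in <dir>.
has_attestation() {
    is_package_root "$1" && [ -f "$1/$ATTESTATION" ]
}

# Returns 0 when git reports no modified tracked files and no untracked
# files under <dir>, ignoring the attestation itself (which we are about to
# write). Requiring a fully clean tree is deliberately conservative: the
# integrity hash covers tracked files, so anything still changing after
# signing would make validation fail on the consumer side.
tree_is_clean() {
    dir=$1
    # --porcelain prints one "XY path" line per changed file; drop the attestation line.
    dirty=$(git -C "$dir" status --porcelain -- . | grep -v "$ATTESTATION" || true)
    [ -z "$dirty" ]
}

# Sign <dir> with organization <org> and stage the attestation for commit.
# Fails before calling upm if the preconditions are not met.
sign_and_stage() {
    dir=$1
    org=$2
    is_package_root "$dir" || { echo "no package.json in $dir" >&2; return 1; }
    tree_is_clean "$dir"   || { echo "working tree dirty: generate artifacts and commit before signing" >&2; return 1; }
    upm sign "$dir" --organization-id "$org"
    has_attestation "$dir" || { echo "upm sign did not write $ATTESTATION in $dir" >&2; return 1; }
    git -C "$dir" add "$ATTESTATION"
    echo "signed $dir; commit $ATTESTATION together with the package"
}

# Usage:  UPM_ORG_ID=<id> ./sign-package.sh ./package
# Nothing runs when the script is sourced without arguments.
if [ -n "${UPM_ORG_ID:-}" ] && [ "$#" -ge 1 ]; then
    sign_and_stage "$1" "$UPM_ORG_ID"
fi
```

Run it from the CI job after the build step and before the commit that publishes the tag; the tag (or commit) is then what consumers reference as an immutable Git dependency, which is the only context in which Unity validates the attestation.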
The following command signs the package located in the package subfolder of the current working directory with the specified organization ID:
upm sign ./package --organization-id 1234567890123
This command produces an .attestation.p7m file in the package subfolder.