Use the upmSign command-line argument in the Unity Editor command-line interface (CLI) to sign a Git-based package in place. This prepares the package for distribution and ensures it’s compatible with Unity’s package signature ecosystem.
If you publish Git-based packages using continuous integration (CI), you can sign the folder using the Unity Editor CLI. For other methods, refer to Methods for signing packages.
Important
Unity performs signature validation for signed source-format package folders only when consumed as an immutable Git package dependency, for example as a Git URL for a commit or tag.
In other contexts (such as local file or embedded package dependencies), Unity ignores the .attestation.p7m file and doesn’t validate the signature. If you sign a source-format package folder and distribute it through a method other than an immutable Git dependency, consumers don’t receive any signature protection.
For more information about Git dependencies, refer to Introduction to Git dependencies.
Sign your package after you generate any built artifacts and before you commit the changes to your repository. The attestation generated by the upmSign command-line argument includes an integrity hash computed from all tracked files in the package folder. If any file changes after you sign, signature validation fails because the integrity check no longer matches the file contents.
The integrity computation excludes files you specified in your .gitignore file. This means you can safely have ignored build intermediates, IDE metadata, or other transient files in your working directory without affecting the signature. However, any tracked file that changes after you sign invalidates the attestation.
A typical workflow is:
.attestation.p7m file.
Follow these steps to gather your organization’s Organization ID and sign your Git-based package from the Editor CLI:
1. If the project that uses the Git-based package you want to sign is open, close the Unity Editor.
2. Go to the Unity Cloud Dashboard and select the organization you want to use for signing. For information about selecting or switching organizations, refer to Switch organization.
   Note: For large projects whose contributors span multiple organizations, be sure to select the wider organization (or company-wide organization). If that organization doesn’t exist yet, refer to Considerations for companies with multiple organizations.
3. Copy the Organization ID value. Refer to Identify the organization ID.
4. Open a terminal or command-line window.
5. Change directories to the location of your Unity Editor. For information about using Unity Hub to locate your Editor location, refer to Installs.
6. Input the following command, replacing the placeholder values represented by angled brackets:
Windows:
```
Unity.exe -batchmode -username <email_address> -password <your_password> -upmSign <path_to_package_folder> -cloudOrganization <your_organization_id>
```
macOS:
```
Unity.app/Contents/MacOS/Unity -batchmode -username <email_address> -password <your_password> \
  -upmSign <path_to_package_folder> -cloudOrganization <your_organization_id>
```
| Parameter to replace | Description |
|---|---|
| <email_address> | The email address you use to sign in to Unity products and services. |
| <your_password> | The password you use to sign in to Unity products and services. |
| <path_to_package_folder> | The fully qualified path to the Git-based package you want to sign. This is the folder that contains the package manifest file (package.json). Note: Don’t include package.json in this parameter value. |
| <your_organization_id> | The Organization ID you copied from the Unity Cloud Dashboard. |
The upmSign command-line argument writes a signed attestation file (.attestation.p7m) to the package folder. This file contains the cryptographic package signature.
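The signing step and its ordering constraint, wrapped for a CI job as an added example (not Unity's code): it validates the folder argument, takes credentials from environment variables instead of literals in the script, and refuses to commit if any file changed after signing. The UNITY_* variable names, the function names, the commit message and the choice to stage files before signing are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Unity's code. Assumed names: the UNITY_* variables
# (set them from CI secrets) and every function name below.

# The -upmSign value must be the folder holding package.json, not the file.
check_package_dir() {
  case "$1" in
    */package.json | package.json)
      echo "pass the package folder, not package.json" >&2; return 2 ;;
  esac
  [ -f "$1/package.json" ] || { echo "no package.json in $1" >&2; return 3; }
}

# Paths whose working-tree copy differs from what was staged (second status
# column set). Ignored files never appear; the new attestation is filtered out.
changed_since_staging() {
  git -C "$1" status --porcelain --untracked-files=all -- . |
    grep -E '^.[^ ] ' | grep -v -E ' (.*/)?\.attestation\.p7m$' || true
}

sign_package() {
  check_package_dir "$1" || return
  [ -n "${UNITY_BIN:-}" ] && [ -n "${UNITY_EMAIL:-}" ] &&
    [ -n "${UNITY_PASSWORD:-}" ] && [ -n "${UNITY_ORG_ID:-}" ] ||
    { echo "set UNITY_BIN, UNITY_EMAIL, UNITY_PASSWORD, UNITY_ORG_ID" >&2; return 4; }

  # Stage built artifacts first so the set of tracked files is fixed
  # before signing (assumption of this example).
  git -C "$1" add -A -- . || return 5

  "$UNITY_BIN" -batchmode -username "$UNITY_EMAIL" -password "$UNITY_PASSWORD" \
    -upmSign "$1" -cloudOrganization "$UNITY_ORG_ID" || return 6
  [ -s "$1/.attestation.p7m" ] || { echo "no attestation written" >&2; return 7; }

  # A tracked file that changed after signing would fail validation for consumers.
  if [ -n "$(changed_since_staging "$1")" ]; then
    echo "files changed after staging; re-run signing:" >&2
    changed_since_staging "$1" >&2
    return 8
  fi
  git -C "$1" add -- .attestation.p7m &&
    git -C "$1" commit -m "Sign package" -- .
}

if [ "$#" -gt 0 ]; then sign_package "$1"; fi
```

Run it with the package folder as the only argument; a non-zero exit code identifies which check stopped the job before anything was committed.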
Refer to Share your package for information about distributing the signed folder file to others.