Code signing is the process of creating a code signature for an application. This signature guarantees the integrity of applications and safeguards from any tampering. Apple devices use an application’s code signature to detect changes made after the developer created the code signature. If an application doesn’t have a code signature, the device warns the user before they open it.
Note: You must code sign your application to notarize it with the Xcode command-line or Unity Build Automation.
Unity adds a code signature to every macOS build it produces, known as a Signing Identity. To notarize an application, Apple requires the code signature to include a cryptographic signature, such as a Developer ID certificate, that identifies the developer.
To create a new Developer ID certificate, use the following steps:
.cer.To notarize your application, Apple needs to identify it using an application identifier. There are two ways to get an application identifier: in Unity, or in the application’s information property list file.
When you have your application identifier, you can register it with Apple. To do this, use the following steps:
Entitlements are permissions or restrictions your code signature includes that control the actions your application can take.
To set entitlements for your application, use the following steps:
.entitlements file extension. For example, if you name your application MyProject, create a file called MyProject.entitlements.<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>
これらのエンタイトルメントは、macOS アプリケーションが Hardened Runtime を使用するための必要最低限のエンタイトルメントです。アプリケーションにこれ以上のエンタイトルメントが必要な場合は、このリストに追加してください。
To code sign your application you need to use the command line. On your machine, open Terminal and navigate to the directory that the application is in.
To ensure that you have the necessary read permissions to process code signing, run the following command where "application_name.app" is the name of your application:
chmod -R a+xr "application_name.app"
アプリケーションにコード署名するには、以下のコマンドを実行してください。
"application_name.app" は、ビルドしたアプリケーションです。"application_name.entitlements" is the name of the entitlements file."Developer ID Application : XXX (YYY)" は、署名 ID です。codesign
--deep
--force
--verify
--verbose
--timestamp
--options runtime
--entitlements "application_name.entitlements"
--sign "Developer ID Application : XXX (YYY)" "application_name.app"
This command works through the application bundle folder, signs all files, adds a secure timestamp, and embeds the entitlements you’ve set into the signature.
Using the --deep option might cause issues with your code signature. This is because:
このオプションは、署名対象の全てのコードに、同じコード署名オプションとエンタイトルメントを適用するため。
このオプションは、その見つけたコードファイルにのみ署名するため。システムがデータを見つけることを想定している場所にコードファイルがある場合、--deep は、そうしたコードファイルには署名しません。
--deep オプションについての詳細と、それに関連する問題の解決方法については、Sign Your Code (コードに署名する) を参照してください。