Code signing is the process of creating a code signature for an application. This signature guarantees the integrity of the application and safeguards against tampering. Apple devices use an application’s code signature to detect changes made after the developer created the signature. If an application doesn’t have a code signature, the device warns the user before they open it.
Note: You must code sign your application to notarize it with the Xcode command-line or Unity Build Automation.
Unity adds a code signature to every macOS build it produces, known as a Signing Identity. To notarize an application, Apple requires the code signature to include a cryptographic signature, such as a Developer ID certificate, that identifies the developer.
To create a new Developer ID certificate, use the following steps:
To notarize your application, Apple needs to identify it using an application identifier. There are two ways to get an application identifier: in Unity, or in the application’s information property list file.
When you have your application identifier, you can register it with Apple. To do this, use the following steps:
Entitlements are permissions or restrictions your code signature includes that control the actions your application can take.
To set entitlements for your application, use the following steps:
.entitlements file extension. For example, if you name your application MyProject, create a file called MyProject.entitlements.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>
These entitlements are the minimum a macOS application needs in order to have a Hardened Runtime. If your application needs more entitlements, add them to this list.
To code sign your application you need to use the command line. On your machine, open Terminal and navigate to the directory that the application is in.
To ensure that you have the necessary read permissions to process code signing, run the following command where "application_name.app" is the name of your application:
chmod -R a+xr "application_name.app"
To code sign your application, run the following command, where:
"application_name.app" is the built application.
"application_name.entitlements" is the name of the entitlements file.
"Developer ID Application : XXX (YYY)" is the signing identity.

codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "application_name.entitlements" --sign "Developer ID Application : XXX (YYY)" "application_name.app"
This command works through the application bundle folder, signs all files, adds a secure timestamp, and embeds the entitlements you’ve set into the signature.
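The whole procedure above (entitlements file, permissions fix, signing, and a post-signing check that the hardened runtime flag and entitlements actually landed in the signature) as one POSIX shell script. This is an added example, not Unity's own tooling; the identity string is a placeholder and the extra entitlement keys passed to write_entitlements are whatever your build needs beyond the two minimum ones.

```shell
#!/bin/sh
# Added example (not Unity's script): build the minimal Hardened Runtime
# entitlements, sign with the flags from this page, then verify the result.
set -eu

# write_entitlements NAME [extra.entitlement.key ...]
# Writes NAME.entitlements with the two minimum keys from this page plus any
# extra boolean keys given as arguments. Prints the path of the file written.
write_entitlements() {
    name="$1"; shift
    out="$name.entitlements"
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in com.apple.security.cs.disable-library-validation \
                   com.apple.security.cs.disable-executable-page-protection "$@"; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        printf '%s\n' '</dict>' '</plist>'
    } > "$out"
    printf '%s\n' "$out"
}

# sign_app APP ENTITLEMENTS IDENTITY : the chmod and codesign steps above.
sign_app() {
    chmod -R a+xr "$1"
    codesign --deep --force --verify --verbose --timestamp --options runtime \
        --entitlements "$2" --sign "$3" "$1"
}

# verify_app APP : fails unless the signature is valid under strict checking
# and carries the hardened runtime flag; then prints the embedded entitlements
# so you can confirm they match the file you signed with.
verify_app() {
    codesign --verify --deep --strict --verbose=2 "$1"
    codesign -dvv "$1" 2>&1 | grep -q 'flags=.*(runtime)' \
        || { echo "hardened runtime flag missing on $1" >&2; return 1; }
    codesign -d --entitlements :- "$1"
}

# Usage on macOS (placeholder identity):
#   ents=$(write_entitlements MyProject)
#   sign_app MyProject.app "$ents" "Developer ID Application: XXX (YYY)"
#   verify_app MyProject.app
```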
Using the --deep option might cause issues with your code signature. This is because:
It applies the same code signing options and entitlements to every piece of code it signs.
It signs only the code files it finds. If code files are located where the system expects to find data rather than code, --deep does not sign them.
For more information about the --deep option and how to resolve issues with it, refer to Sign your code.