
Signing Mac App on OS X Mavericks

Discussion in 'Editor & General Support' started by greenrhyno, Oct 24, 2013.

  1. greenrhyno

    greenrhyno

    Joined:
    May 11, 2009
    Posts:
    26
    Just a tip to anyone that's developing an app for the Mac App Store on the new OS X Mavericks.

    Previously you had to sign your app by running the following two commands from a terminal:

    • codesign -f -s "CertificateName" --entitlements NameOfEntitlements.entitlements "Name Of App.app"
    • codesign -f -s "CertificateName" --entitlements NameOfEntitlements.entitlements "Name Of App.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib"

    This won't work on Mavericks though (at least not for me).

    The answer is to run the commands like this (notice the "--deep" flag added when you sign the app):

    • codesign -f -s "CertificateName" --entitlements NameOfEntitlements.entitlements "Name Of App.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib"
    • codesign -f -s "CertificateName" --entitlements NameOfEntitlements.entitlements "Name Of App.app" --deep

    Someone might be able to explain why this change needs to be made, but that's not me. I just felt like it might be useful information to someone else out there so I felt like sharing.
     
    Shahdee likes this.
  2. Steven-Walker

    Steven-Walker

    Joined:
    Oct 27, 2010
    Posts:
    38
    Thanks for the info!
     
  3. MythicalCity

    MythicalCity

    Joined:
    Feb 10, 2011
    Posts:
    420
    This codesigning is a nightmare...

    I have previously released Unity games on the Mac App Store and never had any of these signing issues. Now I cannot start the app either if it is signed with the Mac App Store cert, and it has been rejected because it crashes on start for "Code Signature Invalid". If I try to start the game it immediately crashes (but it works fine if I sign with dev certificate and turn off Mac App Store validation in player settings).

    I have tried @greenrhyno's trick with adding --deep and still nothing. I have tried individually signing every item in the Contents/Frameworks and Contents/Plugins folder in the app and then signing with both the --deep command and without.

    I am running Mavericks, and have tried both the old Xcode 4.6.3 and Xcode 5 codesign tools. I am using Unity 4.3.2.

    How do you know if the app has been properly signed before submitting? I've tried "spctl --verbose=4 --assess --type execute game.app" but it always gives the result "rejected".
     
  4. MythicalCity

    MythicalCity

    Joined:
    Feb 10, 2011
    Posts:
    420
    Ok so I finally got everything signed and approved for the Mac App Store. Things have changed since the last time I've added a game to the Mac App Store, so I'll summarize my steps here for anyone else that has any trouble with this.

    Firstly, this article is a good starting point: http://www.conlanrios.com/2013/12/signing-unity-game-for-mac-app-store.html

    NOTE: I was never able to run my game once I signed it with a distribution certificate or if I signed it with development certificate but turned on Mac App Store Validation (in Unity player settings). It always crashed out with a Game-Center entitlement error. The only way I could get it to run was with a development certificate and Mac App Store Validation turned OFF.

    NOTE 2: I was using Mavericks OSX 10.9.1 and Xcode 5 and Unity 4.3.2

    With a development certificate and the Mac App Store validation turned off, I was able to test IAPs using a test iTunesConnect account. This never used to work before. I am using the awesome UniBill IAP plugin.

    To do the signing and entitlements I am using the Unity Entitlements Tool from Jemast: http://jemast.com/unity/unity-entitlements-tool/

    Currently this tool didn't work for me in terms of signing as it didn't sign any of the bundles in the Contents/Plugins folder, it only signed the ones in the Contents/Frameworks folder. So I only really used it to do the entitlements, icon and config screen banner. I turned off the Packaging functionality as well as I would have to sign things again myself before packaging. I am using v1.13 of this tool, it might be updated in the future to work without my extra steps though (but if that happens I'm sure Apple will change something a week later and break it...)

    1. Setup the Unity Entitlements Tool (UET) with the Mac App Store provisioning profile and cert in the Code Sign Application section, add custom icon and banner images, set Bundle identifier.
    2. Enable Entitlements. Add your application identifier (appID + bundle id, for example 1234567890.com.myCompany.myGame), add info for iCloud and/or game-center, push.
    3. Enable App Sandboxing. Check the items your app is using (ie: networking, usb, etc..)
    4. Don't enable packaging.
    5. Press Update Build Pipeline
    5. In Unity player settings, turn on Mac App Store Validation
    6. Make sure your Product Name in Unity player settings matches the app name in iTunes Connect exactly (it will be rejected otherwise).
    7. Build the game (don't select Build Run, just regular Build), make sure to once again have the filename match the app name exactly

    Here things get interesting (or insane), so I'll go into more detail about signing. Wherever I list myGame.app, replace that part with your built app and its path (easiest way to do this is to just drag it into the Terminal window from Finder, that will automatically put in the full path and filename). Some people, like in the above article, say that you need to use the Xcode 4.6.3 codesign tool instead of the one that comes with Xcode 5. I did that but I'm not sure if it made any difference because just doing that didn't fix anything when I was having trouble (details on how to do this are link).

    8. In Finder right click on the built app and select Show Package Contents, open the Contents folder. You should have a Frameworks and a Plugins subfolder. Everything in those 2 folders needs to be signed and then the entire app needs to be signed again after that. For me everything in the Frameworks folder was already signed with the UET but nothing in the Plugins folder was.

    9. Open Terminal and run this command to check whether the stuff inside Frameworks folder is signed:
    codesign --verify --verbose=4 myGame.app
    If the stuff inside frameworks is signed you will see "validated: ..." and the name of the framework.

    10. Anything that is not verified in the Frameworks folder and everything else in the Plugins folder needs to be signed using this command in Terminal (myCompany is your company name as it is listed on the certificate, pluginName is the full path and filename of the plugin inside the Contents/Plugins folder)
    codesign -f -s "3rd Party Mac Developer Application: myCompany" /path/to/pluginName

    11. Once you sign all of these (some plugins/frameworks might have other packages inside them, so to double check right click on each one and if you get an option to Show Package Contents, select it to see if there are any nested bundles. I had this with the Cruncher plugin) then sign the full myGame.app file with this terminal command (entitlements file was created by the UET and inside my game project /Assets/Editor folder):
    codesign -f -s "3rd Party Mac Developer Application: myCompany" --entitlements /path/to/entitlements.entitlements /path/to/myGame.app

    12. Verify the .app with the same command as in step 9. If anything is not signed or any errors show up here you'll have to tend to those. I had a problem where I could not sign libmono.a more than once, at which point I had to just rebuild from Unity and redo everything from step 8.

    13. Package the game with productbuild with this terminal command:
    productbuild --component /path/to/myGame.app /Applications --sign "3rd Party Mac Developer Installer: myCompany" myGame.pkg

    14. Test the installer with this terminal command, it will install the game into your Applications folder, but at least for me I couldn't actually run the installed game to test if it worked. Also, you will have to delete (or zip up) your myGame.app file before doing this as the installer will overwrite that instead of installing fresh into the Applications folder if it finds that on your system.
    sudo installer -store -pkg /path/to/myGame.pkg -target /

    15. Upload to the Mac App Store with Application Loader. If any codesign related warnings show up after the upload that might mean the app will be rejected (it was for me) because one of the components was not codesigned properly. So I would reject the binary from iTunes Connect, codesign that component, codesign the whole thing again and reupload using the Application Loader.


    Other Notes about Mac App Store Submissions:
    - Make sure your filename, product name and app name in iTunes Connect match exactly to avoid rejection.
    - To make a proper Mac icon file, follow these instructions.
    - Make sure to turn off Player Log in the player settings in Unity to avoid rejection.
     
    amonitzer likes this.
  5. Hamdullahshah

    Hamdullahshah

    Joined:
    Sep 24, 2012
    Posts:
    12
  6. JakeT

    JakeT

    Joined:
    Nov 14, 2010
    Posts:
    34
    JJ - this was a huge help, thank you! I was going through the Unity Manual steps. Got hung up a bit with signing certificates and provisioning profiles, but then ultimately got stuck with all the code signing shenanigans. I did have a couple of plugins and frameworks that needed to be signed separately so that was what was screwing things up. The Unity Entitlements Tool from Jemast was very helpful and I followed your steps. The only error I got while codesigning was: "ReceiptVerifierBundle.bundle: unsealed contents present in the bundle root" - I opened up the bundle and removed all of the .meta files that were added by Unity’s source control management, and then the codesign worked. App submitted!

    Thanks again!
    Jake
     
    SweatyChair likes this.
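
Added example, not part of any post in this thread: the inside-out signing order from MythicalCity's steps 8 to 12, combined with the .meta check from JakeT's reply, as one shell script. The identity, the entitlements path and the file-name patterns treated as nested code are assumptions to adjust for your own build.

```sh
#!/bin/sh
# Added example: sign a Unity .app inside-out, then verify it.
# IDENTITY and ENTITLEMENTS are placeholders; set them for your own build.
IDENTITY="${IDENTITY:-3rd Party Mac Developer Application: myCompany}"
ENTITLEMENTS="${ENTITLEMENTS:-/path/to/entitlements.entitlements}"

# Unity .meta files left in the app make codesign fail with
# "unsealed contents present in the bundle root"; list them.
stray_meta() {
  find "$1" -name '*.meta' -print
}

# List nested code under Contents/Frameworks and Contents/Plugins.
# find -depth prints a directory's contents before the directory itself,
# so a bundle nested inside a plugin comes out before the plugin.
# Assumption: nested code is named *.dylib, *.bundle or *.framework.
nested_code() {
  for dir in "$1/Contents/Frameworks" "$1/Contents/Plugins"; do
    [ -d "$dir" ] || continue
    find "$dir" -depth \
      \( -name '*.dylib' -o -name '*.bundle' -o -name '*.framework' \) -print
  done
}

# Refuse to sign while .meta files remain; otherwise sign every nested
# item, then the app with its entitlements, then run the thread's check.
sign_app() {
  if [ -n "$(stray_meta "$1")" ]; then
    echo "remove these .meta files before signing:" >&2
    stray_meta "$1" >&2
    return 1
  fi
  nested_code "$1" | while IFS= read -r item; do
    codesign -f -s "$IDENTITY" "$item" || exit 1
  done || return 1
  codesign -f -s "$IDENTITY" --entitlements "$ENTITLEMENTS" "$1" || return 1
  codesign --verify --verbose=4 "$1"
}

# Usage: sh sign_unity_app.sh "/path/to/myGame.app"
if [ "$#" -ge 1 ]; then
  sign_app "$1"
fi
```

The script stops at the first item that fails to sign, so the error names the component that still needs attention.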
  7. MythicalCity

    MythicalCity

    Joined:
    Feb 10, 2011
    Posts:
    420
    Glad it helped Jake. It's crazy that it's still so hard to codesign a Mac app even though it's been over a year since I wrote that.
     
  8. yoDon

    yoDon

    Joined:
    Aug 29, 2008
    Posts:
    44
    Is your script sample still available? That link seems to be dead
     
  9. SweatyChair

    SweatyChair

    Joined:
    Feb 15, 2016
    Posts:
    140
    It's 2019 and I have the same problem of "unsealed contents", spent a whole day googling around and the solution is simply to remove the meta files.... geez Unity.....