Digitally Signing A Unity Mac Build

These days, if you want people to be able to run your game on a Mac, you’ve got to digitally sign the thing, or else most users will see the dreaded Gatekeeper dialog that claims the game is damaged and should be moved to the trash. All it means to digitally sign your game is that you’re using Apple tools to embed your Developer ID in it so that Gatekeeper will trust the thing. My buddy Rusty has a really straightforward post about how to do this and how to test it to make sure it works. Read his post first.

Ok, you’re back from reading it? Maybe you noticed he’s not talking about signing a Unity game, so I’m gonna fill in those details.

In place of Rusty’s Step 3, you’ll be building for Mac from Unity, but first you’ll want to run the Unity Entitlements Tool on your project. For distribution outside of the Mac App Store you only need to fill out the Code Sign section; you don’t need Entitlements or Sandboxing. One annoying requirement for the tool is that you need to provide an icns file. On Cosmic DJ I fished UnityPlayer.icns out of the version of the app that I’d built before setting up the tool, though there are ways to create your own icns file. Here’s what the Unity Entitlements Tool looks like for Cosmic DJ:

For distribution outside of the Mac App Store you need to make sure you use Developer ID Application as the signing entity. When you hit the Update Build Pipeline button it will generate an entitlements file in your project and either create a PostprocessBuildPlayer script or append some code to the existing one. What this script does is explicitly sign all of the Unity framework DLLs and all of your Plugins.

When the build completes you still need to sign the .app itself, as in Rusty’s post. It will ask if you want to overwrite the existing signature and you should say yes. You can verify that it worked properly like this:

And it should say:

And then follow the “quarantine” steps: upload to a server or Google Drive or something, download to your computer, attempt to run.
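One way to script the verification and quarantine checks described above, as an added example that is not from the original post or from Rusty's. The app path, the function names and the sample `spctl` output are constructed for illustration; `verify_app` only works on macOS.

```shell
#!/bin/sh
# Added example: post-signing checks for a Developer ID signed .app.

# Return 0 only if spctl-style assessment text shows that Gatekeeper
# accepted the bundle AND the trust source is a Developer ID.
gatekeeper_accepts() {
    out="$1"
    printf '%s\n' "$out" | grep -Eq ': accepted$' || return 1
    printf '%s\n' "$out" | grep -Eq '^source=.*Developer ID' || return 1
    return 0
}

# Run the real checks against an app bundle (macOS only).
verify_app() {
    app="$1"
    # Every nested framework and plugin must carry a valid signature,
    # not just the outer .app.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # Ask Gatekeeper's policy engine; capture both output streams.
    verdict="$(spctl --assess --type execute -vv "$app" 2>&1)"
    printf '%s\n' "$verdict"
    gatekeeper_accepts "$verdict" || return 1
    # A downloaded copy carries the quarantine attribute. Without it,
    # launching the app does not exercise Gatekeeper at all.
    xattr -p com.apple.quarantine "$app" >/dev/null 2>&1 \
        || echo "note: no quarantine attribute; test a downloaded copy"
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_OK='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Dev (TEAMID0000)'

SAMPLE_BAD='/Applications/Example.app: rejected
source=no usable signature'

# Usage on a Mac: sh verify.sh "/path/to/YourGame.app"
if [ "$#" -ge 1 ]; then
    verify_app "$1"
fi
```

A bundle that passes `codesign --verify` can still be rejected by `spctl`, so treat the Gatekeeper verdict on a downloaded copy as the final check.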