Friday, June 14, 2019

Unity Games Using CloudKit on MacOS (Part 1)

We are in the process of developing several games for various Apple products, and we're using CloudKit to keep game saves in sync across the various platforms (iOS, tvOS, macOS).  There's a lot of good documentation out there for iOS and tvOS, and Unity provides good tools for exporting the projects to Xcode and letting you build things in Apple's environment with all of their tools readily available.

This is not the case with macOS.

Unity still uses a precompiled binary executable (even with IL2CPP builds) and does not generate an Xcode project that will handle all of your codesigning and entitlement needs.  All of that has to happen manually.  (There do seem to be plans to change this.)  Our task is doubly complicated because the game needs to be released not only on the Mac App Store, but also as a standalone product and still have access to CloudKit features.

Part 1 of this process will detail getting signing identities, App IDs, provisioning profiles, etc. set up, as well as the process of getting your game built and signed correctly to run in a development environment.  Part 2 will (eventually) detail changes you need to make to make the game viable to upload to the App Store and distribute generally.  (Edit: Link to part 2)

First off, a huge debt of gratitude to the folks who put together the Unity Apple Distribution Workflow document.  This guide is thorough and well-referenced.  Things with Apple keep changing, so the blog post you're reading now is accurate for the summer of 2019, but may become less so as Apple changes things in the future.

Also thank you to eppz! Appcrafting for their amazing work digging into the bits and pieces of Unity so they could point us at the tools we needed to finally solve CloudKit access.


We are working on a development version for the moment, so you only need a development certificate.  You do specifically need a Mac Development certificate.  You can either create one yourself on or have Xcode do it for you.

App ID

Our goal is to have iCloud support (through CloudKit) across all platforms: iOS, tvOS, and macOS.  You can only create App IDs that target either iOS/tvOS or macOS.  With iOS/tvOS being the flagship platforms, it probably makes more sense to create your primary App ID for them and have a secondary one for macOS.  But the secondary one will need to have a different name.

Both App IDs will need to have the iCloud/CloudKit capability set.  Again, you can do all the primary work on the iOS/tvOS App ID.  If you're also doing your Unity game on those platforms, make a build there, have it generate the Xcode project, and use Xcode to turn on the iCloud capability and set up CloudKit.  It'll handle creating your default container (which will be named for the iOS/tvOS App ID).

For the macOS App ID, you enable iCloud/CloudKit, but then for the container, point it at the existing container you made for iOS/tvOS.  This way you can share data across platforms.

Register Test Devices

You still need to register your Mac as a test device through Apple.  Xcode can do this for you if you make a temporary project and set your development team.  If you want to do it manually, your Mac's UDID is in Apple -> About This Mac -> System Report -> Hardware (first item selected) -> Hardware UDID.

Edit: This is slightly different as of Big Sur.  See here.

Provisioning Profiles

You will need to make provisioning profiles that combine your signing certificate, App ID, and test devices.  For development, if you're using the Xcode-created signing certificate, you will need to make a temporary Xcode project, make a build, and then extract the provisioning profile from the build.  If you're using certificates you created on, you can similarly create provisioning profiles there and download them.

Since we're doing a development build, create your provisioning profile with your development certificate, then make sure to set your Mac as one of the allowed devices before generating and downloading it.  Also make sure you've taken care of all the CloudKit setup before you generate the provisioning profile.


You need to create an entitlements file for use when signing your game.  The easiest way to do this is to create a temporary Xcode project, give it your credentials, and enable iCloud/CloudKit on it.  Make sure the iCloud container identifier is pointed at the correct one as described in the App ID setup previously.  Here's a sample:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
        <string>your container identifier</string>
    <string>your team identifier.your game app ID</string>
    <string>your team identifier</string>


Sign into iCloud on your test Mac.  Make sure you have iCloud Drive enabled, or CloudKit will not work.

Unity Build

Make your Unity build as normal.  This post won't get into integrating CloudKit into your game (we've used Prime31's iCloud Plugin); we'll assume that is taken care of.

You will need to do this work on a Mac.  You can make Unity builds on Windows, but you will not be able to perform the codesigning steps there.

The build process will generate an application bundle (<your game name>.app) which is really a folder that contains all the important files.

  1. Delete all the .meta files in your plugins.  The Unity Apple Distribution Workflow details this out.  Codesigning will fail if you don't do this, because there are files in unexpected places (from Apple's perspective).  Plugins are located in <your game name>.app/Contents/Plugins.
  2. Modify your Info.plist file (<your game name>.app/Contents/Info.plist) per the Unity Apple Distribution Workflow.  For the purposes of making a development build, you just need to add the key "ITSAppUsesNonExemptEncryption" set to false.  We found that for us (unlike the Unity Apple Distribution Workflow recommendation), we did not need to modify each plugin's Info.plist.
  3. Copy over the correct provisioning profile to <your game name>app/Contents/embedded.provisionprofile.
  4. Modify the Unity executable to link the CloudKit framework.
    1. Following from the eppz! blog, you need to use the third party tool optool.
    2. Run the command optool install -c load -p "/System/Library/Frameworks/CloudKit.framework/Versions/A/CloudKit" -t "<your game name>.app/Contents/MacOS/<your game name>"
    3. This will modify the Unity binary to load the CloudKit framework at startup.  We found that without this - even though the CloudKit framework is linked in the Prime31 plugin - actual calls to CloudKit will fail with the error "connection to service names was invalidated".
  5. Change file permissions for your game bundle: chmod -R a+xr "<your game name>.app"
  6. Codesign your build.  Follow the steps laid out in the Unity Apple Distribution Workflow, but with some modifications that have worked for us for making a development build.
    1. Sign all the .dylib libraries in <your game name>.app/Contents/Frameworks manually.  Do not include entitlements in the signing command.
      1. codesign --force --verify --sign "<your development signing id>" --preserve-metadata=identifier,entitlements,flags "<your game name>.app/Contents/Frameworks/<library name>.dylib
      2. Do this for all the libraries in Frameworks, both in the root folder and in sub-folders
    2. Sign all the plugins in your game.  Do not include entitlements in the signing command.
      1. codesign --force --verify --sign "<your development signing id>" --preserve-metadata=identifier,entitlements,flags "<your game name>.app/Contents/Plugins/<plugin name>.bundle"
    3. Sign the final game application bundle.  Despite what the Unity Apple Distribution Workflow says, we've discovered that you have to include entitlements even in the development signing.  Also, because we signed everything individually, do not include the "--deep" flag, because it will mess with the existing codesigns we've done.
      1. codesign --force --verify --sign "<your development signing id>" --entitlements "<path to your entitlements files>" "<your game name>.app"
At this point your game should be signed and ready to test in development mode on the Mac you registered.

Note that the game will run in sandbox mode.  This means all of its files will be written to ~/Library/Containers/<your app ID>/Data/Library/.  Where the Unity documentation says the log file writes to ~/Library/Logs/Unity/Player.log, the sandboxed version is in ~/Library/Containers/<your app ID>/Data/Library/Logs/Unity/Player.log.  Also of note, even though the game is sandboxed, it will use the iCloud credentials that the current machine is using.

No comments:

Post a Comment