Unity Games Using CloudKit on MacOS (Part 2)

In the previous post, we discussed signing a development Unity build so it can access iCloud through CloudKit.  This time we're going to talk about signing for uploading to the App Store.  Note that this is current as of this posting, if you run into any major problems let us know.  You can find an address via the Work for Hire/Contacts page.

As before, a huge thank you to all the folks involved in putting together the Unity Apple Distribution Workflow.  It's been an invaluable resource.

You will need to have your project and App ID set up for CloudKit as described in the previous post.

Certificates

This time, you will need to create a distribution certificate for signing.  Specifically, you need a Mac App Distribution certificate.  This will need to be created at developer.apple.com.

You should also create an installer certificate.  Specifically, you need a Mac Installer Distribution certificate.  This is separate and does not involve a provisioning profile.  It is only used for creating an installer package after you've created and codesigned your build.

Provisioning Profile

As in part 1, you'll need to create a provisioning profile with this new distribution certificate and the correct App ID.  No test devices are needed.  Unlike development certificates, this provisioning profile can only be tied to one signing certificate, so make sure that certificate is installed on any machine you need to make a build from.

Entitlements

Entitlements are almost identical to the development version.  The only difference is that you need to point CloudKit at the production database.  When the key is not specified, it defaults to the development database.  The key is "com.apple.developer.icloud-container-environment" and the value is "Production" (make sure it is capitalized).  Once again, here is a sample entitlements file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.icloud-container-environment</key>
    <string>Production</string>    
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.developer.aps-environment</key>
    <string>development</string>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>your container identifier</string>
    </array>
    <key>com.apple.developer.icloud-services</key>
    <array>
        <string>CloudKit</string>
    </array>
    <key>com.apple.application-identifier</key>
    <string>your team identifier.your game app ID</string>
    <key>com.apple.developer.team-identifier</key>
    <string>your team identifier</string>
</dict>
</plist>

Unity Build

Make sure to check Mac App Store validation in your Unity PlayerSettings before starting the build.  Verify your bundle identifier matches your App ID from your provisioning profile.

Make your Unity build with these settings.  The build process will generate an application bundle (<your game name>.app) which is really a folder that contains all the important files.

As before, you'll need to do the codesigning work on the Mac.

1. Remove all the obviously non-App Store plugins that may have been included from other Unity Standalone versions of your game.  Apple's upload process detects some of these and will reject your build.  All plugins are located in <your game name>.app/Contents/Plugins/.  Ones we've found that cause issues include:
1. Unity's Burst plugin - lib_burst_generated.bundle (a binary file included by default in Unity 2019 when you're using the Jobs system) (also lib_burst_generated.txt)
2. Various Steam plugins (also delete x86 and x86_64 folders than contain Linux shared libraries that sometimes get included accidentally, and sometimes there's a libsteam_api.dylib file included)
3. The GOG Galaxy plugin
2. Delete all the .meta files in your plugins.  The Unity Apple Distribution Workflow details this out.  Codesigning will fail if you don't do this, because there are files in unexpected places (from Apple's perspective).
3. Modify your Info.plist file (<your game name>.app/Contents/Info.plist) per the Unity Apple Distribution Workflow.  You need to add the key "ITSAppUsesNonExemptEncryption" set to false.
4. Unlike in the development signing process, for App Store uploads you do need to follow the Unity Apple Distribution Workflow's recommendation and change the bundle identifier for all the plugins.  For each *.bundle folder in Contents/Plugins/, find the Info.plist file (e.g. <your game name>.app/Contents/Plugins/<some plugin>.bundle/Contents/Info.plist).  Change the value of CFBundleIdentifier to the game's bundle identifier (as specified in Unity's PlayerSettings).
1. We occasionally got errors writing to the plugin Info.plist file, so we also make sure to modify its permissions ahead of time so it is definitely writable: chmod 777 "<your game name>.app/Contents/Plugins/<some plugin>.bundle/Contents/Info.plist"
5. Copy over the correct provisioning profile to <your game name>.app/Contents/embedded.provisionprofile.
6. Modify the Unity executable to link the CloudKit framework.
1. You need to use the third party tool optool.
2. Run the command optool install -c load -p "/System/Library/Frameworks/CloudKit.framework/Versions/A/CloudKit" -t "<your game name>.app/Contents/MacOS/<your game name>"
3. This will modify the Unity binary to load the CloudKit framework at startup.  We found that without this - even though the CloudKit framework is linked in the Prime31 plugin - actual calls to CloudKit will fail with the error "connection to service names com.apple.cloudd was invalidated".
7. Change file permissions for your game bundle: chmod -R a+xr "<your game name>.app"
8. Codesign your build.  Follow the steps laid out in the Unity Apple Distribution Workflow.
1. Sign all the .dylib libraries in <your game name>.app/Contents/Frameworks manually.  Do not include entitlements in the signing command.
1. codesign --force --verify --sign "<your distribution signing id>" --preserve-metadata=identifier,entitlements,flags "<your game name>.app/Contents/Frameworks/<library name>.dylib
2. Do this for all the libraries in Frameworks, both in the root folder and in sub-folders
2. Some versions of Unity (particularly Unity 2019) will include additional .dylib libraries in the MacOS executable folder.  These also need to be manually signed like the ones in the Frameworks folder.  (Don't sign the actually binary executable, that comes later.)
1. codesign --force --verify --sign "<your distribution signing id>" --preserve-metadata=identifier,entitlements,flags "<your game name>.app/Contents/MacOS/<library name>.dylib"
3. Sign all the plugins in your game.  Do not include entitlements in the signing command.
1. codesign --force --verify --sign "<your distribution signing id>" --preserve-metadata=identifier,entitlements,flags "<your game name>.app/Contents/Plugins/<plugin name>.bundle"
4. Sign the final game application bundle following the Unity Apple Distribution Workflow.  We need to include the entitlements file listed earlier and this time sign with the "--deep" option, even though we did sign things individually.
1. codesign --force --deep --verify --sign "<your distribution signing id>" --entitlements "<path to your entitlements file>" "<your game name>.app"

You can also generate a package installer.  You'll need to do this on a machine with the installer certificate that you created earlier.  Once the build is created and signed, run the following:

productbuild --component "<your game name>.app" "/Applications" --sign "<your installer signing id>" "<your game name>.pkg"

At this point, your game should be ready to upload to the App Store.  Because of the signing, you cannot run it to actually test things.

Also be aware of Apple's new notarization process, though we're not covering it here.