Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
How to notarize a Unity build for MacOs 10.15 Catalina

How to notarize a Unity build for macOs 10.15 Catalina

As of January 2020, all apps running on macOs 10.15 Catalina are required to be notarized. For Unity games distributed outside the Mac App Store, such as with Steam, the notarization process is done post build using a series of Xcode command line tools.


  • a Mac that is compatible with macOs 10.15 Catalina :
    • MacBook (2015 or newer)
    • MacBook Air (2012 or newer)
    • MacBook Pro (2012 or newer)
    • Mac mini (2012 or newer)
    • iMac (2012 or newer)
    • iMac Pro (from 2017)
    • Mac Pro (2013 or newer)
  • macOs 10.15 Catalina installed
  • Xcode 11.0 installed
  • Apple developer account at
  • Apple Id account at

Developer ID Application certificate

This certificate will be used for code signing the build. If you don't already have one, you can create one in the account section of the Apple developer website

In the "Create a New Certificate" section, select to add a "Developer ID Application" certificate. After clicking continue, you should see further instructions about how you'll first need to create and upload a "Certificate Signing Request" using the Keychain Access app

After you've uploaded the Certificate Signing Request file, you should then be able to download the Developer Id Application certificate. Once downloaded, clicking on the file should add it to Keychain Access where you'll see it under the certificates section. It will be called something like "Developer ID Applicate : YourCompanyName (0123456789)"

Generated Password

To upload a build to Apple servers you'll need to use a "generated password". To create one, go to and then in the "Security" section click on "Generated Password..."

The password you generate will look similar to the format abcd-efgh-ijkl-mnop

Unity Build & Player Settings

  • In the Build Settings, target platform should be set to Mac OS
  • In Player Settings, use default settings and set a unique Bundle Identifier

Entitlements file

This is an xml file used to give executable permissions to the app when code signing. In particular, all apps need to have "Hardened Runtime" entitlements. Here are the minimum entitlements needed for a Unity build :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

Save this file as "YourGame.entitlements". Additional entitlements can be found at


The following steps use the Terminal command line and assume your build and entitlements file are in the same directory.

Change all file permissions in the app

For the code signing to work in a later step, we need to change permissions for files within the app directory.

chmod -R a+xr ""

Code sign the app

Next, in the command line, we need to use the codesign tool on the permission changed files by using your Developer ID Application certificate (literally the name of the certificate in double quotes).

codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "YourGame.entitlements" --sign "Developer ID Application : YourCompanyName (0123456789)" ""

If successful, you should see a message similar to: signed app bundle with Mach-O thin (x86_64) [com.YourCompany.YourGame]

Create a zip

Once the code is signed, we need to compress the application into a zip file for uploading. You can do this in the command line.

ditto -c -k --sequesterRsrc --keepParent "" ""

Upload the zip to Apple's notarization service

Now that we have the compressed zip file, we'll want to upload it to the Apple servers for notarization using the xcrun altool in the command line. In order to do this, you'll need your Apple ID username (usually an email address), your Apple ID generated password (the one with the format abcd-efgh-ijkl-mnop) and your Apple Developer "Provider Short Name". Often the "Provider Short Name" is your Team ID (ten digit alphanumeric id), you can find in the membership section of your Apple developer account

However, if your "Provider Short Name" is not the same as your Team ID, you can find it by running the following command:

xcrun iTMSTransporter -m provider -u YourAppleIDUsername -p abcd-efgh-ijkl-mnop

Also, you'll need your game's bundle id that you defined in Unity Player Settings. Usually the format for that is similar to com.YourCompany.YourGame

To upload the build to the notarization service, run the command:

xcrun altool --notarize-app --username YourAppleIDUsername --password abcd-efgh-ijkl-mnop --asc-provider ProviderShortName --primary-bundle-id com.YourCompany.YourGame --file

If the upload was successful, you should see a message with a RequestUUID similar to:

No errors uploading ''.
RequestUUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

From there, you will need to wait for the notarization service to process the upload. This can take anywhere from 1 minute to an hour or sometimes longer if the service is overloaded. When it's completed you'll get an email with the subject "Your Mac software was successfully notarized". Alternatively, you can ping the service for the current status of the upload using that RequestUUID by running the following command.

xcrun altool --notarization-info xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --username YourAppleIDUsername --password abcd-efgh-ijkl-mnop --asc-provider YourAppleDeveloperTeamID

Staple the app

After notarization is completed, Apple creates a ticket that you need to "staple" to the app. To do that, we'll use the xcrun stapler tool.

xcrun stapler staple ""

If successful you should see the following message:

The staple and validate action worked!

Check notarization

After everything is completed we can use the spctl tool to check if the app is recognized as having the proper notarization.

spctl -a -v

If successful, you should see a message similar to: accepted
source=Notarized Developer ID

Now, whether or not the notarization was successful, if you try and open the app on your local machine, everything will appear to work fine. A good way to double check everything is actually working is to upload the notarized build to somewhere on the web (eg Google Drive), download it, and then see if the app opens properly. If working correctly, then all you should see is a small warning that you downloaded it from the web and then it should open normally.

Copy link

MonkeyGland commented Jul 2, 2020

@GiovanniFrigo D'oh - I can't believe I missed that. Thank you mate - much appreciated.

Copy link

JaroslavHolan commented Jul 15, 2020

Hi @dpid
How to fix unsealed contents present in the bundle root?

We have the same problem. Many comments advise us to delete .meta files. But we do not have any .meta file in our bundle .app.
Can anyone advise?

Copy link

EddieCameron commented Jul 18, 2020

I made a shell script based on this guide to automate some of the process

Copy link

sweatyc commented Sep 29, 2020

Same here, zip -r didn't work and gave “The signature of the binary is invalid.” errors.

Using ditto -c -k --sequesterRsrc --keepParent <App>.app <App>.zip fixed the problem! @dpid please fix this.

Copy link

dpid commented Sep 29, 2020

Updated the gist to show the ditto command. Thank you for the tip, @sweatyc @hallgrimgames

Copy link

PavelMo4alov commented Oct 30, 2020

Very good article! I signed a lot of builds )))) But today I noticed that my app not request microphone permission after staple =( What I need to add in entitlements file? Help me please! Thank you!

I find answer:

Copy link

AlexanderHJohnstone commented Jan 24, 2021

Thanks for the awesome guide. I'm now getting the following message on the notarization command:

altool[18217:1491434] CFURLRequestSetHTTPCookieStorageAcceptPolicy_block_invoke: no longer implemented and should not be called

It seems to still upload and notarize ok, but wondering if this should be fixed or if it's just a quirk on my end.

Copy link

widVE commented Feb 3, 2021

Thank you so much for this guide. I've worked through all of the steps with success, however once I upload a zip of the final stapled, successfully notarized application, and then re-download it, unzip, and try to run, I get a plain "The file can't be found" error message. Using MacOS Catalina 15.7, Unity 2020.2.1f1. Note - I only codesigned the main app file, nothing within (but didn't receive any errors) - any chance this may be the culprit?

Copy link

Jiaquarium commented Feb 17, 2021

Thank you so much for this. I made a simple Makefile script based on this to automate the process here.

Just replace all the variables in the Makefile with your own (or use env variables) and assumes your build folder is set up like in the repo. Hope this saves some people some time.

Copy link

dean-ivre commented Feb 19, 2021

Im getting this error unsealed contents present in the bundle root @dpid @JaroslavHolan

Copy link

jasonzhetan commented Mar 15, 2021

Thank you for the amazing guide! I signed and notarized the app with no problem. However, when I try to tuck a signed app into a .pkg, then try to notarize it, it returns as failed with "The signature of the binary is invalid" for the executable in Contents/MacOS. Some Googling has indicated either a problem with nesting or extended attributes. Does anyone here have any experience or ideas with solving this issue?

Copy link

aDu commented Apr 10, 2021

Thanks for this, you are doing God's work. <3

Extremely concise and to the point, was very quick to execute and understand the instructions. 5/5. I owe you a beer mate.

Copy link

drew-512 commented Apr 14, 2021


Copy link

Bakelord commented Apr 29, 2021

Massive thanks for what is arguably the greatest achievement on the internet - a thorough guide the beat the nonsense of Apple's Notorization.

Copy link

wysiwyggins commented May 19, 2021

Everything goes as described, but the resulting app gives a "You do not have permission to open the application “(app name)”, Contact your computer or network administrator for assistance". error when you launch it

Copy link

StefanOber commented May 31, 2021

Thank you so much! Very detailed and understandable. You saved me a lot of time.

Copy link

MashupGamingDKK commented Jun 17, 2021

Everything goes as described, but the resulting app gives a "You do not have permission to open the application “(app name)”, Contact your computer or network administrator for assistance". error when you launch it

Same thing happened to me, I found out it is something caused by codesign with a bad entitlements, I am still not sure what is the correct entitlements but I found this little asset made by someone else.

edited: the password refers to the generated password, not your apple id password, should be something like aaaa-bbbb-cccc-dddd
It worked for me.

Some other related material should be on this

The writer for this article also replied something on the above forum.

Hope it can help you even after so long time.

Copy link

Can0nC commented Oct 25, 2021

Hi everyone, I was able to go through the process and successfully notarize the app. But unfortunately, for some reason, it broke the app, which lead to the error DllNotFoundException: Unable to load DLL 'agoraSdkCWrapper': The specified module could not be found. (The app was able to run without any error before notarization).

Any help or suggestions? Thank you!

Copy link

Cjericho4 commented Nov 28, 2021

I made a Makefile based on other comments made here that uses the codesign command given by @ThunderboxEntertainment as that was the only one that would work for the app that we made, I also found that if you only run the first command that he gives you can notarize without signing the application itself. You can find the Makefile here:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment