Following on from #95 I'm opening this issue to report more problems signing a Unity-generated macOS app.
This testcase uses a script that's very similar to the one for the previous issue, but the app hasn't been altered and is the complete untouched output from Unity, including the Contents/_CodeSignature directory that it generates. As GitHub imposes a per-file 25MB limit on uploads I've had to split it into two. The second tarball contains just the large UnityPlayer.dylib file with everything else in the first tarball:
I'm using rcodesign 0.24.0 on macOS and here are some details about the certificate I'm using:
$ /usr/bin/openssl pkcs12 -in CJ8VWSTTKT.p12 -nodes -password pass:password | /usr/bin/openssl x509 -text | head -11
MAC verified OK
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:e4:7a:61:df:39:5d:98:1f:1d:bc:d5:01:62:71:94
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G3, O=Apple Inc., C=US
        Validity
            Not Before: Sep 20 21:15:40 2023 GMT
            Not After : Sep 19 21:15:39 2024 GMT
        Subject: UID=34PR2WG2R8, CN=Apple Development: Mark Sheppard (CJ8VWSTTKT), OU=TJXK3JV9VB, O=Turbine, Inc., C=US
And this is the output I get from running ./sign in the test directory:
Signing with codesign
---------------------
TrivialProject.app/Contents/Frameworks/UnityPlayer.dylib: replacing existing signature
TrivialProject.app/Contents/Frameworks/UnityPlayer.dylib: signed Mach-O universal (x86_64 arm64) [UnityPlayer]
TrivialProject.app/Contents/Frameworks/libMonoPosixHelper.dylib: replacing existing signature
TrivialProject.app/Contents/Frameworks/libMonoPosixHelper.dylib: signed Mach-O universal (x86_64 arm64) [libMonoPosixHelper]
TrivialProject.app/Contents/Frameworks/libmono-native.dylib: replacing existing signature
TrivialProject.app/Contents/Frameworks/libmono-native.dylib: signed Mach-O universal (x86_64 arm64) [libmono-native]
TrivialProject.app/Contents/Frameworks/libmonobdwgc-2.0.dylib: replacing existing signature
TrivialProject.app/Contents/Frameworks/libmonobdwgc-2.0.dylib: signed Mach-O universal (x86_64 arm64) [libmonobdwgc-2]
TrivialProject.app: replacing existing signature
TrivialProject.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.DefaultCompany.TrivialProject]
Signing with rcodesign
----------------------
registering signing key
automatically registered Apple CA certificate: Apple Worldwide Developer Relations Certification Authority
automatically registered Apple CA certificate: Apple Root CA
using time-stamp protocol server http://timestamp.apple.com/ts01
automatically setting team ID from signing certificate: TJXK3JV9VB
signing TrivialProject.app in place
signing bundle at TrivialProject.app
signing bundle at TrivialProject.app into TrivialProject.app
signing Mach-O file Contents/Frameworks/UnityPlayer.dylib
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing Mach-O file Contents/Frameworks/libMonoPosixHelper.dylib
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing Mach-O file Contents/Frameworks/libmono-native.dylib
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing Mach-O file Contents/Frameworks/libmonobdwgc-2.0.dylib
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing main executable Contents/MacOS/TrivialProject
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling
creating cryptographic signature with certificate Apple Development: Mark Sheppard (CJ8VWSTTKT)
Diffing signatures
------------------
-rw-r--r-- 1 mark.sheppard staff 168555 Nov 10 19:19 diff
Checking codesign
-----------------
--prepared:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libMonoPosixHelper.dylib
--validated:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libMonoPosixHelper.dylib
--prepared:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libmono-native.dylib
--validated:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libmono-native.dylib
--prepared:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libmonobdwgc-2.0.dylib
--validated:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/libmonobdwgc-2.0.dylib
--prepared:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/UnityPlayer.dylib
--validated:/Users/mark.sheppard/test/codesign/TrivialProject.app/Contents/Frameworks/UnityPlayer.dylib
codesign/TrivialProject.app: valid on disk
codesign/TrivialProject.app: satisfies its Designated Requirement
Checking rcodesign
------------------
rcodesign/TrivialProject.app: nested code is modified or invalid
file modified: /Users/mark.sheppard/test/rcodesign/TrivialProject.app/Contents/Frameworks/libmono-native.dylib
file modified: /Users/mark.sheppard/test/rcodesign/TrivialProject.app/Contents/Frameworks/libMonoPosixHelper.dylib
file modified: /Users/mark.sheppard/test/rcodesign/TrivialProject.app/Contents/Frameworks/libmonobdwgc-2.0.dylib
file modified: /Users/mark.sheppard/test/rcodesign/TrivialProject.app/Contents/Frameworks/UnityPlayer.dylib
Hmmm. That "signing without an Apple signed certificate but signing settings contain a team name; signature varies from Apple's tooling" error should not be occurring. That feels like a regression in 0.24.0.
I haven't yet looked at the files to see if there is more going on. But the lack of a team ID will likely cause problems.
The underlying issue is that the binary identifier embedded in the universal Mach-O binaries + code requirements expressions is not consistent. This is very similar to the other issue you reported. I should have a fix in the next day or two and hopefully in a release as well.
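Added example, not part of the original thread and not rcodesign's own code: a small diagnostic that reads the CodeDirectory identifier out of every architecture slice of a Mach-O file, so the identifiers embedded in a universal binary can be compared after signing. It only covers the CodeDirectory identifier, not the code requirements expression; the function names are illustrative, and it assumes 32-bit fat headers and little-endian slices (x86_64, arm64).

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # universal header, big-endian on disk
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_CODEDIRECTORY = 0xFADE0CC0, 0xFADE0C02

def slices(data):
    """Yield (cputype, bytes) for each architecture in a thin or fat file."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        (count,) = struct.unpack_from(">I", data, 4)
        for i in range(count):
            cpu, _, off, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            yield cpu, data[off:off + size]
    else:
        yield struct.unpack_from("<I", data, 4)[0], data

def parse_superblob(blob):
    """Return the identifier of every CodeDirectory (primary and alternates)."""
    magic, _, count = struct.unpack_from(">3I", blob)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("unexpected signature magic")
    found = []
    for i in range(count):
        _slot, off = struct.unpack_from(">2I", blob, 12 + 8 * i)
        if struct.unpack_from(">I", blob, off)[0] == CSMAGIC_CODEDIRECTORY:
            # identOffset is the sixth 32-bit field of the CodeDirectory header
            (ident_off,) = struct.unpack_from(">I", blob, off + 20)
            start = off + ident_off
            found.append(blob[start:blob.index(b"\0", start)].decode())
    return found

def identifiers(macho):
    """Locate LC_CODE_SIGNATURE in one slice and parse its signature blob."""
    magic, _, _, _, ncmds = struct.unpack_from("<5I", macho)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O slice")
    pos = 32 if magic == MH_MAGIC_64 else 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, pos)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", macho, pos + 8)
            return parse_superblob(macho[dataoff:dataoff + datasize])
        pos += cmdsize
    return []  # unsigned slice

def check_identifiers(data):
    """Map cputype -> identifiers and report whether all of them agree."""
    per_arch = {cpu: identifiers(m) for cpu, m in slices(data)}
    distinct = {i for ids in per_arch.values() for i in ids}
    return per_arch, len(distinct) <= 1
```

Run `check_identifiers(open(path, "rb").read())` on each file under Contents/Frameworks and on the main executable, for both the codesign and rcodesign copies, and compare the results.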