Code-signing and notarization for Mac

Hi everyone! Have any of you packaged Unreal projects for Mac distribution, either through or outside of the App Store? I have what I think is going to be a problem with a very simple solution, but I’ve reached the limits of my knowledge with this sort of thing. I’m an exhibit/experiential designer trying to build interactive 3D environments with Unreal Engine. Besides being more technically literate than most designers, I don’t have very much development knowledge at all. Blueprints really make a lot possible that I would have never otherwise attempted!

My main development machine runs Windows, and that’s gone off without a hitch.

For the Mac build, I’ve packaged my .app through UE and it’s running great. The part that I can’t seem to wrap my head around is code-signing and notarizing. I believe I’ve gone through the process correctly but I still get the Gatekeeper dialog box rejecting my app as from an “unidentified developer” when I run it on a different Mac or download it onto my development Mac and try to run it.

I’m using a “Developer ID Application” certificate installed to Keychain, and ran codesign with that certificate as shown below on every single binary and .dylib file in the package:

codesign -f -v -s "Developer ID Application: My Name (IDCODE)" --entitlements "/entitlements.xml" --options runtime --all-architectures --timestamp "each-individual-file"

I have then compressed the app into a DMG image and uploaded it for notarization like so:

xcrun altool --notarize-app --primary-bundle-id "com.thebundleID" --file "thearchive.dmg" --username "myappleid" --password "password"

After many attempts I did eventually get this to return with a success. I then ran

xcrun stapler staple "thearchive.dmg"

as well as tried to extract the app from the dmg and ran

xcrun stapler staple ""

and despite

spctl -vvv --assess --type exec ""

coming up “accepted” with a “Notarized Developer ID” matching my own, when I transfer the app to another computer it won’t open easily, with the same “unidentified developer” message as if I hadn’t signed the code at all.

I made a similar post in Apple’s Developer forums and someone commented that proper notarization doesn’t necessarily lead to Gatekeeper acceptance. In the console, I see XProtectService taking note of a couple of .dylib files for PhysX3—which are properly signed—but I just don’t know enough to make that information useful.

Has anyone here gone through this process and found a way to make it work? Have I missed something? I’m happy to share a download link for you to try launching as well.
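
An added example, not part of the original posts: Apple's guidance is to sign nested code first and the enclosing .app bundle last, so that the bundle's signature seals the libraries already signed inside it. The sketch below orders the files that way, reuses the codesign flags from the post, and then runs verification checks; the identity and entitlements path are placeholders, the function names are hypothetical, and with the default DRY_RUN=1 it only prints the commands.

```shell
#!/usr/bin/env bash
# Added example: sign a packaged .app inside-out, then verify it.
# IDENTITY and ENTITLEMENTS are placeholders (assumptions), not real project values.
IDENTITY="${IDENTITY:-Developer ID Application: My Name (IDCODE)}"
ENTITLEMENTS="${ENTITLEMENTS:-entitlements.xml}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them (macOS)

# Print each command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# List what to sign: .dylib files and executables, deepest path first,
# then the .app bundle itself as the last line.
# Assumes no nested .framework/.app bundles and no newlines in file names.
sign_order() {
  app="${1%/}"
  find "$app" -type f \( -name '*.dylib' -o -perm -100 \) -print \
    | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
  printf '%s\n' "$app"
}

# Sign every item in that order with the flags used in the post.
sign_all() {
  sign_order "$1" | while IFS= read -r item; do
    run codesign -f -v -s "$IDENTITY" --entitlements "$ENTITLEMENTS" \
      --options runtime --timestamp "$item" || exit 1
  done
}

# Checks to repeat on the copy that was downloaded or transferred.
verify() {
  run codesign --verify --deep --strict --verbose=2 "$1" || return 1  # seal and nested code
  run xcrun stapler validate "$1" || return 1                         # ticket is attached
  run spctl -vvv --assess --type exec "$1"                            # Gatekeeper assessment
}

# Usage: DRY_RUN=0 ./sign.sh /path/to/Packaged.app
if [ "$#" -gt 0 ]; then
  sign_all "$1" && verify "$1"
fi
```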

I have had the same trouble for months. I am ready/need to try again - any luck or additional tips? I have had the same success message from spctl, but the app will not open, with the ‘unidentified’ problem.

I wrote a Medium article explaining the whole process step by step. Take a look, it might help you.