How to create the proper .pkg file for deployment to the MacStore

CraveTheGrave · July 31, 2019, 4:29pm

Actually it looks like I ended up fixing that using [FONT=courier new]ditto --arch x86_64 to strip the 32-bit code from the .app. However we’re still hitting a rejection from the App Loader with the extremely vague "ERROR ITMS-90135: “The executable could not be re-signed for submission to the App Store. The app may have been built or signed with non-compliant or pre-release tools.”

Has anyone had any luck with uploading apps that use restricted entitlements (e.g. iCloud)?

[EDIT] see below for a solution

CraveTheGrave · August 11, 2019, 12:29am

My team hit a less-typical situation with packaging for Mac where we wanted to include some macOS-specific features like iCloud and GameCenter that require a few extra steps in this process.

For features like iCloud communication, Mac apps need special entitlements linked to an application’s provisioning profile. To upload these apps to the Mac app store, you’ll have to not only sign the app with extra entitlements in the style of the first post in this thread, but also embed the distribution provisioning profile so the operating system knows it can trust those entitlements. I’m writing this up in case someone else finds themselves in a similar situation.

Here’s what worked for us.

**1) **Package the app as Shipping/Distribution for Mac from Unreal (we used version 4.22) as usual.

NOTE: make sure you uncheck “Include Debug Files” in your project settings. If you package an app with a debug .dSYM file in it, Application Loader will fail with the cryptic ERROR ITMS-90135: "The executable could not be re-signed for submission to the App Store. The app may have been built or signed with non-compliant or pre-release tools.” and you’ll lose an entire weekend figuring out what the heck is going wrong

2) Edit the plist of the exported app. You can either open it up via the terminal at [FONT=courier new]MyGame.app/Content/Info.plist or navigate there via finder (Show Package Contents) and double-click it to open it in xcode.

You’ll want to set the Application Type, version strings, and possibly the bundle id to match the identifier you’re uploading to.

3) Remove the file [FONT=courier new]MyGame.app/Contents/Resources/RadioEffectUnit.component and the directory [FONT=courier new]MyGame.app/Contents/UE4/Engine/Build. As mentioned earlier, the RadioEffectUnit stuff can cause problems with packaging. As far as I can tell it’s safe to kill it, but if you actually need these files for your game I’m not sure what you should do

4) As of 2018, the Mac App Store will not accept applications with 32-bit code. Your exported Unreal 4.XX game should be good to go, but a few of the third party libraries in your package include 32-bit and 64-bit code. We have to remove it. In our case we did that with:


lipo MyGame.app/Contents/UE4/Engine/Binaries/ThirdParty/Ogg/Mac/libogg.dylib -remove i386 -output MyGame.app/Contents/UE4/Engine/Binaries/ThirdParty/Ogg/Mac/libogg.dylib


lipo MyGame.app/Contents/UE4/Engine/Binaries/ThirdParty/Vorbis/Mac/libvorbis.dylib -remove i386 -output MyGame.app/Contents/UE4/Engine/Binaries/ThirdParty/Vorbis/Mac/libvorbis.dylib

Though it’s possible your exported package might have other libraries that need stripping.

5) Now add in your Mac App Store Distribution provisioning profile. You may have to create this in the developer portal and download it. Rename it “embedded.provisionprofile” and move it to [FONT=courier new]MyGame.app/Contents/embedded.provisionprofile

**6) **Now prep your entitlements xml for signing. This will vary based on what entitlements you need. Create and fill in a temporary “mygame.entitlements” file (you can name this whatever you want; it isn’t going in your application). Ours looked something like:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.icloud-container-environment</key>
    <string>Production</string>
    <key>com.apple.developer.icloud-services</key>
    <array>
        <string>CloudKit</string>
    </array>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>iCloud.com.mycompany.mygame</string>
    </array>
    <key>com.apple.developer.game-center</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

7) It’s signing time. You’ll have to sign the game binary, all dynamic libraries, and finally the .app itself. We did this with:


codesign -f -v -s "3rd Party Mac Developer Application:" --entitlements mygame.entitlements MyGame.app/Contents/MacOS/MyGame

This command signs all .dylibs in the file. I’m not sure you need entitlements here.


find MyGame.app/Contents/ | grep .dylib | xargs codesign -f -v -s "3rd Party Mac Developer Application:" --entitlements mygame.entitlements

Then sign the whole app:


codesign -f -v -s "3rd Party Mac Developer Application:" --entitlements mygame.entitlements MyGame.app/

**8) **Finally, build the .pkg:


productbuild --component MyGame.app/ /Applications --sign "3rd Party Mac Developer Installer:" MyGame.pkg

And upload with the Application Loader. If you have any issues with your icon settings or other plist information, those warnings will appear here. Redo all of step 7 if you make any changes to your MyGame.app folder.

Feel free to reach out if you hit any issues trying this. Caveat emptor, we just got this working today and haven’t verified that the uploaded package works once installed by users.

ColdSteel48 · August 11, 2019, 5:04pm

Thank you for sharing!

maybe a stupid question, but it seems like we dont have to sign the pak file ?

CraveTheGrave · August 11, 2019, 6:57pm

I’m not an expert by any means, but It looks like you don’t have to sign the pak since it isn’t executable. App Connect didn’t complain that ours was unsigned, and when signing local development builds it definitely wasn’t necessary in order to make our entitlements work properly. That said, I think if you did sign it the pkg will probably still be valid?

ColdSteel48 · August 11, 2019, 7:15pm

Thank you again for sharing this priceless info!

ColdSteel48 · April 8, 2020, 9:45pm

I wonder how you were able to publish on MAS,
I just discovered that UE4 won’t run on case-sensitive file system.
And that after going through hell with notarization and code signing - did Apple just accepted your submission with this limitation ?
That seems very very weird to me ?
Or did you patched something inside the engine source so it works with case-sensitive environment ?

ColdSteel48 · April 9, 2020, 7:53pm

So, making this to RUN (I mean the game and not the engine itself) on case sensitive system was quite easy:
I had to delete the error and rename 2 strings inside the engine.

I am going again through codesign and notarization process right now - and if it will success I will post a detailed update on how to compile the engine and what new flags we have to add to the codesign parameters.

BladeMaster · August 31, 2020, 8:44pm

When I try to deliver my app to the Mac store, it gives these 2 errors regarding UnrealCEFSubProcess:


ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a
Boolean value of true in the entitlements property list: (
"com.*****.********.pkg/Payload/***********.app/Contents/UE4/Engine/Binaries/Mac/UnrealCEFSubProcess.app/Contents/MacOS/UnrealCEFSubProcess" )]
Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app."

ERROR ITMS-90511: "CFBundleIdentifier Collision. The Info.plist CFBundleIdentifier value 'com.epicgames.UnrealCEFSubProcess' of
'**********.app/Contents/UE4/Engine/Binaries/Mac/UnrealCEFSubProcess.app' is already in use by another application."
**2:11 AM*]*

Has anyone experienced the same? What should I do to get rid of these?