Hello! I’m working with UnrealPak and signing/encrypting settings for our project to accomplish the following:
Within our build pipeline, we want to provide 2 versions of the packaged game
1 build with a certain set of features ENABLED & pak file encryption + signing ENABLED
1 build with a certain set of features DISABLED & pak file encryption + signing DISABLED
The custom set of features can be enabled/disabled using .ini config settings and the pak file encryption + signing enabling/disabling is understood to be controlled via bEncryptPakIniFiles and bEnablePakSigning in the Crypto.ini file like DefaultCrypto.ini.
What I’ve figured out so far using a packaged game:
I’ve figured out how to enable/disable our custom set of features using UnrealPak to modify the .pak files with options like -sign and -encrypt as needed to match DefaultCrypto.ini
However, is there a way to modify the encryption/signing settings from a packaged version of the game? I’m thinking I could possibly modify the DefaultCrypto.ini file in my project and leverage BuildCookRun with options like -skipbuild -skipcook -stage -pak to generate the packaged game from the saved built/cooked content.
Would the above idea of modifying DefaultCrypto.ini + BuildCookRun with the above options generate a playable version of the game with the proper crypto settings? And am I understanding this correctly in that the usage of -skipbuild and -skipcook indicates that the staging of the package is depending on the saved built/cooked content?
Is there a way to achieve a similar result in a situation where I only have the packaged game output and not any of the saved build + cook outputs? Not sure if UnrealPak can do this or other built in tools? Or is this not feasible as part of applying the proper encryption/signing settings is outside of the -stage process in BuildCookRun.
The question boils down to whether or not it’s possible to change the encryption/signing settings (specifically bEncryptPakIniFiles and bEnablePakSigning in DefaultCrypto.ini) from a packaged game. Hopefully this question is clear enough but I am happy to clarify or provide more details as needed!
Could you elaborate on what you mean by modifying the settings from a packaged game?
Do you want to modify an existing build without having the project available?
Would just creating a second build with a modified config file be an option?
> 1. Would the above idea of modifying DefaultCrypto.ini + BuildCookRun with the above options generate a playable version of the game with the proper crypto settings? And am I understanding this correctly in that the usage of -skipbuild and -skipcook indicates that the staging of the package is depending on the saved built/cooked content?
Yes, skipping those options will assume there is an up-to-date build and cooked data available to use.
However, the signing and encryption keys are embedded into the compiled game (see UE_REGISTER_ENCRYPTION_KEY in ModuleManager.h and its definition in TargetRules.cs).
This means that changing or enabling/disabling the encryption or signing settings will require a rebuild of the game’s executable.
At least some of the signing/encryption checks are hardcoded to be enabled if an encryption/signing key is embedded into the executable, so these checks can’t be disabled through a config option in the packaged game.
> 2. Is there a way to achieve a similar result in a situation where I only have the packaged game output and not any of the saved build + cook outputs? Not sure if UnrealPak can do this or other built in tools? Or is this not feasible as part of applying the proper encryption/signing settings is outside of the -stage process in BuildCookRun.
Based on the fact that at least for signing/encryption you would need to build a new executable, I don’t think this is possible out of the box. You could modify the engine code to disable signing/encryption based on the config files inside your pak file, but this would potentially open up a way to circumvent your signing checks. Not verifying a signature is definitely possible, for encrypted pak files you’d always need the correct key to access them, so you’ll also need to recreate the pak files / iostore containers when you want to disable encryption.
> could you elaborate on what you mean by modifying the settings from a packaged game?
So with the custom feature I mention for example, I have a bEnabled boolean setting in my CustomSettings.ini. I found that I can use UnrealPak to set this to be false/true from an existing build, and when I run the game, the new setting is reflected in the game. So I was thinking that there would maybe be a way to achieve something similar with encryption/signing settings in DefaultCrypto.ini, where I can modify an existing build without having the project available (just as you figured in the 2nd question). And creating a second build is a totally viable option, the target of this question was to see if there was any way to shorten the process to reflect any encryption/signing .ini changes without re-building.
But with your answers to my first 2 questions, I think it seems reasonable that, at least out of the box, re-building after making changes in DefaultCrypto.ini is necessary. And thank you for the details around the UE_REGISTER_ENCRYPTION_KEY (and also found UE_REGISTER_SIGNING_KEY). This helps clarify why I was seeing the results I was seeing on my end.
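An added example, not code from the thread or from Epic's tooling: a build-pipeline guard that follows the answer above by allowing `-skipbuild` for a re-stage only when the crypto section matches what the existing executable was built with. The section name, the `EncryptionKey` field, the `build_record` and `stage_flags` helpers and the sample .ini contents are assumptions constructed for illustration.

```python
import hashlib

# Assumed section name for DefaultCrypto.ini; the thread names only the two booleans.
CRYPTO_SECTION = "/Script/CryptoKeys.CryptoKeysSettings"

# Constructed sample configs for the two build variants (EncryptionKey is an assumed field).
SIGNED_INI = """[/Script/CryptoKeys.CryptoKeysSettings]
EncryptionKey=CONSTRUCTED-PLACEHOLDER-KEY
bEncryptPakIniFiles=True
bEnablePakSigning=True
"""
UNSIGNED_INI = """[/Script/CryptoKeys.CryptoKeysSettings]
bEncryptPakIniFiles=False
bEnablePakSigning=False
"""

def parse_section(ini_text, section=CRYPTO_SECTION):
    """Return {key: value} for one section of an Unreal-style .ini file."""
    settings, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def build_record(ini_text):
    """Per-setting digests to store beside a build, so the record holds no key material."""
    return {k: hashlib.sha256(v.encode("utf-8")).hexdigest()
            for k, v in parse_section(ini_text).items()}

def stage_flags(record, wanted_ini):
    """BuildCookRun flags for a re-stage, plus the names of changed crypto settings."""
    wanted = build_record(wanted_ini)
    changed = sorted(k for k in record.keys() | wanted.keys()
                     if record.get(k) != wanted.get(k))
    if not changed:
        return ["-skipbuild", "-skipcook", "-stage", "-pak"], changed
    # Keys are compiled into the executable, so the existing binary cannot be reused.
    # -skipcook is kept as in the question; the thread does not say a re-cook is needed.
    return ["-build", "-skipcook", "-stage", "-pak"], changed
```

The returned list of changed setting names can go into the pipeline log without exposing key values, since the record stores only digests.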