exporting_for_macos.rst 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247
  1. .. _doc_exporting_for_macos:
  2. Exporting for macOS
  3. ===================
  4. .. seealso::
  5. This page describes how to export a Godot project to macOS.
  6. If you're looking to compile editor or export template binaries from source instead,
  7. read :ref:`doc_compiling_for_macos`.
  8. macOS apps are exported as an ``.app`` bundle, a folder with a specific structure which stores the executable, libraries and all the project files.
  9. This bundle can be exported as is, packed in a ZIP archive or DMG disk image (only supported when exporting from a computer running macOS).
  10. Requirements
  11. ------------
  12. - Download the Godot export templates. Use the Godot menu: ``Editor > Manage Export Templates``.
  13. - A valid and unique ``Bundle identifier`` should be set in the ``Application`` section of the export options.
  14. .. warning::
  15. Projects exported without code signing and notarization will be blocked by Gatekeeper if they are downloaded from unknown sources, see the :ref:`Running Godot apps on macOS <doc_running_on_macos>` page for more information.
  16. Code signing and notarization
  17. -----------------------------
  18. By default, macOS will run only applications that are signed and notarized. If you use any other signing configuration, see :ref:`Running Godot apps on macOS <doc_running_on_macos>` for workarounds.
  19. To notarize an app, you **must** have a valid `Apple Developer ID Certificate <https://developer.apple.com/>`__.
  20. If you have an Apple Developer ID Certificate and exporting from macOS
  21. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  22. Install `Xcode <https://developer.apple.com/xcode/>`__ command line tools and open Xcode at least once or run the ``sudo xcodebuild -license accept`` command to accept license agreement.
  23. To sign exported app
  24. ^^^^^^^^^^^^^^^^^^^^
  25. - Select ``Xcode codesign`` in the ``Code Signing > Codesign`` option.
  26. - Set valid Apple ID certificate identity (certificate "Common Name") in the ``Code Signing > Identity`` section.
  27. To notarize exported app
  28. ^^^^^^^^^^^^^^^^^^^^^^^^
  29. - Select ``Xcode altool`` in the ``Notarization > Notarization`` option.
  30. - Disable the ``Debugging`` entitlement.
  31. - Set valid Apple ID login / app. specific password or `App Store Connect <https://developer.apple.com/documentation/appstoreconnectapi>`__ API UUID / Key in the ``Notarization`` section.
  32. You can use the ``xcrun notarytool history`` command to check notarization status and use the ``xcrun notarytool log {ID}`` command to download the notarization log.
  33. If you encounter notarization issues, see `Resolving common notarization issues <https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues>`__ for more info.
  34. After notarization is completed, `staple the ticket <https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow>`__ to the exported project.
  35. If you have an Apple Developer ID Certificate and exporting from Linux or Windows
  36. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  37. Install `PyOxidizer rcodesign <https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign>`__, and configure the path to ``rcodesign`` in the ``Editor Settings > Export > macOS > rcodesign``.
  38. To sign exported app
  39. ^^^^^^^^^^^^^^^^^^^^
  40. - Select ``PyOxidizer rcodesign`` in the ``Code Signing > Codesign`` option.
  41. - Set valid Apple ID PKCS #12 certificate file and password in the ``Code Signing`` section.
  42. To notarize exported app
  43. ^^^^^^^^^^^^^^^^^^^^^^^^
  44. - Select ``PyOxidizer rcodesign`` in the ``Notarization > Notarization`` option.
  45. - Disable the ``Debugging`` entitlement.
  46. - Set valid `App Store Connect <https://developer.apple.com/documentation/appstoreconnectapi>`__ API UUID / Key in the ``Notarization`` section.
  47. You can use the ``rcodesign notary-log`` command to check notarization status.
  48. After notarization is completed, use the ``rcodesign staple`` command to staple the ticket to the exported project.
  49. If you do not have an Apple Developer ID Certificate
  50. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  51. - Select ``Built-in (ad-hoc only)`` in the ``Code Signing > Codesign`` option.
  52. - Select ``Disabled`` in the ``Notarization > Notarization`` option.
  53. In this case Godot will use a ad-hoc signature, which will make running an exported app easier for the end users, see the :ref:`Running Godot apps on macOS <doc_running_on_macos>` page for more information.
  54. Signing Options
  55. ~~~~~~~~~~~~~~~
  56. +------------------------------+---------------------------------------------------------------------------------------------------+
  57. | Option | Description |
  58. +==============================+===================================================================================================+
  59. | Codesign | Tool to use for code signing. |
  60. +------------------------------+---------------------------------------------------------------------------------------------------+
  61. | Identity | The "Full Name" or "Common Name" of the signing identity, store in the macOS keychain. [1]_ |
  62. +------------------------------+---------------------------------------------------------------------------------------------------+
  63. | Certificate File | The PKCS #12 certificate file. [2]_ |
  64. +------------------------------+---------------------------------------------------------------------------------------------------+
  65. | Certificate Password | Password for the certificate file. [2]_ |
  66. +------------------------------+---------------------------------------------------------------------------------------------------+
  67. | Custom Options | Array of command line arguments passed to the code signing tool. |
  68. +------------------------------+---------------------------------------------------------------------------------------------------+
  69. .. [1] This option is visible only when signing with Xcode codesign.
  70. .. [2] These options are visible only when signing with PyOxidizer rcodesign.
  71. Notarization Options
  72. ~~~~~~~~~~~~~~~~~~~~
  73. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  74. | Option | Description |
  75. +====================+===================================================================================================================================================================================+
  76. | Notarization | Tool to use for notarization. |
  77. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  78. | Apple ID Name | Apple ID account name (email address). [3]_ |
  79. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  80. | Apple ID Password | Apple ID app-specific password. See `Using app-specific passwords <https://support.apple.com/en-us/HT204397>`__ to enable two-factor authentication and create app password. [3]_ |
  81. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  82. | Apple Team ID | Team ID ("Organization Unit"), if your Apple ID belongs to multiple teams (optional). [3]_ |
  83. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  84. | API UUID | Apple `App Store Connect <https://developer.apple.com/documentation/appstoreconnectapi>`__ API issuer UUID. |
  85. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  86. | API Key | Apple `App Store Connect <https://developer.apple.com/documentation/appstoreconnectapi>`__ API key. |
  87. +--------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  88. .. note::
  89. You should set either Apple ID Name/Password or App Store Connect API UUID/Key.
  90. .. [3] These options are visible only when notarizing with Xcode altool.
  91. See `Notarizing macOS Software Before Distribution <https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution?language=objc>`__ for more info.
  92. Entitlements
  93. ------------
  94. Hardened Runtime Entitlements
  95. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  96. Hardened Runtime entitlements manage security options and resource access policy.
  97. See `Hardened Runtime <https://developer.apple.com/documentation/security/hardened_runtime?language=objc>`__ for more info.
  98. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  99. | Entitlement | Description |
  100. +=======================================+==================================================================================================================================================================================================+
  101. | Allow JIT Code Execution [4]_ | Allows creating writable and executable memory for JIT code. If you are using add-ons with dynamic or self-modifying native code, enable them according to the add-on documentation. |
  102. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  103. | Allow Unsigned Executable Memory [4]_ | Allows creating writable and executable memory without JIT restrictions. If you are using add-ons with dynamic or self-modifying native code, enable them according to the add-on documentation. |
  104. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  105. | Allow DYLD Environment Variables [4]_ | Allows app to uss dynamic linker environment variables to inject code. If you are using add-ons with dynamic or self-modifying native code, enable them according to the add-on documentation. |
  106. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  107. | Disable Library Validation | Allows app to load arbitrary libraries and frameworks. Enable it if you are using GDExtension add-ons or ad-hoc signing, or want to support user-provided external add-ons. |
  108. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  109. | Audio Input | Enable if you need to use the microphone or other audio input sources, if it's enabled you should also provide usage message in the `privacy/microphone_usage_description` option. |
  110. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  111. | Camera | Enable if you need to use the camera, if it's enabled you should also provide usage message in the `privacy/camera_usage_description` option. |
  112. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  113. | Location | Enable if you need to use location information from Location Services, if it's enabled you should also provide usage message in the `privacy/location_usage_description` option. |
  114. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  115. | Address Book | [5]_ Enable to allow access contacts in the user's address book, if it's enabled you should also provide usage message in the `privacy/address_book_usage_description` option. |
  116. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  117. | Calendars | [5]_ Enable to allow access to the user's calendar, if it's enabled you should also provide usage message in the `privacy/calendar_usage_description` option. |
  118. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  119. | Photo Library | [5]_ Enable to allow access to the user's Photos library, if it's enabled you should also provide usage message in the `privacy/photos_library_usage_description` option. |
  120. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  121. | Apple Events | [5]_ Enable to allow app to send Apple events to other apps. |
  122. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  123. | Debugging | [6]_ You can temporarily enable this entitlement to use native debugger (GDB, LLDB) with the exported app. This entitlement should be disabled for production export. |
  124. +---------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  125. .. [4] The ``Allow JIT Code Execution``, ``Allow Unsigned Executable Memory`` and ``Allow DYLD Environment Variables`` entitlements are always enabled for the Godot Mono exports, and are not visible in the export options.
  126. .. [5] These features aren't supported by Godot out of the box, enable them only if you are using add-ons which require them.
  127. .. [6] To notarize an app, you must disable the ``Debugging`` entitlement.
  128. App Sandbox Entitlement
  129. ~~~~~~~~~~~~~~~~~~~~~~~
  130. The App Sandbox restricts access to user data, networking and devices.
  131. Sandboxed apps can't access most of the file system, can't use custom file dialogs and execute binaries (using ``OS.execute`` and ``OS.create_process``) outside the ``.app`` bundle.
  132. See `App Sandbox <https://developer.apple.com/documentation/security/app_sandbox?language=objc>`__ for more info.
  133. .. note::
  134. To distribute an app through the App Store, you must enable the App Sandbox.
  135. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  136. | Entitlement | Description |
  137. +===================================+======================================================================================================================================+
  138. | Enabled | Enables App Sandbox. |
  139. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  140. | Network Server | Enable to allow app to listen for incoming network connections. |
  141. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  142. | Network Client | Enable to allow app to establish outgoing network connections. |
  143. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  144. | Device USB | Enable to allow app to interact with USB devices. This entitlement is required to use wired controllers. |
  145. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  146. | Device Bluetooth | Enable to allow app to interact with Bluetooth devices. This entitlement is required to use wireless controllers. |
  147. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  148. | Files Downloads [7]_ | Allows read or write access to the user's "Downloads" folder. |
  149. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  150. | Files Pictures [7]_ | Allows read or write access to the user's "Pictures" folder. |
  151. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  152. | Files Music [7]_ | Allows read or write access to the user's "Music" folder. |
  153. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  154. | Files Movies [7]_ | Allows read or write access to the user's "Movies" folder. |
  155. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  156. | Files User Selected [7]_ | Allows read or write access to arbitrary folder. To gain access, a folder must be selected from the native file dialog by the user. |
  157. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  158. | Helper Executable | List of helper executables to embedded to the app bundle. Sandboxed app are limited to execute only these executable. |
  159. +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
  160. .. [7] You can optionally provide usage messages for various folders in the `privacy/*_folder_usage_description` options.
  161. .. note::
  162. You can override default entitlements by selecting custom entitlements file, in this case all other entitlement are ignored.
  163. Environment variables
  164. ---------------------
  165. You can use the following environment variables to set export options outside of
  166. the editor. During the export process, these override the values that you set in
  167. the export menu.
  168. .. list-table:: macOS export environment variables
  169. :header-rows: 1
  170. * - Export option
  171. - Environment variable
  172. * - Encryption / Encryption Key
  173. - ``GODOT_SCRIPT_ENCRYPTION_KEY``
  174. * - Options / Codesign / Certificate File
  175. - ``GODOT_MACOS_CODESIGN_CERTIFICATE_FILE``
  176. * - Options / Codesign / Certificate Password
  177. - ``GODOT_MACOS_CODESIGN_CERTIFICATE_PASSWORD``
  178. * - Options / Codesign / Provisioning Profile
  179. - ``GODOT_MACOS_CODESIGN_PROVISIONING_PROFILE``
  180. * - Options / Notarization / API UUID
  181. - ``GODOT_MACOS_NOTARIZATION_API_UUID``
  182. * - Options / Notarization / API Key
  183. - ``GODOT_MACOS_NOTARIZATION_API_KEY``
  184. * - Options / Notarization / API Key ID
  185. - ``GODOT_MACOS_NOTARIZATION_API_KEY_ID``
  186. * - Options / Notarization / Apple ID Name
  187. - ``GODOT_MACOS_NOTARIZATION_APPLE_ID_NAME``
  188. * - Options / Notarization / Apple ID Password
  189. - ``GODOT_MACOS_NOTARIZATION_APPLE_ID_PASSWORD``