Why does my Godot macOS export fail notarization?

Apple requires hardened runtime + entitlements.plist + valid Developer ID signature. Sign with codesign -o runtime, attach entitlements, then xcrun notarytool submit.

What goes in entitlements.plist?

com.apple.security.cs.allow-jit and allow-unsigned-executable-memory for engines like Godot. Disable based on your features (e.g. Mono needs both).

Fix: Godot macOS Export Notarization Fail

Q: Staple after success?

xcrun stapler staple yourapp.app. Embeds notarization ticket so first launch doesn't require internet check.

Quick answer: codesign with hardened runtime + entitlements.plist. xcrun notarytool submit. xcrun stapler staple after success.

Apple rejects the Godot .app for notarization. Missing hardened runtime or entitlements.

The Fix

# entitlements.plist
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
</dict>

# Sign
$ codesign --deep --force --options runtime \
    --entitlements entitlements.plist \
    --sign "Developer ID Application: Studio" MyApp.app

# Notarize
$ xcrun notarytool submit MyApp.zip --apple-id you@example.com \
    --team-id ABC123 --wait

# Staple
$ xcrun stapler staple MyApp.app

Hardened runtime + entitlements + Developer ID + notary submission + staple = Apple-approved bundle.

Verifying

spctl --assess --verbose MyApp.app shows accepted. First launch on macOS: no Gatekeeper prompt.

“Sign. Submit. Staple. Apple OK.”

Related Issues

For Windows export icon, see Windows icon. For Android keystore, see keystore.

Sign hard. Notarize. Staple.