Skip to main content

Is anyone signing the packages they create with Composer?

  • March 26, 2026
  • 4 replies
  • 33 views
FerrisBNA
Forum|alt.badge.img+4

Hello all you Jamf Rockstars,

I was building a new package and decided to add the script I needed to run at the end as part of the package instead of a separate component in the Jamf policy.  When I tried to deploy it I got “Installation failed. The package could not be verified.”

Turns out this can happen when Gatekeeper rejects the package because the package is unsigned, and included a postinstall script.

Composer has a setting for signing packages, I do not have that configured.  There is also a field for “Default Bundle Identifier” under the advanced tab.

 

Is anyone signing their packages?  Do you use a third-party cert?

Are you populating the “Default Bundle Identifier”?  

Thanks in advance,

-Pat

-Pat

    4 replies

    PaulHazelden
    Forum|alt.badge.img+13
    • PaulHazelden
    • Jamf Heroes
    • March 26, 2026

    I sign all of my Composer packages with the Jamf Cert. It will be one of the options when you go to the drop down, provided the Mac you are on is enrolled in your Jamf instance.

    Downside, When you renew your Jamf Cert you expire all of your packages, and need to rebuild them all.

      FerrisBNA
      Forum|alt.badge.img+4
      • FerrisBNA
      • Author
      • Contributor
      • March 26, 2026

      I sign all of my Composer packages with the Jamf Cert. It will be one of the options when you go to the drop down, provided the Mac you are on is enrolled in your Jamf instance.

      Downside, When you renew your Jamf Cert you expire all of your packages, and need to rebuild them all.

      Do you name all the packages you create with an indicator that they are signed? or when they expire?

      -pat

      -Pat
        PaulHazelden
        Forum|alt.badge.img+13
        • PaulHazelden
        • Jamf Heroes
        • March 26, 2026

        No. I name them with a version number and name of the app. The Main Jamf Cert currently lasts for a few years.
        It was a fun suprise the first time I ran into it.
        Never bothered with marking them up, because I know when the cert is expired, and so I know I need to rebuild a load of packages. When the date is within maybe 6 months I will build everything on the same test Mac, and keep the Composer set up in place. Once the cert gets changed, you then change over in Composer and re-package everything. Older stuff will show up, because it will fail to install, catch those and rebuild them to sort out.
        It becomes a good time to clean up the Jamf Server.

          thebrucecarter
          Forum|alt.badge.img+16

          I use my developer certs for this purpose, as does our other Jamf administrator.  We do sign pretty much everything, necessary or not, and notarize and staple where available.

          Not just A Bruce Carter, but THE Bruce Carter! 🤓
            Terms & ConditionsCookie settingsAccessibility statement