How do I sign Composer PKGs?

Sonic84
Contributor III

Hello, I'd like to start leveraging signed packages in Casper. How do I accomplish this with packages I've created in Composer?


talkingmoose
Honored Contributor II

Just curious. What specifically do you hope to leverage by signing your own packages?

You'll need a developer account to do this: http://developer.apple.com/library/mac/#documentation/ToolsLanguages/Conceptual/OSXWorkflowGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html

If you're concerned about Gatekeeper and packages in Mountain Lion then understand that it applies only to items downloaded via the Internet and then only if the downloading application itself flags it for quarantine. It will not prevent someone from installing unsigned packages that are copied to a Mac via SSH, ARD, external disk drive, file server or some other means. I doubt Casper is flagging items for quarantine even if installing over HTTP.

That's my understanding. Someone else may come along later and correct me.

mm2270
Legendary Contributor III

I think you're right there. I'm pretty certain only files that get downloaded through Safari or other browsers and get flagged as "downloaded" will be affected by Gatekeeper in 10.8. I also think it only applies to double-clicking a pkg installer, not one run through a command line install the way Casper Suite would be doing. At least that's my understanding as well.

In any event, we plan on turning off Gatekeeper early on as we test with 10.8 since it's going to take a little time for developers to catch up and sign all their packages properly for Mountain Lion.

Hopefully nothing discussed here is in violation of Apple's NDA since Gatekeeper is pretty public knowledge at this point.

jarednichols
Honored Contributor

There are 2 things we're possibly talking about here:
1. Gatekeeper & Mountain Lion-y stuff
2. Code signing.

Package Maker allows you to sign a package with your code signing certificate. At my last job we experimented with this with internally created packages so users knew they were trusted. This shows up in Installer as a padlock in the menu bar that you can click and see the cert chain for. Look at any Apple updater and you'll see what I'm on about.

Perhaps if the OP could clarify...