I have composed and signed a package file (e.g. fileName.pkg) using our Developer ID Installer certificate from developer.apple.com. In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized. I've spent quite a bit of time looking through the Xcode help site (https://help.apple.com/xcode/mac/current/#/dev033e997ca) and have attempted some of the command line tools (xcrun altool) but am simply not having any luck.
I'm sure I'm missing something here and was hoping that someone that knows how to do this could please enlighten me. Most of the instructions on the developer site refer to apps that one has developed using Xcode. But again, all I'm attempting to do here is get a signed/composed .pkg file notarized by Apple.
"In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized."
Unless I'm functioning on outdated information, notarization isn't required for packages deployed through something like Jamf. It'd only be required if you are distributing your packages to your users for them to run manually outside your management system. (It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication).
"(It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication)."
Yes, the .pkg file I was composing was being dropped in the Prestage as part of the DEP enrollment process and this was where I was having the issue. I never resolved this completely because Jamf now allows you to drop multiple package files in a Prestage and that resolved my immediate issue.
I had a conversation with an Apple SE and he didn't think it was necessary to sign a Prestage package, but when Jamf initially set us up with Jamf Connect Login, signing the package that installs JCL, in the Prestage, was a requirement.
In case this is still an issue for you, here's a handy walkthrough on notarization that helped us out recently: Notarizing Installers for macOS Catalina. In trying to resolve an issue with devices that skipped or otherwise missed initial DEP/ADE enrollment, we spun up a payload-free package that just runs the needed profiles renew command as a preinstall shell script. We sent this to our affected users so they could complete enrollment without having to mess around with any CLI. Worked fine as a signed pkg until Catalina arrived and we had to notarize it also.
Yes, however I am trying to deploy a pkg outside of Jamf.
Does not look like SD Notary is working for me. I am added to our company's developer portal, but it appears only the owner of the account can create the certificate required. I do have the certificate + password they created, but SD Notary is not recognizing the developer certificate.