How to notarize a .pkg file by Apple

brettw
New Contributor II

I have composed and signed a package file (e.g. fileName.pkg) using our Developer ID Installer certificate from developer.apple.com. In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized. I've spent quite a bit of time looking through the Xcode help site (https://help.apple.com/xcode/mac/current/#/dev033e997ca) and have attempted some of the command line tools (xcrun altool) but am simply not having any luck.

I'm sure I'm missing something here and was hoping that someone that knows how to do this could please enlighten me. Most of the instructions on the developer site refer to apps that one has developed using Xcode. But again, all I'm attempting to do here is get a signed/composed .pkg file notarized by Apple.
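The workflow the question is asking about, written out as an added example (not code from the thread or from any of the posters): check that the flat .pkg already carries a Developer ID Installer signature, submit it with `xcrun altool --notarize-app`, poll `--notarization-info` until Apple returns a verdict, staple the ticket, and confirm with `spctl` that Gatekeeper now accepts the installer. The package path, bundle identifier, Apple ID and the `AC_PASSWORD` keychain item (an app-specific password stored in the login keychain) are all placeholders you substitute for your own.

```shell
#!/bin/sh
# Added example: notarize an already-signed flat .pkg with altool.
# Placeholders (assumptions, not values from the thread):
#   $1 = path to the signed .pkg      e.g. /tmp/Example.pkg
#   $2 = a primary bundle id you pick e.g. com.example.pkg
#   $3 = your Apple ID                e.g. dev@example.com
#   AC_PASSWORD = keychain item holding an app-specific password

# Refuse to submit anything that is not signed with a Developer ID Installer cert.
check_signature() {
    pkgutil --check-signature "$1" | grep -q "Developer ID Installer"
}

# Build the altool submission command as one string so it can be shown or run.
build_submit_cmd() {
    pkg="$1"; bundle_id="$2"; apple_id="$3"
    case "$pkg" in
        *.pkg) ;;
        *) echo "error: expected a .pkg, got $pkg" >&2; return 1 ;;
    esac
    printf 'xcrun altool --notarize-app --primary-bundle-id %s --username %s --password @keychain:AC_PASSWORD --file %s' \
        "$bundle_id" "$apple_id" "$pkg"
}

# Pull the RequestUUID out of altool's upload output (read from stdin).
parse_request_uuid() {
    sed -n 's/^RequestUUID = \(.*\)$/\1/p'
}

# Pull the "Status:" line out of --notarization-info output (read from stdin).
parse_status() {
    sed -n 's/^ *Status: //p'
}

# Poll until Apple reports something other than "in progress"; print the verdict.
wait_for_result() {
    uuid="$1"; apple_id="$2"
    while :; do
        status=$(xcrun altool --notarization-info "$uuid" \
            --username "$apple_id" --password @keychain:AC_PASSWORD 2>&1 | parse_status)
        case "$status" in
            "in progress") sleep 30 ;;
            *) echo "$status"; return ;;
        esac
    done
}

# Staple the ticket so offline Macs can verify it, then ask Gatekeeper's opinion.
staple_and_verify() {
    xcrun stapler staple "$1" && spctl -a -vv -t install "$1"
}

main() {
    pkg="$1"; bundle_id="$2"; apple_id="$3"
    check_signature "$pkg" || { echo "error: $pkg is not signed with a Developer ID Installer certificate" >&2; exit 1; }
    uuid=$(eval "$(build_submit_cmd "$pkg" "$bundle_id" "$apple_id")" 2>&1 | parse_request_uuid)
    [ -n "$uuid" ] || { echo "error: upload did not return a RequestUUID" >&2; exit 1; }
    echo "submitted, RequestUUID=$uuid"
    verdict=$(wait_for_result "$uuid" "$apple_id")
    [ "$verdict" = "success" ] || { echo "error: notarization ended with status '$verdict'" >&2; exit 1; }
    staple_and_verify "$pkg"
}

# Only run the full workflow when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it as `sh notarize.sh /path/to/Example.pkg com.example.pkg dev@example.com` on a Mac with Xcode command line tools installed. If the verdict is `invalid`, the `LogFileURL` in the `--notarization-info` output points to a JSON log that names the file and rule that failed. On current Xcode releases altool's notarization commands have been retired in favour of `xcrun notarytool submit --wait`, which folds the submit-and-poll steps together; the stapling and `spctl` checks are unchanged.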

9 REPLIES

hodgesji
Contributor

I'm in the same boat! Wondering about notarization for an installer.pkg to deploy.

HCSTech
Contributor

Keep life simple... Check out SD Notary
https://latenightsw.com/2509-2/

georgecm12
Contributor III

"In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized."

Unless I'm functioning on outdated information, notarization isn't required for packages deployed through something like Jamf. It'd only be required if you are distributing your packages to your users for them to run manually outside your management system. (It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication).

brettw
New Contributor II

"(It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication)."

Yes, the .pkg file I was composing was being dropped in the Prestage as part of the DEP enrollment process and this was where I was having the issue. I never resolved this completely because Jamf now allows you to drop multiple package files in a Prestage and that resolved my immediate issue.
I had a conversation with an Apple SE and he didn't think it was necessary to sign a Prestage package, but when Jamf initially set us up with Jamf Connect Login, signing the package that installs JCL, in the Prestage, was a requirement.

pruokis
New Contributor III

In case this is still an issue for you, here's a handy walkthrough on notarization that helped us out recently: Notarizing Installers for macOS Catalina. In trying to resolve an issue with devices that skipped or otherwise missed initial DEP/ADE enrollment, we spun up a payload-free package that just runs the needed `profiles renew` command as a preinstall shell script. We sent this to our affected users so they could complete enrollment without having to mess around with any CLI. It worked fine as a signed pkg until Catalina arrived and we had to notarize it also.

walt
Contributor III

I am curious about this as well. How do you notarize a package created in Composer? Can it be a flat pkg? I want to distribute this pkg both through Jamf and manually outside of Jamf. Just signing it appears to be fine through Jamf, but obviously manually it gets caught up in Gatekeeper.

merps
Contributor III

I can second the SD Notary tool mentioned above. Here's a link to the version released a week ago.

patgmac
Contributor III

FYI, packages deployed through Jamf (MDM enrollment packages or otherwise) do not need to be notarized. Only signed (for enrollment packages only).

walt
Contributor III

Yes, however I am trying to deploy a pkg outside of Jamf.

It does not look like SD Notary is working for me. I am added to our company's developer portal, but it appears only the owner of the account can create the certificate required. I do have the certificate + password they created, but SD Notary is not recognizing the developer certificate.