How to notarize a .pkg file by Apple
Posted on 01-30-2020 11:14 AM
I have composed and signed a package file (e.g. fileName.pkg) using our Developer ID Installer certificate from developer.apple.com. In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized. I've spent quite a bit of time looking through the Xcode help site (https://help.apple.com/xcode/mac/current/#/dev033e997ca) and have attempted some of the command line tools (xcrun altool) but am simply not having any luck.
I'm sure I'm missing something here and was hoping that someone that knows how to do this could please enlighten me. Most of the instructions on the developer site refer to apps that one has developed using Xcode. But again, all I'm attempting to do here is get a signed/composed .pkg file notarized by Apple.
Posted on 04-02-2020 10:50 AM
I'm in the same boat! Wondering about notarization for an installer.pkg to deploy.
Posted on 04-02-2020 10:57 AM
Keep life simple... Check out SD Notary
https://latenightsw.com/2509-2/
Posted on 04-02-2020 11:32 AM
"In order to distribute this file to other Macs in our fleet, Apple is now requiring that these signed installers be notarized."
Unless I'm functioning on outdated information, notarization isn't required for packages deployed through something like Jamf. It'd only be required if you are distributing your packages to your users for them to run manually outside your management system. (It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication).
Posted on 04-07-2020 12:15 PM
"(It's also required if you are installing it as a part of the DEP enrollment process, i.e. InstallApplication)."
Yes, the .pkg file I was composing was being dropped in the Prestage as part of the DEP enrollment process and this was where I was having the issue. I never resolved this completely because Jamf now allows you to drop multiple package files in a Prestage and that resolved my immediate issue.
I had a conversation with an Apple SE and he didn't think it was necessary to sign a Prestage package, but when Jamf initially set us up with Jamf Connect Login, signing the package that installs JCL, in the Prestage, was a requirement.
Posted on 12-08-2020 02:42 PM
In case this is still an issue for you, here's a handy walkthrough on notarization that helped us out recently: Notarizing Installers for macOS Catalina - in trying to resolve an issue with devices that skipped or otherwise missed initial DEP/ADE enrollment, we spun up a payload-free package that just runs the needed profiles renew command as a preinstall shell script - we sent this to our affected users so they could complete enrollment without having to mess around with any CLI. Worked fine as a signed pkg until Catalina arrived and we had to notarize it also.
Posted on 12-19-2020 07:23 PM
I am curious about this as well. How do you notarize a package created in Composer? Can it be a flat pkg? This pkg I want to distribute both through Jamf and manually outside of Jamf. Just signing it appears to be fine through Jamf, but obviously manually it gets caught up in Gatekeeper.
Posted on 12-21-2020 05:09 AM
I can second the SD notary tool mentioned above. Here's a link to the version released a week ago.
Posted on 12-21-2020 09:01 AM
FYI, packages deployed through Jamf (MDM enrollment packages or otherwise) do not need to be notarized. Only signed (for enrollment packages only).
Posted on 12-21-2020 08:42 PM
Yes, however I am trying to deploy a pkg outside of Jamf.
Does not look like SD Notary is working for me. I am added to our company's developer portal, but it appears only the owner of the account can create the certificate required. I do have the certificate + password they created, but SD Notary is not recognizing the developer certificate.
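
The command-line route the original question asks about, as an added example that is not part of any post in this thread: it uses `xcrun notarytool` (Xcode 13 or later), which replaced the `altool` notarization workflow mentioned in the first post. The function names, the `DRY_RUN` switch and the keychain profile name `notary-profile` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): notarize an already-signed flat .pkg.
# Assumed one-time setup, storing credentials under the hypothetical profile
# name "notary-profile":
#   xcrun notarytool store-credentials notary-profile \
#     --apple-id <apple-id> --team-id <team-id> --password <app-specific-password>

# Execute a command, or only print it when DRY_RUN=1 (review without macOS tools).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Reads `pkgutil --check-signature` output on stdin and succeeds only if a
# Developer ID Installer certificate appears in the chain.
signed_for_distribution() {
  grep -q 'Developer ID Installer: '
}

notarize_pkg() {
  pkg=$1
  profile=${2:-notary-profile}
  [ -n "$pkg" ] || { echo "usage: notarize_pkg <file.pkg> [profile]" >&2; return 2; }
  # Refuse to upload a package that lacks the installer signature
  # (skipped in DRY_RUN, which may run where pkgutil does not exist).
  if [ "${DRY_RUN:-0}" != "1" ]; then
    pkgutil --check-signature "$pkg" | signed_for_distribution || {
      echo "error: $pkg has no Developer ID Installer signature" >&2
      return 1
    }
  fi
  # Upload and wait for the notary service verdict.
  run xcrun notarytool submit "$pkg" --keychain-profile "$profile" --wait || return 1
  # Attach the ticket for offline checks; fails if no ticket was issued.
  run xcrun stapler staple "$pkg" || return 1
  # Show what Gatekeeper decides for a manual install of this package.
  run spctl --assess -vv --type install "$pkg"
}

# Run when invoked with arguments: ./notarize.sh fileName.pkg [profile]
if [ "$#" -gt 0 ]; then
  notarize_pkg "$@"
fi
```

Running with `DRY_RUN=1` prints the three commands without contacting Apple, which is useful for reviewing the sequence before a real submission.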