Signed QuickAdd.pkg and the Apple Intermediate Cert - What?

NowAllTheTime
Contributor III

I might be missing something here, so I'm looking for some outside opinions on this in case I am. As I understand it, if you want to be able to install the QuickAdd.pkg via user initiated enrollment without getting the gatekeeper prompt you need to sign it with a mac dev installer cert. All of that makes sense. We have a dev account and have created and signed the package - no problem. But then according to the below KB articles you also need the Apple intermediate certificate, which the KB article instructs you to deploy via a JSS Policy.

https://jamfnation.jamfsoftware.com/article.html?id=301
https://jamfnation.jamfsoftware.com/article.html?id=294

So, here's where I'm lost. How am I supposed to get a cert on a machine with a policy if I haven't enrolled it to the JSS with the QuickAdd.pkg yet to receive said policy? Also, what is the point of the gatekeeper setting of "Mac App Store and identified developers" if Apple isn't even shipping the full chain of intermediate certs for identified developers in the base OS X install? This all seems so silly that I have got to be overlooking something. Anyone else signing their quickadd, and if so how are you addressing this issue?


davidacland
Honored Contributor II

Hi, you should be signing with your developer cert and if gatekeeper is in its default state (App Store and signed developers only) that should be sufficient.

You are right, it would be chicken before the egg otherwise.

justinrummel
Contributor III

So https://jamfnation.jamfsoftware.com/article.html?id=301 is unfortunately referencing only 1/2 of the https://jamfnation.jamfsoftware.com/article.html?id=294 article.

You need the Developer ID Certification Authority intermediate AND the Worldwide Developer Relations Certification Authority (from /article.html?id=294) on the machine that you want to export the Developer ID Installer Distribution certificate (from /article.html?id=301).

Most likely the two certs (from /article.html?id=294) are already on the machine once you enter your OS X Developer Admin Apple ID in Xcode, but it doesn't hurt to check.

I hope that is clearer.
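The practical check behind this reply is whether the signed QuickAdd.pkg carries the full Developer ID chain (leaf signed by the Developer ID Certification Authority, which chains to Apple Root CA) and whether that intermediate is actually present on the Mac doing the signing. The script below is an added example and is not code from the thread or from Jamf: it runs Apple's `pkgutil --check-signature` and `security find-certificate` and parses their output. The package path, the team name "Example Corp (TEAMID0000)" and the two embedded sample outputs are constructed for illustration; only the parsing and evaluation functions are exercised offline.

```python
"""Verify a QuickAdd.pkg signature chain before handing it to users.

Added example, not code from the thread. Assumes macOS command-line tools
`pkgutil` and `security`; the sample outputs below are constructed.
"""
import re
import subprocess
import sys

# Chain Gatekeeper expects for a Developer ID-signed installer package:
#   Developer ID Installer: <team>  ->  Developer ID Certification Authority  ->  Apple Root CA
LEAF_PREFIX = "Developer ID Installer:"
REQUIRED_INTERMEDIATE = "Developer ID Certification Authority"
TRUSTED_MARKER = "signed by a certificate trusted by"  # matches "...trusted by macOS" / "...Mac OS X"

# Constructed sample of `pkgutil --check-signature` output for a good package.
SAMPLE_GOOD = """Package "QuickAdd.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55
"""

# Constructed sample for a package whose chain could not be completed.
SAMPLE_UNTRUSTED = """Package "QuickAdd.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
"""


def parse_check_signature(output):
    """Turn pkgutil's text report into {"status": str, "chain": [leaf, ..., root]}."""
    status = None
    chain = []
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Status:"):
            status = stripped[len("Status:"):].strip()
        match = re.match(r"^\d+\.\s+(.+)$", stripped)  # numbered chain entries only
        if match:
            chain.append(match.group(1).strip())
    return {"status": status, "chain": chain}


def evaluate(parsed):
    """Return (ok, reasons): ok is True only if the package should clear default Gatekeeper."""
    reasons = []
    status = parsed["status"] or "no status line"
    chain = parsed["chain"]
    # Substring test on "trusted" alone would also match "untrusted"; use the full phrase.
    if TRUSTED_MARKER not in status:
        reasons.append("status is '%s', expected a trusted signature" % status)
    if not chain:
        reasons.append("no certificate chain reported")
    else:
        if not chain[0].startswith(LEAF_PREFIX):
            reasons.append("leaf is '%s', expected a '%s' certificate" % (chain[0], LEAF_PREFIX))
        if REQUIRED_INTERMEDIATE not in chain:
            reasons.append("chain lacks '%s'; install the intermediate on the signing Mac and re-sign"
                           % REQUIRED_INTERMEDIATE)
    return (not reasons, reasons)


def check_package(pkg_path):
    """Run pkgutil on a real package (macOS only) and evaluate the result."""
    proc = subprocess.run(["pkgutil", "--check-signature", pkg_path],
                          capture_output=True, text=True)
    return evaluate(parse_check_signature(proc.stdout))


def intermediate_in_keychain(common_name=REQUIRED_INTERMEDIATE):
    """True if `security find-certificate -c <name>` finds the cert in the search keychains."""
    proc = subprocess.run(["security", "find-certificate", "-c", common_name],
                          capture_output=True, text=True)
    return proc.returncode == 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "QuickAdd.pkg"  # placeholder path
    ok, why = check_package(path)
    print("package chain OK" if ok else "package chain problems: " + "; ".join(why))
    print("intermediate present in keychain:", intermediate_in_keychain())
```

Run it on the signing Mac as `python3 check_quickadd.py /path/to/QuickAdd.pkg`. A package that reports the trusted status but a one-entry chain is the symptom described later in this thread, and the keychain check tells you whether the fix belongs on the Mac that exported the installer certificate rather than on the enrolling clients.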

NowAllTheTime
Contributor III

Thank you both for that information, I'm glad to hear that it's not the chicken and egg scenario after all.

I'm still running into user enrolled Macs seeing the quickadd.pkg as being signed with an invalid certificate and it won't run under the default Gatekeeper setting. I exported the installer cert via Xcode with both of the Dev ID CA intermediate and the Worldwide Relations CA certs installed on the same machine that I exported the installer cert from. I'll check in with my TAM to see what their recommendations are.

emax
New Contributor III

<bump>

We've run into the same issue. We had some unrelated issues getting the JSS to provide the right version of the Quickadd.pkg, but now that we've verified that it has all the proper certs, we're still getting the Gatekeeper prompt.

@jasonaswell Were you ever able to get resolution to this?

Dying to know.

NowAllTheTime
Contributor III

9.81 seemed to resolve the issue for us. User creation and LDAP auth are still a little wonky, but I think that's more an issue on Apple's end right now. But at the very least the quick add seems to install without any of the errors we used to get.