Signing a pkg (for use outside of MDM)

walt
Contributor III

I am not the owner of our Apple Developer portal, but I had our admin create a Developer ID Installer (for installer packages) certificate, which they provided. I installed the certificate in my Mac keychain, created a flat pkg in Composer, and used the certificate to sign it, which it did. However, when manually trying to install it on another device, it still prompts with:

".pkg can't be opened because Apple cannot check it for malicious software. The software needs to be updated."

I also tried on a separate pkg, using the Terminal command to sign the pkg, which all worked, but the same issue occurred with that pkg.

Is there a proper process to sign a package that can be used to install without going through Gatekeeper and outside of MDM? (The intent of the pkg is to install components for devices that won't be MDM managed but will include certain settings, etc.)

Thanks!

1 REPLY

ithangdang
New Contributor II

It appears you may need to notarize the pkg in order to pass that check. Signing is not sufficient anymore for distribution outside of MDM.

Here is the official document from Apple outlining Notarization.
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

This guide from Davide Barranca was helpful in walking through the Notarization steps of a pkg. https://www.davidebarranca.com/2019/04/notarizing-installers-for-macos-catalina/
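
The sign, notarize, staple and verify sequence the reply points to, as an added example that is not part of the original posts. It uses `xcrun notarytool`, which is an assumption about the toolchain (Xcode 13 or later); the identity string, keychain profile name and sample `spctl` output are constructed placeholders.

```bash
#!/bin/bash
# Added example: sign, notarize, staple and verify a flat pkg on macOS.
# Usage: ./notarize_pkg.sh unsigned.pkg signed.pkg   (script name is hypothetical)

# Placeholders (assumptions): replace with your own identity and profile.
IDENTITY="Developer ID Installer: Example Corp (TEAMID1234)"
PROFILE="notary-profile"  # stored once via: xcrun notarytool store-credentials

# Constructed sample of what spctl reports for a pkg that is signed
# but not notarized (the situation described in the question).
SAMPLE_SIGNED_ONLY="Example.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Example Corp (TEAMID1234)"

# Classify the output of `spctl -a -vv -t install <pkg>` read from stdin.
gatekeeper_status() {
    out=$(cat)
    case "$out" in
        *"source=Notarized Developer ID"*)   echo "notarized" ;;
        *"source=Unnotarized Developer ID"*) echo "signed-not-notarized" ;;
        *"source=no usable signature"*)      echo "unsigned" ;;
        *)                                   echo "unknown" ;;
    esac
}

sign_and_notarize() {
    unsigned=$1
    signed=$2
    # 1. Sign with the Developer ID Installer certificate from the keychain.
    productsign --sign "$IDENTITY" "$unsigned" "$signed" || return 1
    # 2. Upload to Apple's notary service; --wait blocks until a verdict.
    xcrun notarytool submit "$signed" --keychain-profile "$PROFILE" --wait || return 1
    # 3. Staple the ticket so Gatekeeper can verify the pkg offline.
    xcrun stapler staple "$signed" || return 1
    # 4. Ask Gatekeeper how it would treat the pkg at install time.
    status=$(spctl -a -vv -t install "$signed" 2>&1 | gatekeeper_status)
    echo "Gatekeeper status: $status"
    [ "$status" = "notarized" ]
}

# Only run the workflow when both paths are supplied.
if [ "$#" -eq 2 ]; then
    sign_and_notarize "$1" "$2"
fi
```

Running the `spctl` check on the target Mac before and after stapling shows whether the prompt in the question comes from a missing notarization ticket rather than from a signing failure.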