If anyone runs into this when trying to install the Nessus Agent with Jamf Pro:
Installation failed. The installer reported: installer: Package name is Tenable Nessus Agent installer: Certificate used to sign package is not trusted. Use --allow Untrusted to overwrite.
I have a fix. Thanks to Bartłomiej Sojka for pointing out that it's a hard link, and suggesting the solution.
It’s the package downloaded directly from the vendor https://www.tenable.com/downloads/nessus-agents, in the section Nessus Agents - 7.4.3, NessusAgent-7.4.3.dmg
I think the visible package in the disk image is actually a hard link to a hidden package in the disk image, named .NessusAgent.pkg.
I have no idea why.
Here is me using “ls -la” to get a long listing of all the files, even hidden files, in the disk image:
MacBookPro:Nessus Agent Install ladmin$ ls -la total 28120 drwxr-xr-x 5 ladmin staff 238 Sep 10 16:11 . drwxr-xr-x+ 4 root wheel 128 Oct 31 19:55 .. -rw-r--r-- 1 ladmin staff 14357839 Sep 10 16:11 .NessusAgent.pkg d-wx-wx-wt 2 ladmin staff 68 Sep 10 16:11 .Trashes -rw-r--r-- 1 ladmin staff 34145 Sep 10 16:11 Install Nessus Agent.pkg
That “14357839” is the size of the hidden package - it’s much bigger than the visible package.
The good news is that the fix is to copy the hidden item to your Downloads folder (as an example), then upload that package to Jamf Pro:
Open the disk image
In Terminal, use the command:
cp /Volumes/Nessus Agent Install/.NessusAgent.pkg ~/Downloads/Install Nessus Agent.pkg
Eject the disk image
Upload ~/Downloads/Install Nessus Agent.pkg to Jamf Pro
Yeah I have had many problems with Nessus and you hit the nail on the head. Mount the DMG and find the hidden package and use that instead. I have opened up cases with them about this and also told them that their scripts in their package are no longer supported in flat packages.
I have learned more about Nessus than I ever intended to
when packaging nessus, we need to extract the hidden .NessusAgent.pck file, and import that to composer, then edit the 'postinstall' script that is already there? looks there is already a script when I import it, this is what it contains:
chown -R root:admin /Library/NessusAgent/run/
chmod a-w /Library/NessusAgent/run/lib/lib
killall -9 nessusd
/bin/launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
chmod 0644 /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
/Library/NessusAgent/run/sbin/nessuscli install /Library/NessusAgent/run/var/nessus/plugins-core.tar.gz
/bin/launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusagent.plist
id like to include my switches but not sure how to include them into that pre existing script
these are the settings id like to include with my installation: # /Library/NessusAgent/run/sbin/nessuscli agent link --key=XXXXXXXXXXXXXXXXXX --groups=MACS --host=host.domain.com --port=8834
whenever i try to add this, i get an unsupported script error message. wondering if anyone has the instructions for deplying the nessus agent and include group, key, host and port in the config.
Stumbled on this post while figuring out this silly certificate trust issue. Thanks! I would have never thought to check the DMG for a hidden pkg. Why, Tenable?!
@jorge.blandon Why not have a script run in your policy that installs the package? You could even pass different groups as a parameter. Just set it to run "After" the package step.
mount the installer DMG and open terminal
% cd /Volumes/Nessus Agent Install % ls -al total 32696 drwxr-xr-x 4 tlarkin staff 204 Aug 4 20:09 . drwxr-xr-x 6 root wheel 192 Aug 31 20:56 .. -rw-r--r-- 1 tlarkin staff 16658522 Aug 4 20:09 .NessusAgent.pkg -rw-r--r-- 1 tlarkin staff 75703 Aug 4 20:09 Install Nessus Agent.pkg
.NessusAgent.pkg? That is the actual installer. Now we can
cp the pkg to the Desktop or whatever and then
mv it to rename it. Remember, all
. files are invisible to the Finder
cp .NessusAgent.pkg ~/Desktop && mv ~/Desktop/.NessusAgent.pkg ~/Desktop/NessusAgent.pkg
Now you should see it on your Desktop. From here you can rename it in the Finder if you want to add say
_vesrion to the PKG.
Looks like the only reason they wrap it is for the license, logo, and readme <sigh>. I stumbled upon the hidden .pkg in their install guide (but should have checked here first). I shouldn't have to do that. Software is supposed to be self-explanatory. <sigh>
Developers who fail to follow simple rules for app packaging should be shamed out of business... especially for stupid things like this.
<<edit>> Looks like they learned their lesson, as 10.2.0 has a normal pkg file inside the dmg. I withdraw my previous comment
<<edit2>> I take back my take back, they did an even dumber thing by putting a dummy visible pkg in there, fool me once, shame on me
Thanks to the OP for the fix for this