Signing a PKG file is essential for security: it lets macOS and your users verify that the installer comes from a known publisher and has not been tampered with since it was signed, so the app can be trusted for use. To sign macOS packages, you need access to an Apple Developer account; the signing certificates are generated from that account. Two basic requirements must be met to deploy macOS PKGs:
- The .pkg file is built as a product archive.
- To distribute an app as an enterprise app, the .pkg file must be signed with a Developer ID obtained from an Apple Developer Enterprise account. For all other apps distributed via the Mac App Store, the .pkg file is signed with the “Developer ID Installer” certificate obtained from an Apple Developer account.
Steps to build and sign a macOS PKG file
To build and sign a macOS PKG file for a third-party app,
- Install the app on the device.
- Open Terminal.
- Build the .pkg file using the pkgbuild command.
sudo pkgbuild --component /path_to_installed_app/macapp.app --install-location /Applications --sign "Developer ID Installer: *******" /path_to_saved_package/packagename.pkg
Here, the quoted text refers to the name of your certificate. The two arguments specify the location of the already installed .app file (/path_to_installed_app/macapp.app) and the location of the newly generated .pkg file (/path_to_saved_package/packagename.pkg), respectively.
- Wrap the component package into a signed product archive using the productbuild command.
sudo productbuild --package /path_to_saved_package/packagename.pkg --content /path_to_app/ --sign "Developer ID Installer: *******" /path_to_signed_pkg/signed.pkg
Here, the quoted text refers to the name of the certificate. The two arguments specify the location of the newly generated .pkg file (/path_to_saved_package/packagename.pkg) and the location of the signed .pkg file (/path_to_signed_pkg/signed.pkg), respectively.
Steps to sign macOS PKG files
To sign a macOS PKG file,
- Open Keychain Access within the Mac and locate the certificate. The name of the certificate should be of the format: Developer ID Installer: Apple account name (serial number).
- Open Terminal. The command to sign the package should look something like this:
productsign --sign "Developer ID Installer: Your Apple Account Name (**********)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg
Here, the quoted text following the --sign option is the name of your certificate. The two arguments following the certificate name are the current location of the unsigned package (~/Desktop/example.pkg) and the destination of the signed package (~/Desktop/signed-example.pkg), respectively.
The signed package is written to the destination path specified in the command.
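As an added check (example shell code, not from the original page): before deploying a package produced by either procedure above, verify its signature with pkgutil --check-signature and reject anything that is not signed by your own Developer ID Installer identity. The team ID ABCDE12345, the publisher name and the sample report text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: gate a PKG on its signature.
# verify_pkg_report reads the text that `pkgutil --check-signature <pkg>` prints
# (from stdin) and succeeds only when the package carries an Apple-issued
# developer signature whose leaf certificate is a Developer ID Installer
# certificate for the expected team. Return codes: 0 ok, 1 not Apple-signed,
# 2 signed but by a different identity.
verify_pkg_report() {
    expected_team="$1"
    report="$(cat)"
    # pkgutil reports an Apple-issued signature on the Status line.
    printf '%s\n' "$report" \
        | grep -q 'Status: signed by a developer certificate issued by Apple' || return 1
    # Entry 1 of the certificate chain is the leaf; it must name our team ID.
    printf '%s\n' "$report" \
        | grep -q "1\. Developer ID Installer: .*($expected_team)" || return 2
    return 0
}

# Live wrapper for use on a Mac (not exercised here): run pkgutil on a real package.
verify_pkg() {
    pkgutil --check-signature "$1" | verify_pkg_report "$2"
}

# Constructed sample reports modelled on pkgutil's output; the team ID ABCDE12345
# and the publisher name are placeholders, not real identities.
GOOD_REPORT='Package "signed-example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-05-01 10:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       Expires: 2027-02-01 00:00:00 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000'

UNSIGNED_REPORT='Package "example.pkg":
   Status: no signature'

# Stand-alone demonstration against the constructed reports.
printf '%s\n' "$GOOD_REPORT" | verify_pkg_report ABCDE12345 && echo "signed-example.pkg: accepted"
printf '%s\n' "$UNSIGNED_REPORT" | verify_pkg_report ABCDE12345 || echo "example.pkg: rejected (rc=$?)"
```

On a Mac, verify_pkg ~/Desktop/signed-example.pkg ABCDE12345 runs the same check against a real package.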