How to sign macOS PKG files for deployment
Signing a PKG file is essential for security. The signature establishes that the package comes from a known developer and has not been altered since it was signed, so the app can be trusted for use and is protected against malicious modification. A signed PKG file can be deployed remotely to enrolled macOS devices through the Hexnode UEM console. To sign macOS packages, you need access to an Apple Developer account, which is used to issue the signing certificate.
Two basic requirements that should be met to deploy macOS PKGs are:
- The .pkg file is built as a product archive.
- To distribute the macOS PKG as an enterprise app, the .pkg file should be signed with a Developer ID obtained from an Apple Developer Enterprise account. For all other apps distributed via the Mac App Store, the .pkg file is signed with the “Developer ID Installer” certificate obtained from an Apple Developer account.
Signing a package is a multi-step process.
- Generate a signing request.
- Generate Developer ID Installer certificate.
- Sign the macOS PKG file.
Steps to generate a signing request
To generate a certificate, you first need a Certificate Signing Request (CSR) file.
- Open the “Keychain Access” program within your macOS device.
- Click on Keychain Access appearing on the top menu bar.
- Go to Certificate Assistant > Request a Certificate From a Certificate Authority.
- Add your email address in the User Email Address field and name in the Common Name field. Leave the CA Email Address field blank.
- Under the Request is option, select Saved to disk.
- Click Continue.
- Specify the location on the device where the .csr file is to be saved and click Save.
The signing request will be saved to your machine in the specified location. This file is required to generate the “Developer ID Installer” certificate.
Steps to generate Developer ID Installer certificate
To generate the Developer ID certificate:
- Go to the Apple Developer Portal. Click on Accounts.
- Either create a new account or sign in using an existing one.
- Click on Certificates, IDs & Profiles.
- Click the + next to Certificates and select Developer ID Installer.
- Upload the Certificate Signing Request (.csr) file saved in the previous section.
- The Developer ID Installer certificate will be generated. Download the certificate and install it on your macOS device to sign the packages.
Steps to build and sign a macOS PKG file
To build and sign a macOS PKG file for a third-party app:
- Install the app on the device.
- Open Terminal.
- Build the .pkg file using the pkgbuild command.
sudo pkgbuild --component /path_to_installed_app/macapp.app --install-location /Applications --sign "Developer ID Installer: *******" /path_to_saved_package/packagename.pkg
Here, the quoted text is the name of your certificate. The two paths are the location of the already installed .app bundle (/path_to_installed_app/macapp.app) and the location where the new .pkg file is written (/path_to_saved_package/packagename.pkg), respectively.
- Sign the .pkg file using the productbuild command.
sudo productbuild --package /path_to_saved_package/packagename.pkg --content /path_to_app/ --sign "Developer ID Installer: *******" /path_to_signed_pkg/signed.pkg
Here, the quoted text is the name of the certificate. The two package paths are the component .pkg file generated in the previous step (/path_to_saved_package/packagename.pkg) and the location where the signed product archive is written (/path_to_signed_pkg/signed.pkg), respectively.
Steps to sign macOS PKG files
To sign a macOS PKG file:
- Open “Keychain Access” on the macOS device and locate the certificate. The certificate name has the format: Developer ID Installer: Apple account name (serial number).
- Open “Terminal”. The command to sign the package looks like this:
productsign --sign "Developer ID Installer: Your Apple Account Name (**********)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg
Here, the quoted text following the --sign option is the name of your certificate. The two arguments after the certificate name are the current location of the unsigned package (~/Desktop/example.pkg) and the location where the signed package is written (~/Desktop/signed-example.pkg), respectively.
The signed package is written to the destination path given in the command. You can now upload it to the app inventory.
Check the signature
Verify the signature of the PKG file. The command below displays the signature details, such as the signing timestamp and the certificate chain.
pkgutil --check-signature <PKG file>
Replace <PKG file> with the path to the PKG file, including its name.
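Before a package goes into the app inventory, the pkgutil report above can be checked mechanically rather than by eye. The script below is an added example, not part of this page or of Hexnode's tooling: it parses a pkgutil --check-signature report and accepts the package only if the status line says it is signed for distribution and the leaf certificate is a "Developer ID Installer" identity for the expected account (the identifier in parentheses, TEAMID1234 here, is a placeholder; the sample reports are constructed).

```shell
#!/bin/sh
# Gate a PKG before deployment by parsing `pkgutil --check-signature` output.
# EXPECTED_TEAM_ID is a placeholder; set it to the identifier shown in
# parentheses in your own "Developer ID Installer" certificate name.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID1234}"

# verify_signature_report REPORT_TEXT -> exit status 0 if acceptable, 1 if not.
# Prints the reason so the caller can log it.
verify_signature_report() {
    report="$1"
    # First "Status:" line and first certificate in the chain ("1. ...").
    status=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*Status: //p' | head -n 1)
    leaf=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*1\. //p' | head -n 1)
    case "$status" in
        "signed by a developer certificate issued by Apple for distribution") ;;
        *) echo "rejected: status is '${status:-missing}'"; return 1 ;;
    esac
    case "$leaf" in
        "Developer ID Installer: "*"(${EXPECTED_TEAM_ID})")
            echo "accepted: $leaf"; return 0 ;;
        "Developer ID Installer: "*)
            echo "rejected: signed by a different account: $leaf"; return 1 ;;
        *)  echo "rejected: leaf is not a Developer ID Installer certificate: ${leaf:-missing}"
            return 1 ;;
    esac
}

# verify_pkg PATH -> runs the real check on a package (macOS only).
verify_pkg() {
    verify_signature_report "$(pkgutil --check-signature "$1" 2>&1)"
}

# Constructed sample reports shaped like pkgutil's output.
GOOD_REPORT='Package "signed-example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-01-15 12:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID1234)
       Expires: 2029-01-15 12:00:00 +0000
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       ------------------------------------------------------------------------
    3. Apple Root CA'

UNSIGNED_REPORT='Package "example.pkg":
   Status: no signature'
```

On a Mac, call verify_pkg ~/Desktop/signed-example.pkg; the function's exit status is what a deployment script should branch on.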
Check file contents
You can check the contents of the PKG file using the command below.
pkgutil --expand <PKG file> <destination folder>
Replace <PKG file> with the path to the PKG file, including its name, and <destination folder> with the path to a new folder. The command creates that folder and expands the PKG contents into it. Check the expanded contents to confirm that the PKG contains the package root and the distribution root file required for successful package validation.