MacAdmins need to sign macOS packages so that the Macs receiving them can verify who built the package and that it was not modified in transit. Gatekeeper warns on or blocks unsigned packages that a user opens by hand, and packages pushed through MDM must be signed, so an unsigned package means failed deployments, security questions, and general employee resentment of us nice folks in IT.
To avoid that chaos, this post walks through obtaining a signing certificate and using it to sign your macOS packages with Terminal, Xcode, or a third-party app.
TL;DR:
Certificate Requirement: A signing certificate whose private key is in your Keychain is needed to sign macOS packages; in practice this is a Developer ID Installer certificate issued by Apple, not a TLS/SSL server certificate.
Apple Developer Account: A Developer ID Installer certificate can be created by linking the account to Xcode or by requesting it in the Apple Developer website and downloading it.
Signing Command: Use the productsign command to sign a package with a Developer ID Installer certificate.
Xcode Signing: Xcode can request a certificate from a linked Developer account and sign with it during the build and archive stages.
Hancock App: An open-source tool to sign packages by retrieving certificates from the Keychain.
Package Distribution: Signed packages can be distributed using MDM solutions like SimpleMDM.
Getting started
To sign macOS packages, you need a signing identity: a certificate plus its private key, stored in your macOS Keychain, whose chain the target Macs trust.
The standard choice is a Developer ID Installer certificate obtained from an Apple Developer account, because every Mac already trusts Apple's Developer ID Certification Authority. productsign will also sign with a certificate from another CA, but Installer, Gatekeeper, and MDM will treat that package as signed by an untrusted certificate unless that CA's chain has been added to the trust store on every Mac you deploy to.
If you don't have a certificate and prefer to use an Apple Developer account, you can start the signup process on Apple’s website.
Apple Developer Account
Certificates can be requested by linking your Developer account to Xcode (Xcode > Settings > Accounts > Manage Certificates). Alternatively, log in to your Apple Developer account online, create a Certificate Signing Request in Keychain Access (Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority), upload it, and download the issued certificate through your web browser. Only the Account Holder of the Developer account can create Developer ID certificates.
Apple Developer Account instructions
Select the Developer ID Installer certificate type when creating the certificate. A Developer ID Application certificate signs apps, not packages, and will not work with productsign.
Double-click the downloaded certificate to add it to your login keychain, then verify in Keychain Access that it appears with a private key beneath it. The private key only exists on the Mac that generated the Certificate Signing Request, so signing must happen there unless you export the identity as a .p12 and import it elsewhere.
Once you have your certificate, you can sign the macOS PKG for device management using Terminal, Xcode, or third-party solutions.
Signing PKGs with Terminal and Command Line
We will use the productsign command for this example.
1. Open Keychain Access in macOS and locate your certificate.
If using an Apple certificate: The certificate's name should start with "Developer ID Installer:", followed by your Apple Developer account name (individual or organization), and end with your 10-character Team ID in parentheses.
2. Open Terminal. The command to sign the package should look similar to this:
productsign --sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg
The value in quotes after --sign is your certificate's Common Name, exactly as shown in Keychain Access.
The first path (~/Desktop/example.pkg) is the current location of the unsigned package on your computer.
The second path (~/Desktop/signed-example.pkg) is where you want the signed copy written; productsign does not sign in place.
3. Run the command. macOS may prompt you to allow Terminal to use the private key. If successful, you should see output like this in Terminal:
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" from keychain /Users/sdeveloper/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/sdeveloper/Desktop/signed-example.pkg
The "using timestamp authority" line matters: the trusted timestamp lets the signature stay valid after your certificate expires, so do not sign while offline.
4. Verify that the signed package exists at the destination and that its signature chains to Apple. pkgutil --check-signature on the signed file should report a status of "signed by a developer certificate issued by Apple for distribution" and list your Developer ID Installer certificate first in the chain.
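The complete sign-then-verify sequence, as an added example that is not part of the original post or any SimpleMDM tool. The identity string, Team ID and paths are placeholders you replace with your own; the three pkgutil reports at the bottom are constructed samples in the format `pkgutil --check-signature` prints, not output captured from a real run, so the check function can be exercised on a Mac or elsewhere.

```shell
#!/bin/sh
# Added example (not from the post): sign a package with productsign, then refuse
# to ship it unless the signature chains to Apple and names the expected Team ID.
# Assumptions: IDENTITY, TEAM_ID and the paths are placeholders; the *_REPORT
# strings are constructed samples of pkgutil --check-signature output.
set -eu

IDENTITY="Developer ID Installer: Your Developer Name (1A2B3C4D5E)"  # Common Name from Keychain Access
TEAM_ID="1A2B3C4D5E"                                                 # the value in parentheses above
UNSIGNED="$HOME/Desktop/example.pkg"
SIGNED="$HOME/Desktop/signed-example.pkg"

# List installer identities that have a private key in the keychain, so the
# exact Common Name can be copied rather than retyped.
list_installer_identities() {
  security find-identity -v -p basic | grep 'Developer ID Installer' || true
}

# Sign $1 and write the signed copy to $2 (productsign never signs in place).
sign_pkg() {
  productsign --sign "$IDENTITY" "$1" "$2"
}

# Return 0 when a pkgutil --check-signature report shows an Apple-issued
# Developer ID Installer signature for the expected Team ID; anything else
# (no signature, an untrusted chain, another team's certificate) returns 1.
signature_ok() {
  report="$1"
  team="$2"
  printf '%s\n' "$report" | grep -q 'Status: signed by a developer certificate issued by Apple for distribution' || return 1
  printf '%s\n' "$report" | grep -q "1\. Developer ID Installer: .*($team)" || return 1
  return 0
}

# Check a package on disk (needs pkgutil, so macOS only).
verify_pkg() {
  signature_ok "$(pkgutil --check-signature "$1")" "$TEAM_ID"
}

# Constructed sample reports, trimmed to the lines the check relies on.
GOOD_REPORT='Package "signed-example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-01-01 12:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Your Developer Name (1A2B3C4D5E)
       Expires: 2029-01-01 12:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA'

UNTRUSTED_REPORT='Package "self-signed.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Internal IT Signing'

UNSIGNED_REPORT='Package "example.pkg":
   Status: no signature'

# Run the real workflow only where the Apple tools and the input package exist.
if command -v productsign >/dev/null 2>&1 && [ -f "$UNSIGNED" ]; then
  list_installer_identities
  sign_pkg "$UNSIGNED" "$SIGNED"
  if verify_pkg "$SIGNED"; then
    echo "OK: $SIGNED is signed by team $TEAM_ID with an Apple-issued certificate"
  else
    echo "FAIL: $SIGNED is unsigned, untrusted, or signed by another team; do not upload it" >&2
    exit 1
  fi
fi
```

The Team ID check is the part worth keeping in a build pipeline: a package signed with any valid Developer ID Installer certificate passes Gatekeeper, so checking only the status line would let a package signed by a different team slip through. `spctl --assess --type install signed-example.pkg` gives an independent Gatekeeper verdict on the same file if you want a second opinion.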
Signing using Xcode
Suppose you are building your macOS package in Xcode and have an Apple Developer account linked to it. In that case, Xcode can request the certificate from your Developer account and sign the package with it during the build and archive stages, so you never run productsign by hand.
When using this method, verify that Developer ID Installer is selected in the Signing Certificate dropdown under the Signing section of the target's settings (the Signing & Capabilities tab in current Xcode). If the dropdown offers only Developer ID Application, the Installer certificate has not been created for the account yet.
Refer to Apple’s documentation for more detailed instructions.
Third-party tools
In addition to the manual methods mentioned, third-party tools like Hancock are available to help sign packages.
How to use Hancock
Hancock lists the signing identities saved in your computer's Keychain and provides a GUI for quickly signing your packages; it is a front end for the same signing operation as productsign, so the certificate requirements above still apply.
Download and install the Hancock app from the releases section of the Hancock GitHub repository.
Run the Hancock app after installation.
In the app window, select your certificate from the dropdown list of certificates saved in your Keychain.
Click Sign and select the package file you want to sign.
Accept the prompt to allow access to your Keychain.
Choose the location on your computer to save the signed package.
Distributing the package
Once the package is signed and its signature verified, it is ready for your chosen device management solution.
Upload the signed .pkg file to SimpleMDM or your preferred MDM solution and deploy it to your Macs. Upload the signed copy, not the original; an unsigned package will fail to install when pushed through MDM.
How to sign macOS PKGs for deployment FAQ
What is an argument?
An argument is a piece of data or value you provide to a function, command, or script when you execute it. In the productsign command above, the identity string after --sign and the two package paths are its arguments.
Ready to sign your macOS packages and make device management even easier?
Whether using Terminal, Xcode, or a third-party tool, secure your deployment with a Developer ID Installer certificate and take control with SimpleMDM today!