How To Sign macOS PKGs for Deployment with MDM

Last updated April 19, 2019

We have written previously about how to distribute macOS PKGs with MDM. To review, Apple MDM has certain requirements for deploying macOS PKGs:

  1. The package is built as a product archive (a distribution package produced by productbuild, not a bare component package produced by pkgbuild).
  2. The .PKG file must be signed with a “Developer ID Installer” certificate, obtained through an Apple Developer account.

This article will cover how to fulfill the latter of those requirements. We will discuss some of the different methods available for signing macOS packages for distribution via MDM.

Getting Started

In order to sign macOS packages, you will need access to an Apple Developer account. If you don’t have one already, you can start the signup process on Apple’s website.

The Apple Developer account is required for generating signing certificates. You can either link your Developer account to Xcode and let Xcode request the certificate for you, or create a certificate signing request in Keychain Access, upload it to your Apple Developer account in a web browser, and download the issued certificate (.cer) file.

When creating the certificate, be sure to select the certificate type “Developer ID Installer” (not “Developer ID Application”, which is for signing apps and will not satisfy the MDM requirement). Import the downloaded certificate into the login keychain of the same Mac that generated the signing request, so that it is paired with its private key; a certificate whose private key is missing from the keychain cannot be used to sign. If you need to sign on another Mac, export the certificate together with its private key as a .p12 file from Keychain Access and import it there.

Once you have your certificate, there are a few different ways to sign the macOS PKG.

Signing PKGs with Terminal / Command Line

For this example, we will use the “productsign” command.

First, open Keychain Access within macOS and locate the certificate. The name of the certificate should start with “Developer ID Installer:”, followed by your developer or team name, and end with your 10-character Team ID in parentheses – take note of the full name, as you will pass it to the signing command.

Next, open Terminal. The command to sign the package should look similar to this:

productsign --sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg

The value in quotes following the "--sign" option should be the Common Name of your certificate, exactly as it appears in Keychain Access (use plain straight quotes; curly quotes pasted from a web page will break the command). The first argument ('~/Desktop/example.pkg') is the current location on your computer of the unsigned package. The second argument ('~/Desktop/signed-example.pkg') is the destination where you want the signed package saved; productsign writes a new file and leaves the original untouched.

Then, run the command. If it is successful, you should see something similar to the following printed out in Terminal:

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" from keychain /Users/sdeveloper/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/sdeveloper/Downloads/munkitools_signed-3.2.0.3476.pkg

Verify that the signed package was written to the destination you specified. A package exists at that path only if signing succeeded; if productsign cannot find the identity or its private key, it exits with an error and writes nothing.
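The steps above can be wrapped in a small script that refuses the two most common mistakes (passing a Developer ID Application identity instead of an Installer one, and signing a component package instead of a product archive) and then checks the result the way installer and Gatekeeper will. This is an added example written for this article, not SimpleMDM's or Apple's code; it assumes the identity string has the shape shown above with a 10-character Team ID, that `security find-identity -v -p basic` lists the installer identity in your keychain, and that `xar` is available (it ships with macOS).

```shell
#!/bin/sh
# sign-and-verify-pkg.sh: sign a product archive with a Developer ID Installer
# identity and verify the result. Added example for this article, not vendor code.
# Usage: sh sign-and-verify-pkg.sh "Developer ID Installer: Name (TEAMID)" in.pkg out.pkg
set -e

# Check the identity string before touching the keychain. A Developer ID
# *Application* certificate has the same shape but produces a package that MDM
# will not accept, so the type is checked along with the 10-character Team ID
# (assumed to be uppercase letters and digits, as in "1A2B3C4D5E").
validate_identity() {
  case "$1" in
    "Developer ID Installer: "*" ("[A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9]")") return 0 ;;
    *) return 1 ;;
  esac
}

# A product archive (built with productbuild) carries a Distribution file at the
# root of the xar container; a bare component package from pkgbuild does not.
is_product_archive() {
  xar -tf "$1" | grep -qx 'Distribution'
}

# Confirm the identity (certificate plus private key) is present in a keychain;
# a certificate imported without its private key will not be listed here.
identity_in_keychain() {
  security find-identity -v -p basic | grep -Fq "$1"
}

# Check the signature chain and Gatekeeper's install assessment, not just that
# a file was written. spctl prints "accepted source=Developer ID" on success.
verify_signed_pkg() {
  pkgutil --check-signature "$1" | grep -q 'Developer ID Installer' || return 1
  spctl --assess --verbose --type install "$1"
}

sign_pkg() {
  identity=$1; unsigned=$2; signed=$3
  validate_identity "$identity" || {
    echo "identity must be a Developer ID Installer certificate with a Team ID" >&2; return 1; }
  identity_in_keychain "$identity" || {
    echo "identity not found in keychain (is its private key present?)" >&2; return 1; }
  is_product_archive "$unsigned" || {
    echo "$unsigned is not a product archive; build it with productbuild" >&2; return 1; }
  productsign --sign "$identity" "$unsigned" "$signed"
  verify_signed_pkg "$signed"
}

# Only run when invoked with all three arguments, so the file can also be
# sourced to reuse the functions.
if [ "$#" -eq 3 ]; then
  sign_pkg "$1" "$2" "$3"
fi
```

The `validate_identity` check is deliberately strict about the certificate type: signing with a Developer ID Application identity succeeds from productsign's point of view but yields a package that installer will not treat as Developer ID signed, which is the failure that usually surfaces only after the package has been uploaded to MDM.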

Signing Using Xcode

If you are developing your macOS PKG in Xcode and have an Apple Developer account linked to it, Xcode can automatically request a certificate from your Developer account and apply that signing certificate to the package during the build and archive stages. We recommend referring to Apple’s documentation for more detailed instructions on this process.

When using this method, verify that you have selected “Developer ID Installer” from the dropdown list for the ‘Signing Certificate’ setting. This is located under the Signing section of the General settings tab.

Third-Party Tools

In addition to the manual methods we’ve mentioned, there are third-party tools that exist to help with the process of signing packages. One open-source solution we will look at is called Hancock. This tool reads the signing certificates saved in your computer’s Keychain and provides a GUI for signing your packages with them.

The first step is to download and install the Hancock app to your computer. Links to download the installer can be found in the releases section of the Hancock GitHub site.

When the Hancock app has finished installing, run the app. In the app window, a dropdown list will be shown with names of any certificates saved to your Keychain – select your “Developer ID Installer” certificate here. Click “Sign” and select the package file that you want to sign. You will then be prompted to allow access to your Keychain – accept this prompt. Finally, choose the location on your computer where you want to save the signed package.

Distributing the Package

Any of these methods will allow you to adequately sign a macOS PKG for distribution with MDM. Once complete, you can upload the .pkg file to SimpleMDM and deploy it to your Macs. For guidance with this process, you may refer to the walkthrough at the bottom of our previous article: Distribute macOS PKGs via MDM.
