Sign macOS *.pkg files

This guide shows how to obtain the certificates used to sign a *.pkg file, and how to notarize and staple the signed package so that Gatekeeper accepts it.

Prerequisites

  • A Mac computer
  • An Apple Developer account with a paid Apple Developer Program membership; Developer ID certificates are only issued to paid accounts.
    Create an Apple Developer account: https://developer.apple.com/

Create CSR

To get a certificate we need to create a CSR (certificate signing request), which we can do in Keychain Access. The key pair is generated on your Mac and the private key never leaves your login keychain; the CSR only carries the public key and the names you enter.

  1. Open Keychain Access, under Launchpad > Other or in Finder under /Applications/Utilities.

  2. In Keychain Access, open the Keychain Access menu, point to Certificate Assistant and click “Request a Certificate From a Certificate Authority…”.

  3. The Certificate Assistant dialog appears:
  • User Email Address: type your email address
  • Common Name: a name that identifies your key pair in Keychain Access
  • CA Email Address: leave empty
  • Let me specify key pair information: leave unchecked for normal use; the default is a 2048-bit RSA key, which is what Apple expects for Developer ID certificates
  • Choose Saved to disk and click Continue

  4. Save the file CertificateSigningRequest.certSigningRequest.

  5. On the Conclusion screen, click Show in Finder or Done.

  6. The file CertificateSigningRequest.certSigningRequest should now be where you saved it in Finder.

  6b. If you want to see what is in the CSR, use a decoder.

  • Open the CSR in TextEdit. It is a block of Base64 text between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

  • Select and copy everything in TextEdit (cmd+A, cmd+C).
  • Go to https://certlogik.com/decoder/, paste the content and click Decode. The CSR contains no private key, so this exposes nothing secret, but it does disclose your email address and common name to a third-party site; decoding it locally with openssl shows the same fields.

  • Check that the CSR checks are OK and that emailAddress and Common Name match what you typed in Certificate Assistant.


  7. Check the private/public key for the newly created CSR
  • In Keychain Access, select login in the left sidebar
  • Select the Keys category
  • You should see a private key and a public key named with the Common Name you entered
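As an added example (not part of the original guide), here is a shell script that performs the same CSR check locally with openssl, so nothing is pasted into a third-party site, and additionally verifies the CSR's self-signature (proof that the requester holds the matching private key) and the key algorithm and size. It assumes openssl is on the PATH (it ships with macOS). Run with no argument and it builds a throwaway key and CSR with constructed names (dev@example.com, Example Signing Key) and inspects that; otherwise pass the path to your own CertificateSigningRequest.certSigningRequest.

```shell
#!/bin/sh
# Added example, not part of the original guide: inspect a CSR locally with
# openssl instead of pasting it into a web decoder.
# Usage: sh inspect-csr.sh ~/Desktop/CertificateSigningRequest.certSigningRequest
# With no argument it generates a throwaway CSR and inspects that.
set -eu

# Verify the CSR's self-signature. Exit status only; output is discarded.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. "CN=Example Signing Key,emailAddress=dev@example.com".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Pull one attribute (CN, emailAddress, ...) out of the RFC 2253 subject.
csr_attr() {
  csr_subject "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Key algorithm and size, e.g. "rsaEncryption 2048". Apple expects a 2048-bit
# RSA key for Developer ID requests, which is also Keychain Access's default.
csr_key() {
  text="$(openssl req -in "$1" -noout -text)"
  alg="$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)"
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
  printf '%s %s\n' "$alg" "$bits"
}

# Constructed input for the demo: a fresh key and CSR carrying the same two
# fields Certificate Assistant fills in (email and common name). Prints the
# CSR path; the key stays in the temp dir and is never used for anything.
make_sample_csr() {
  dir="$(mktemp -d)"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/key.pem" -out "$dir/sample.certSigningRequest" \
    -subj "/emailAddress=dev@example.com/CN=Example Signing Key" >/dev/null 2>&1
  printf '%s\n' "$dir/sample.certSigningRequest"
}

# Human-readable report; fails if the self-signature does not verify.
inspect_csr() {
  csr_verify "$1" || { echo "$1: CSR signature does NOT verify" >&2; return 1; }
  echo "CSR:         $1"
  echo "Signature:   OK"
  echo "Common name: $(csr_attr "$1" CN)"
  echo "Email:       $(csr_attr "$1" emailAddress)"
  echo "Key:         $(csr_key "$1")"
}

if [ $# -eq 0 ]; then
  inspect_csr "$(make_sample_csr)"
else
  inspect_csr "$1"
fi
```

The self-signature check matters because a CSR whose signature does not verify will be rejected by Apple's portal anyway; catching it locally saves a round trip, and the key line confirms you did not accidentally pick a non-default key type in Certificate Assistant.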

Request your certificate

Go to the Apple developer portal and generate the certificates used to sign the pkg and the app inside it.

  1. Go to: https://developer.apple.com/account/resources and sign in

  2. Click Certificates in the sidebar.

  3. Click the blue + button 
  4. Under Software, select one and click Continue:
  • Developer ID Installer: used to sign a Mac Installer Package (.pkg) that contains your signed app.
  • Developer ID Application: used to sign the Mac app and any other executable code inside the package. The notary service requires the package contents to be signed with this certificate, so you need both.

5. Click Choose File.

6. In the dialog that appears, select the certificate request file (a file with a .certSigningRequest file extension), then click Choose.

7. Click Continue.

8. Click Download.

9. Repeat from step 4 for the other certificate type, using the same CSR.

10. In the developer portal there should now be two certificates.

11. The certificate file (a file with a .cer file extension) appears in your Downloads folder.

12. To install the certificate in your keychain, double-click the downloaded certificate file. The certificate appears in the My Certificates category in Keychain Access.

13. In Keychain Access the certificate is shown as: Developer ID Installer: Name of Common name (TeamID). Note that Apple does not use the Common Name you typed in the CSR; the name in the issued certificate is the developer or team name of your Apple Developer account, and TeamID is your 10-character Team ID.

14. Use Terminal to check that you have the certificates installed:

security find-identity -p basic -v
------ RESULT: ------
1) XXXXX[REDACTED] "Developer ID Installer: Name of Common name (TeamID)"
2) XXXXX[REDACTED] "Developer ID Application: Name of Common name (TeamID)"
3) [REDACTED] "[REDACTED]"
   3 valid identities found

Sign pkg file

  1. Open Terminal and run the command below to sign the pkg and write a new, signed copy:
  • --sign: the name of the signing identity, i.e. the Common Name of the Developer ID Installer certificate as listed by security find-identity
  • /Download/package.pkg is the existing, unsigned package
  • /Download/signed-package.pkg is the signed package that will be written
productsign --sign "Developer ID Installer: Name of Common name (TeamID)" /Download/package.pkg /Download/signed-package.pkg
------ RESULT: ------
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Name of Common name (TeamID)" from keychain /Users/username/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Download/signed-package.pkg

The first line matters: productsign contacts Apple's timestamp authority (so you need network access) and embeds a trusted timestamp, which keeps the signature valid after the certificate itself expires.

TIP!

Third-party tools for signing pkg

Hancock is a GUI tool for signing packages:

https://github.com/JeremyAgost/Hancock

In Terminal, check the signature of the package you just produced:

pkgutil --check-signature /Download/signed-package.pkg
------ RESULT: ------
Package "signed-package.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000
   Certificate Chain:
    1. Developer ID Installer: Name of Common name (TeamID)
       Expires: 2028-09-04 17:12:15 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2029-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

Notarization

Create an app-specific password

Apple's instructions: https://support.apple.com/en-us/HT204397

  1. Sign in to appleid.apple.com.
  2. In the Sign-In and Security section, select App-Specific Passwords.
  3. Select Generate an app-specific password (or the blue + Add button), then follow the steps on your screen.
  4. Copy the app-specific password; it is shown only once. It lets anyone who holds it submit software for notarization under your account, so treat it as a credential and never commit it to a repository. For CI, notarytool can use an App Store Connect API key instead (store-credentials with --key, --key-id and --issuer).

Add the app-specific password to the keychain

From Terminal run:

xcrun notarytool store-credentials --apple-id "email@domain.com" --team-id "TeamID"

You are prompted for two values:

  • A profile name (any label; you pass it to --keychain-profile later)
  • The app-specific password

This stores the credentials in your keychain, so the password never has to appear in shell history or in a script.

------ RESULT: ------
Profile name: notarize-YOUR_APP
App-specific password for "email@domain.com":
Validating your credentials...
Success. Credentials validated.
Credentials saved to Keychain.
To use them, specify `--keychain-profile "notarize-YOUR_APP"`

Now notarize the PKG file with this command:

xcrun notarytool submit /Download/signed-package.pkg --keychain-profile "notarize-YOUR_APP"
------ RESULT: ------
Conducting pre-submission checks for signed-package.pkg and initiating connection to the Apple notary service...
Submission ID received
  id: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Upload progress: 100,00% (38,3 MB of 38,3 MB)
Successfully uploaded file
  id: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
  path: /Download/signed-package.pkg

Information about the submission

xcrun notarytool info --keychain-profile "notarize-YOUR_APP" xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

Pass the submission id printed by the submit command. Processing usually takes a few minutes, though it can take considerably longer; until it finishes, status says In Progress.

------ RESULT: ------
Successfully received submission info
  createdDate: 2023-04-24T11:18:28.350Z
  id: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx 
  name: signed-package.pkg
  status: In Progress

Once processing finishes, if everything is ok the status is Accepted (otherwise it is Invalid; see the log command at the end of this guide).

------ RESULT: ------
Successfully received submission info
  createdDate: 2023-04-24T11:18:28.350Z
  id: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
  name: signed-package.pkg
  status: Accepted

Stapling the PKG file attaches the notarization ticket to the package itself, so Gatekeeper can verify it without contacting Apple, for example on a machine without internet access:

xcrun stapler staple /Download/signed-package.pkg
------ RESULT: ------
Processing: /Download/signed-package.pkg
Processing: /Download/signed-package.pkg
The staple and validate action worked!

Verify the package file; the output now has a Notarization line that was missing before stapling:

pkgutil --check-signature /Download/signed-package.pkg
------ RESULT: ------
Package "signed-package.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000
   Certificate Chain:
    1. Developer ID Installer: Name of Common name (TeamID)
       Expires: 2028-09-04 17:12:15 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2029-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

If something goes wrong (status Invalid), fetch the log; it lists every file inside the package that failed and the reason for each:

xcrun notarytool log --keychain-profile "notarize-YOUR_APP" xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
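The whole procedure above (sign, notarize, staple, verify) as one script. This is an added example, not from the original guide. It assumes the Developer ID Installer identity and the notarize-YOUR_APP keychain profile from the steps above; both are placeholders you can override through the IDENTITY and PROFILE environment variables. It uses notarytool's --wait option instead of polling info by hand, fetches the log automatically whenever the status is not Accepted, and ends with pkgutil and spctl --assess --type install, the same Gatekeeper assessment the Installer performs. The helper functions that parse tool output are plain text processing, and the SAMPLE_* strings are constructed output modelled on the listings above (not captured from a real run) so those helpers can be exercised on any machine: run with no arguments to see that, or with two paths to sign a real package on a Mac.

```shell
#!/bin/sh
# Added example, not from the original guide: sign, notarize, staple and verify
# a .pkg end to end. Assumes the Developer ID Installer identity is in the login
# keychain and the notarytool profile "notarize-YOUR_APP" exists (set up above).
# Usage: sh notarize-pkg.sh package.pkg signed-package.pkg
set -eu

IDENTITY="${IDENTITY:-Developer ID Installer: Name of Common name (TeamID)}"
PROFILE="${PROFILE:-notarize-YOUR_APP}"

# --- helpers that parse tool output (plain text, usable without a Mac) -------

# First "id:" value in notarytool output: the submission ID for info/log.
submission_id() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*id:[[:space:]]*//p' | head -n 1
}

# "status:" value in notarytool output: In Progress, Accepted or Invalid.
notary_status() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

# Succeeds only if `pkgutil --check-signature` output shows everything a
# distributed installer needs: a Developer ID signature, a trusted timestamp
# (signature stays valid after the certificate expires) and a stapled
# notarization ticket (Gatekeeper can verify it offline).
check_signature_output() {
  printf '%s\n' "$1" | grep -q 'Status: signed by a developer certificate issued by Apple for distribution' &&
    printf '%s\n' "$1" | grep -q 'Signed with a trusted timestamp' &&
    printf '%s\n' "$1" | grep -q 'Notarization: trusted by the Apple notary service'
}

# --- the pipeline itself (macOS only) ----------------------------------------

sign_notarize_staple() {
  in="$1"; out="$2"

  # 1. Sign. productsign contacts Apple's timestamp authority by default.
  productsign --sign "$IDENTITY" "$in" "$out"

  # 2. Submit and block until the notary service has a verdict, instead of
  #    polling `notarytool info`. Failure is handled below, not by set -e.
  result="$(xcrun notarytool submit "$out" --keychain-profile "$PROFILE" --wait || true)"
  printf '%s\n' "$result"
  id="$(submission_id "$result")"
  if [ "$(notary_status "$result")" != "Accepted" ]; then
    # 3. Not Accepted: the log names every file that failed and why.
    [ -z "$id" ] || xcrun notarytool log --keychain-profile "$PROFILE" "$id"
    return 1
  fi

  # 4. Attach the ticket to the package.
  xcrun stapler staple "$out"

  # 5. Verify chain, timestamp and ticket, then run the Gatekeeper
  #    assessment an installer would perform.
  sig="$(pkgutil --check-signature "$out")"
  printf '%s\n' "$sig"
  check_signature_output "$sig"
  spctl --assess --type install -vv "$out"
}

# --- constructed sample output, modelled on the listings above (not captured
#     from a real run), so the helpers can be tried on any machine ------------

SAMPLE_INFO='Successfully received submission info
  createdDate: 2023-04-24T11:18:28.350Z
  id: 00000000-0000-0000-0000-000000000000
  name: signed-package.pkg
  status: Accepted'

SAMPLE_CHECK_NOTARIZED='Package "signed-package.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000'

# Same package before stapling: signed and timestamped, but no ticket yet.
SAMPLE_CHECK_UNSTAPLED='Package "signed-package.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000'

if [ $# -eq 2 ]; then
  sign_notarize_staple "$1" "$2"
elif [ $# -eq 0 ]; then
  echo "sample submission id: $(submission_id "$SAMPLE_INFO")"
  echo "sample status:        $(notary_status "$SAMPLE_INFO")"
  check_signature_output "$SAMPLE_CHECK_NOTARIZED" && echo "notarized sample:  OK"
  check_signature_output "$SAMPLE_CHECK_UNSTAPLED" || echo "unstapled sample:  no notarization ticket"
else
  echo "usage: $0 package.pkg signed-package.pkg" >&2
  exit 2
fi
```

The script deliberately captures the submit output and inspects the status line rather than relying on notarytool's exit code, so an Invalid verdict always leads to the log being fetched; and it treats a package without the Notarization line as a failure, which catches the common mistake of shipping a signed but unstapled installer.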
