How To Sign macOS PKGs for Deployment with MDM

We have written previously about how to distribute macOS PKGs with MDM. To review, Apple MDM has certain requirements for deploying macOS PKGs:

1. The package is built as a product archive.
2. The .PKG file must be signed by a trusted certificate.

This article will cover how to fulfill the latter requirement. We will discuss some of the different methods available for signing macOS packages for distribution via MDM.

Getting Started

In order to sign macOS packages, you will need an appropriate certificate (such as a TLS/SSL certificate with signing usage) that is verifiable on the client. It is common to use a “Developer ID Installer” certificate for this purpose, obtained from an Apple Developer account, though third-party certificates that meet these requirements are also acceptable. If you don’t have a certificate already and wish to use an Apple Developer account for this purpose, you can start the signup process on Apple’s website.

If using an Apple Developer account, certificates can be generated by linking your Developer account to Xcode and exporting the certificate file from Xcode, or you can log in to your Apple Developer account online and download the certificate through a web browser.

When creating the certificate, be sure to select the certificate type as a “Developer ID Installer” certificate. Verify that it is saved to your macOS Keychain.

Once you have your certificate, there are a few different ways to sign the macOS PKG.

Signing PKGs with Terminal / Command Line

For this example, we will use the “productsign” command.

First, open Keychain Access within macOS and locate the certificate. If using an Apple certificate, the name of the certificate should start with “Developer ID Installer:”, followed by your Apple Developer account name, and end with a serial number in parentheses. Take note of this full name, since it is the identity you will pass to the signing command.

Next, open Terminal. The command to sign the package should look similar to this:

productsign --sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg

The value in quotes following the “--sign” flag should be the Common Name of your certificate. The first path argument (‘~/Desktop/example.pkg’) is the current location on your computer of the unsigned package. The second path argument (‘~/Desktop/signed-example.pkg’) is the destination where you want the signed package to be saved.

Then, run the command. If it is successful, you should see something similar to the following printed out in Terminal:

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" from keychain /Users/sdeveloper/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/sdeveloper/Downloads/munkitools_signed-3.2.0.3476.pkg

Verify that the signed package is located at the destination you specified.
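Beyond checking that the file exists, it is worth confirming that the output really is a product archive and that the signature chain is trusted and uses the intended identity before uploading it to MDM. The script below is an added example, not code from the original article: it wraps the productsign step above, lists the “Developer ID Installer” identities in your Keychain (so you can copy the exact common name), and parses the output of `pkgutil --check-signature`, rejecting unsigned packages, untrusted chains, and packages signed with the wrong kind of identity (for example a “Developer ID Application” certificate). It assumes macOS with the Xcode command line tools installed; the identity names, paths and the sample `pkgutil` reports are constructed placeholders, and the file name in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original article: sign a product archive
# with productsign, then check the result before it goes to MDM.
# Assumes macOS with the Xcode command line tools (security, productsign,
# pkgutil, xar). Identity names, paths and the sample reports below are
# placeholders/constructed samples, not values from the article.
set -eu

# Print the common names of Developer ID Installer identities in the keychain,
# i.e. the exact strings you pass to `productsign --sign`.
list_installer_identities() {
  security find-identity -v | grep -o '"Developer ID Installer:[^"]*"' | tr -d '"'
}

# sign_pkg <identity common name> <unsigned.pkg> <signed.pkg>
sign_pkg() {
  identity=$1; in_pkg=$2; out_pkg=$3
  [ -f "$in_pkg" ] || { echo "sign_pkg: $in_pkg not found" >&2; return 1; }
  # --timestamp requests a trusted timestamp (productsign does this by default
  # when it can reach the timestamp service); the signature then stays valid
  # after the certificate itself expires.
  productsign --timestamp --sign "$identity" "$in_pkg" "$out_pkg"
}

# assess_signature_report [expected leaf prefix]
# Reads `pkgutil --check-signature` output on stdin. Returns 0 only when the
# package is signed, the status is not untrusted/expired/revoked, and the leaf
# certificate is the kind you meant to sign with. The default prefix matches an
# Apple "Developer ID Installer" identity; pass another prefix when signing
# with a third-party certificate.
assess_signature_report() {
  want_leaf="${1:-Developer ID Installer:}"
  report=$(cat)
  status=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*Status: //p' | head -n 1)
  leaf=$(printf '%s\n' "$report" | sed -n 's/^[[:space:]]*1\. //p' | head -n 1)
  case "$status" in
    "") echo "no Status line in report" >&2; return 2 ;;
    "no signature"*) echo "package is unsigned" >&2; return 1 ;;
    *untrusted*|*expired*|*revoked*) echo "signature not trusted: $status" >&2; return 1 ;;
    signed*) ;;
    *) echo "unexpected status: $status" >&2; return 2 ;;
  esac
  case "$leaf" in
    "$want_leaf"*) return 0 ;;
    *) echo "leaf certificate '$leaf' is not a '$want_leaf' identity" >&2; return 1 ;;
  esac
}

# verify_pkg <signed.pkg>: the real checks, run on macOS before uploading.
verify_pkg() {
  pkg=$1
  # A product archive (built with productbuild) has a Distribution file at its
  # top level; a bare component package has PackageInfo there instead and does
  # not meet the product-archive requirement, however well it is signed.
  xar -tf "$pkg" | grep -qx Distribution \
    || { echo "verify_pkg: $pkg is not a product archive" >&2; return 1; }
  pkgutil --check-signature "$pkg" | assess_signature_report
}

# Constructed sample reports (placeholder values) so the parser can be
# exercised without a real package or keychain.
SAMPLE_GOOD_REPORT='Package "signed-example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-01-15 10:22:31 +0000
   Certificate Chain:
    1. Developer ID Installer: Your Developer Name (1A2B3C4D5E)
       Expires: 2029-01-15 10:00:00 +0000
       SHA256 Fingerprint:
           00 11 22 33 (placeholder)
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       ------------------------------------------------------------------------
    3. Apple Root CA'
SAMPLE_UNSIGNED_REPORT='Package "example.pkg":
   Status: no signature'
# Signed with the wrong kind of Developer ID identity (Application, not Installer).
SAMPLE_WRONG_LEAF_REPORT='Package "wrong.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Application: Your Developer Name (1A2B3C4D5E)
    2. Developer ID Certification Authority
    3. Apple Root CA'

case "${1-}" in
  identities) list_installer_identities ;;
  sign)       sign_pkg "$2" "$3" "$4" ;;
  verify)     verify_pkg "$2" ;;
  demo)       printf '%s\n' "$SAMPLE_GOOD_REPORT" | assess_signature_report \
                && echo "sample report: OK" ;;
esac
```

Saved as, say, sign-and-verify.sh (a hypothetical name), `sh sign-and-verify.sh identities` prints the identity names to use, `sh sign-and-verify.sh sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg` performs the signing, and `sh sign-and-verify.sh verify ~/Desktop/signed-example.pkg` runs the checks; `demo` exercises the parser on the constructed sample without touching the keychain. The leaf-certificate check is there because a package signed with a “Developer ID Application” identity still reports as signed, but is not what the MDM requirement calls for.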

Signing Using Xcode

If you are developing your macOS PKG in Xcode and have an Apple Developer account linked to it, Xcode can automatically request a certificate from your Developer account and apply that signing certificate to the package during the build and archive stages. We recommend referring to Apple’s documentation for more detailed instructions on this process.

When using this method, verify that you have selected “Developer ID Installer” from the dropdown list for the ‘Signing Certificate’ setting. This is located under the Signing section of the General settings tab.

Third-Party Tools

In addition to the manual methods we’ve mentioned, there are third-party tools that exist to help with the process of signing packages. One open-source solution we will look at is called Hancock. This tool retrieves certificates saved in your computer’s Keychain and provides a GUI to easily sign your packages.

The first step is to download and install the Hancock app to your computer. Links to download the installer can be found in the releases section of the Hancock GitHub site.

When the Hancock app has finished installing, run the app. In the app window, a dropdown list will be shown with names of any certificates saved to your Keychain – select your certificate here. Click “Sign” and select the package file that you want to sign. You will then be prompted to allow access to your Keychain – accept this prompt. Finally, choose the location on your computer where you want to save the signed package.

Distributing the Package

Any of these methods will allow you to adequately sign a macOS PKG for distribution with MDM. Once complete, you can upload the .pkg file to SimpleMDM and deploy it to your Macs. For guidance with this process, you may refer to the walkthrough at the bottom of our previous article: Distribute macOS PKGs via MDM.