Info: Signing macOS packages with a cert

PaulF
Meraki Employee

For security reasons, and to protect users, you may sometimes need to prevent unsigned (or unknown) packages from being deployed.

If you're downloading a PKG from a vendor's website, this *shouldn't* normally affect you. But if you want to build your own packages (with custom preinstall and postinstall scripts, for example), or the application vendor hasn't signed their package (you should consider why that is), then here's a simple guide to signing a package for deployment with Meraki Systems Manager.

If you don't know whether a package is signed or not, run the installer manually: a signed package shows a padlock in the top right of the Installer window, and clicking it shows the signing certificate and its chain. An unsigned package has no padlock.

Requirements:

You’ll need a developer account at https://developer.apple.com with a paid Apple Developer Program membership; free accounts cannot create Developer ID certificates.

Part One: Apple Developer Website

  1. Log on to: https://developer.apple.com/account/resources/certificates/list
    1. If redirected, go to Account > Certificates, IDs & Profiles
  2. You'll see any certificates already created. Click the +
  3. Select Developer ID Installer and click Continue. (Don't pick Mac Installer Distribution: that certificate only signs packages submitted to the Mac App Store, and it does not produce the "Developer ID Installer" identity used below.)
  4. The site will now ask for your CSR...

Part Two: Creating a CSR

  1. Open Keychain Access on your Mac
  2. Click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
  3. Enter an email address in User Email Address.
  4. In the Common Name field, enter a name for the key
  5. Leave the CA Email Address field empty.
  6. Choose “Saved to disk”, click Continue, and save the request file.

Keychain Access generates the private key at the same time as the CSR and stores it in your login keychain. Only that key can pair with the certificate Apple issues, so create the CSR on the Mac you intend to sign from (or export the key later as a .p12 if you need to move it).

More details here: https://help.apple.com/developer-account/#/devbfa00fef7

Part Three: Requesting your certificate

  1. Go back to your web page at Apple Developer
  2. Under Create a New Certificate, click Choose File
  3. Select the CertificateSigningRequest.certSigningRequest file you created earlier
  4. Click Continue
  5. You can now download your certificate
  6. Double-click this to add it to your Mac’s keychain (you may wish to keep developer certs in a separate keychain, but then move the private key from Part Two there as well). The certificate only becomes a usable signing identity when it sits in the same keychain as its private key.

Part Four: Signing your package

You’ll need to know the identity of the signing certificate you created in the first section. You can list the identities installed in your keychains with:

security find-identity -v -p basic

Note the policy flag: Developer ID Installer certificates carry an installer-signing extended key usage rather than the generic code-signing one, so -p codesigning (which lists Developer ID Application certificates) leaves them out. The quoted name in the output, including the team ID in parentheses, is the identity string productsign needs.

Open Terminal in the directory where your newly created install package is. We are going to use com.meraki.plistonly.pkg as the example.

Type:

productsign --sign 'Developer ID Installer: Paul Fidler (7H6G5F4D3D)' com.meraki.plistonly.pkg com.meraki.plistonly-signed.pkg

You’ll be prompted for your keychain password (normally the logged-in user’s login password) so that productsign can use the private key.

You should see the following:

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Paul Fidler (7H6G5F4D3D)" from keychain /Users/Paul.Fidler/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to com.meraki.plistonly-signed.pkg

Et voilà, you now have a signed installer called com.meraki.plistonly-signed.pkg! The "using timestamp authority" line means productsign obtained a trusted timestamp from Apple, so the Mac needs internet access while signing; the timestamp is what keeps the signature valid after the certificate itself expires. This signs the package only: if the same package is also given to users to download and run outside of MDM, Gatekeeper on macOS 10.15 and later additionally expects it to be notarized.
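As an added example (not part of the original post), the script below wraps Part Four end to end and also answers the "is this package signed?" question from the padlock paragraph on the command line: it checks that the installer identity is present in a keychain, signs with productsign, then runs pkgutil --check-signature on the result and only accepts it if the leaf signer is a Developer ID Installer certificate. The identity string is the one from the post; the package paths are placeholders, and the two pkgutil outputs embedded as samples are constructed (trimmed to the Status and chain lines) so the parsing functions can be exercised without a Mac.

```shell
#!/bin/sh
# sign_and_verify.sh -- added example, not from the original post.
# Signs a flat .pkg with a Developer ID Installer identity and refuses to
# hand back a package that does not verify. macOS only for sign_pkg; the
# parsing helpers run anywhere.
set -eu

# Constructed samples of `pkgutil --check-signature` output, trimmed to the
# lines this script reads (real output also shows expiry dates and fingerprints).
SAMPLE_SIGNED='Package "com.meraki.plistonly-signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Paul Fidler (7H6G5F4D3D)
    2. Developer ID Certification Authority
    3. Apple Root CA'

SAMPLE_UNSIGNED='Package "com.meraki.plistonly.pkg":
   Status: no signature'

# Print the "Status:" value from pkgutil --check-signature output on stdin.
pkg_signature_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Print the leaf signer (entry 1 of the certificate chain); empty if unsigned.
pkg_signer() {
    sed -n 's/^[[:space:]]*1\. //p' | head -n 1
}

# Exit 0 only when stdin describes a package that is signed AND the leaf is a
# Developer ID Installer certificate. An unsigned package reports
# "Status: no signature" and has no chain; a Mac App Store installer cert or
# an ad-hoc signature fails the signer check.
is_developer_id_signed() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | pkg_signature_status)
    signer=$(printf '%s\n' "$out" | pkg_signer)
    case "$status" in
        "signed by a developer certificate issued by Apple for distribution") ;;
        *) return 1 ;;
    esac
    case "$signer" in
        "Developer ID Installer: "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sign SRC into DST with IDENTITY, then verify DST before reporting success.
sign_pkg() {
    identity=$1
    src=$2
    dst=$3
    # Installer identities are not listed under the codesigning policy; use basic.
    security find-identity -v -p basic | grep -q "\"$identity\"" || {
        echo "identity not found in any keychain: $identity" >&2
        return 1
    }
    productsign --sign "$identity" "$src" "$dst"
    # Never leave an output file behind that failed verification.
    pkgutil --check-signature "$dst" | is_developer_id_signed || {
        echo "signature check failed for $dst" >&2
        rm -f "$dst"
        return 1
    }
    echo "signed and verified: $dst"
}

# Usage (placeholder paths):
#   ./sign_and_verify.sh 'Developer ID Installer: Paul Fidler (7H6G5F4D3D)' \
#       com.meraki.plistonly.pkg com.meraki.plistonly-signed.pkg
if [ $# -eq 3 ]; then
    sign_pkg "$1" "$2" "$3"
fi
```

Piping a real pkgutil --check-signature run into is_developer_id_signed is also a cheap pre-deployment gate: a package that was signed with the wrong certificate type, or not at all, is caught before it ever reaches Systems Manager.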



0 Replies 0
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels