This guide shows how to get a certificate that will be used to sign and notarize a pkg file.
Prerequisites
Mac computer
You’ll need an Apple developer account with a paid subscription. Create an Apple Developer account at https://developer.apple.com/
Create CSR
To get a certificate we need to create a CSR (certificate signing request), which we can do in Keychain Access.
Open Keychain Access under Launchpad/Other or in Finder under /Applications/Utilities.
In the Keychain Access app, click the Keychain Access menu, point to Certificate Assistant and click “Request a Certificate From a Certificate Authority”.
Dialog Certificate Assistant will appear
User Email Address: type your email
Common name: a name that identifies your certificate
CA Email address: leave empty
Let me specify key pair information: uncheck for “normal” use
Choose Save to disk and click Continue
Save the “CertificateSigningRequest.certSigningRequest”
Conclusion: click Show in Finder or click Done
Your “CertificateSigningRequest.certSigningRequest” file should now be shown in Finder
6b. If you want to see what is in the CSR, use a decoder
Open the CSR in TextEdit and it should look something like this
- Copy everything in TextEdit (cmd+a and cmd+c)
- Go to https://certlogik.com/decoder/, paste the content and press decode
- Check that the CSR checks are OK and that emailAddress and emailAddress Name are what you wrote in the CSR in Certificate Assistant
7. Check the Private/Public Key for the newly created CSR
- In Keychain Access press login in the left sidebar
- In Keychain Access press the item Keys
- There you should see the Common name of your Private/Public key
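The same check as step 6b can be done locally with the openssl command that ships with macOS, so the request never leaves the machine. This is an added example, not part of the original guide; the function names, the sample subject values and the return codes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inspect a CSR locally instead of pasting it into a web decoder.

# make_sample_csr DIR: writes a throwaway key and CSR (constructed sample data,
# standing in for the file that Keychain Access saved).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/sample.key" -out "$1/sample.certSigningRequest" \
        -subj "/emailAddress=dev@example.com/CN=Example Dev" 2>/dev/null
}

# check_csr FILE EMAIL COMMON_NAME
# Returns 0 if the CSR self-signature verifies and the subject contains the
# expected email and common name; 1 = unreadable or bad signature,
# 2 = email not found in subject, 3 = common name not found in subject.
check_csr() {
    csr=$1 email=$2 cn=$3
    # Exit codes for a failed -verify differ between OpenSSL releases, so match
    # the "verify OK" message instead of trusting the exit status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subject=$(openssl req -in "$csr" -noout -subject 2>/dev/null) || return 1
    # Substring match, because the subject layout differs between versions.
    case $subject in *"$email"*) ;; *) return 2 ;; esac
    case $subject in *"$cn"*) ;; *) return 3 ;; esac
    printf '%s\n' "$subject"
}

# Demo on the constructed sample. For a real request, pass the path to
# CertificateSigningRequest.certSigningRequest and the values you typed
# into Certificate Assistant.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_sample_csr "$demo_dir" &&
        check_csr "$demo_dir/sample.certSigningRequest" dev@example.com "Example Dev"
    rm -rf "$demo_dir"
fi
```

A CSR carries only the public key and the subject fields, so the self-signature check is what shows the request was produced by the holder of the matching private key in the keychain.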
Request your certificate
Go to Apple webpage and generate certificate to be used to sign the pkg.
Developer ID Installer: A certificate used to sign a Mac Installer Package, containing your signed app.
Developer ID Application: A certificate used to sign a Mac app. (notarize)
5. Click Choose File.
6. In the dialog that appears, select the certificate request file (a file with a .certSigningRequest file extension), then click Choose.
7. Click Continue.
8. Click Download.
9. Repeat from point 4 for the other certificate, using the same CSR.
10. In the Developer portal there should now be two certificates.
11. The certificate file (a file with a .cer file extension) appears in your Downloads folder.
12. To install the certificate in your keychain, double-click the downloaded certificate file. The certificate appears in the My Certificates category in Keychain Access.
13. In Keychain Access the certificate should be shown with the name: Developer ID Installer: Name of Common name (TeamID)
14. Use Terminal to check that you have the certificate installed
security find-identity -p basic -v
------ RESULT: ------
1) XXXXX[REDACTED] "Developer ID Installer: Name of Common name (TeamID)"
2) XXXXX[REDACTED] "Developer ID Application: Name of Common name (TeamID)"
3) [REDACTED] "[REDACTED]"
3 valid identities found
Sign pkg file
Open Terminal and run the code below to sign the pkg and get a new signed version
--sign: Common Name of the certificate
/Download/package.pkg is the existing package
/Download/signed-package.pkg is the signed package
productsign --sign "Developer ID Installer: Name of Common name (TeamID)" /Download/package.pkg /Download/signed-package.pkg
------ RESULT: ------
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Name of Common name (TeamID)" from keychain /Users/username/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Download/signed-package.pkg
------ RESULT: ------
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000
Certificate Chain:
1. Developer ID Installer: Name of Common name (TeamID)
Expires: 2028-09-04 17:12:15 +0000
SHA256 Fingerprint:
23 5B E7 06 DD 8F 3D D8 4B 4D 45 ED 2A 7B 66 E2 30 BD D7 30 4B 3F
F6 D7 16 98 EE C1 82 89 78 A4
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2029-02-01 22:12:15 +0000
SHA256 Fingerprint:
2A FC 9D 01 A6 1E 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
C2 9C 58 CF F0 B1 FF 93 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
A0 B1 13 0E CB C7 FF 45 05 A0 2C 49 F1 29 5E 6E DA 6A CA 9D 7E 2C
98 B5 BE 91 B5 A1 10 34 F0 12
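The second result block above is the report format printed by `pkgutil --check-signature`. As an added example (not from the original guide), the script below checks such a report automatically; the function names, the return codes, the sample name "Example Dev" and the Team ID ABCDE12345 are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: gate a release on the signature report instead of reading it by eye.

# sample_report: constructed report in the layout shown above (fingerprint
# lines left out; "Example Dev" and ABCDE12345 are made-up values).
sample_report() {
    cat <<'EOF'
Package "signed-package.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-04-24 20:00:30 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Dev (ABCDE12345)
       Expires: 2028-09-04 17:12:15 +0000
    2. Developer ID Certification Authority
       Expires: 2029-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
EOF
}

# check_signature_report TEAM_ID   (report on stdin)
# 0 = ok, 1 = not Developer ID signed, 2 = leaf certificate is not the expected
# Developer ID Installer identity, 3 = no trusted timestamp, 4 = not notarized.
check_signature_report() {
    awk -v team="$1" '
        { sub(/^[ \t]+/, "") }            # pkgutil indents its lines
        /^Status: /       { status = substr($0, 9) }
        /^Notarization: / { notar = substr($0, 15) }
        /^Signed with a trusted timestamp on: / { stamped = 1 }
        /^1\. /           { leaf = substr($0, 4) }   # first chain entry = signer
        END {
            if (status != "signed by a developer certificate issued by Apple for distribution") exit 1
            want = "(" team ")"
            if (index(leaf, "Developer ID Installer: ") != 1 ||
                substr(leaf, length(leaf) - length(want) + 1) != want) exit 2
            if (!stamped) exit 3
            if (notar != "trusted by the Apple notary service") exit 4
        }'
}

# On the Mac: pkgutil --check-signature /Download/signed-package.pkg | check_signature_report TEAMID
sample_report | check_signature_report ABCDE12345 && echo "signature report OK"
```

Pinning the Team ID catches a package that is validly signed, but by a different developer account than the one you expect.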