Creating Apple Developer ID-signed Casper QuickAdd installer packages
With 10.8, Apple introduced Gatekeeper as a way to allow users to define which sources they would trust for downloading applications. This functionality was also available by 10.7.x, but not turned on by default.
By default, Gatekeeper allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This restriction also applies to application installers. If a downloaded installer package is not signed with an Apple developer certificate, Gatekeeper treats it as an unknown installer and does not allow it to launch without being manually overridden.
As part of supporting OS X 10.8, Casper 8.6 includes the ability to sign Casper QuickAdd agent installer packages. If you need to have signed QuickAdd packages for your own Casper environment, see below the jump for how to obtain the needed certificates.
Creating a Developer ID certificate using the Apple Developer site’s Developer Certificate Utility
1. Log into a 10.7.x or 10.8.x Mac.
2. Sign into the Apple Developer website using a paid ADC account and click on the Get Started link for the Developer Certificate Utility.
Note: Free ADC accounts don’t have the needed access to the Developer Certificate Utility page.
3. In the Developer Certificate Utility page, click on the Create Certificates link.
4. Under Certificates, select Developer ID and check off both boxes for Developer ID Application Certificate and Developer ID Installer Certificate.
5. Follow the instructions to create a certificate signing request. Begin by launching Keychain Access.
6. In Keychain Access, go to the Certificate Assistant and select Request a Certificate from a Certificate Authority.
7. Fill in the User Email Address and Common Name fields as appropriate, select Saved to disk, then click the Continue button.
8. Save the certificate signing request file to an appropriate place.
9. Once the certificate signing request has been saved, go back to your browser and click the Continue button to access the Submit Your Certificate Signing Request page.
10. On the Submit Your Certificate Signing Request page, click the Choose File button and choose the certificate signing request file you just created with Keychain Access.
11. Once the certificate signing request file has been selected, click the Generate button to create the certificate.
12. Once the Developer ID certificate has been generated, download the Developer ID Installer certificate and double-click on it to add it to your 10.7.x or 10.8.x Mac’s login keychain.
Creating a signed QuickAdd package with Recon
1. If not already installed, install JAMF’s Recon application on the 10.7.x or 10.8.x Mac.
Note: If you’re building on a 10.7.x Mac, you may also need to install the Apple Developer ID Certification Authority Intermediate Certificate into the Mac’s system keychain. Instructions on how to that are available here at JAMF Nation.
2. In the QuickAdd Package section of Recon, click the Sign with: checkbox then select your Developer ID Installer certificate from the accompanying drop-down menu.
3. Configure the other options you want for your QuickAdd package and then click the Create… button.
4. Check your QuickAdd package to verify that it has a lock icon in the top-right corner.
5. Click the lock icon to verify that the certificate is showing up as a valid Apple Developer ID Installer certificate.
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
With JSS 8.6 you can also upload your certificate to the JSS Enrollment Process for signing the QuickAdd package that users download via the /enroll page.
Hey mate just an FYI, doesn’t seem that this works any more, I needed to cerate a Mac App Store Signing certificate. Have a look at the popup window that Recon gives me when trying to use the Developer Cert https://dl.dropbox.com/u/6841/dev-cert-error.png
It seems now that you need to create a Mac Installer Cert for this to work.
That’s correct, you do need the Installer signing certificate available in order to sign the QuickAdd package.
If you take another look at the post above, the Installer certificate is the one being referenced when signing the installer package
Okay, weird I followed the tutorial and I am getting that error but if I do it with this https://dl.dropbox.com/u/6841/1111.png then it works… Will have another go later today
I see the issue; you’re signing an installer that’s intended for distribution in the Mac App Store. That’s a different set of signing certificates than the Developer ID certificates that I’m referencing here.
The Developer ID signing procedure I’m describing is for an installer that’s not going to be posted to the Mac App Store.
Again I might have screwed it up… gonna retry this in a sec will get back to you
Cheers
Okay, ignore my crack comments! Thanks for the clarification! Cheers mate
Thanks for this post Rich! Just a quick note that on the developer site it only lets you choose “Developer ID Application Certificate” OR “Developer ID Installer Certificate” now. I chose the Installer Certificate and it worked fine for me. Just wanted to share my findings. Thanks again!
FYI – these directions are still good to go. As of this reply you can only select Application Cert or Install Cert…not both like in the screenshot. Also, I couldn’t get it to work with a preexisting cert my company already had laying around. It worked when I did the Cert request from my machine…not sure if that was the key or not, but be sure to make a fresh one from your machine if you’re having trouble.