Creating payload-free packages with pkgbuild

One of the tools that Apple included with Lion and Mountain Lion is the command-line tool pkgbuild. This tool was designed to work by itself or in conjunction with another tool, productbuild, to build Apple installer packages.

pkgbuild has a number of options associated with it (see the man page for details on the available options), and the --nopayload option makes it very useful for building payload-free packages. This option tells pkgbuild that the package being built will be a payload-free package that contains only scripts. An example process follows.

Here’s an example of how you can use pkgbuild to create a payload-free package that runs the following script:

#!/bin/sh

softwareupdate -i -a
shutdown -r now

    Preparing to build the package

1. Log into an account that has administrator rights

2. Create a folder on your desktop named Run_Software_Update

3. Inside the Run_Software_Update folder, create a new directory called scripts

4. Open Terminal and run the following command to change to the scripts directory:

cd /Users/username/Desktop/Run_Software_Update/scripts

5. Run the following command to create a new file inside scripts named postinstall (By default, the pkgbuild command will use scripts named postinstall for a package’s post-installation action):

pico postinstall

6. Add the following to the postinstall file:

#!/bin/sh

softwareupdate -i -a
shutdown -r now

7. Once the script’s content has been added to the postinstall file, run the following command to make the script executable:

chmod a+x /Users/username/Desktop/Run_Software_Update/scripts/postinstall

    Building the package

To build the package, open Terminal and run the following command:

sudo pkgbuild --identifier com.company.run_software_update --nopayload --scripts /Users/username/Desktop/Run_Software_Update/scripts "/Users/username/Desktop/Run_Software_Update/Run Apple Software Update and Restart.pkg"


This will create a payload-free package named Run Apple Software Update and Restart that will incorporate the postinstall script you created earlier. The Run Apple Software Update and Restart installer package will be saved to /Users/username/Desktop/Run_Software_Update

    Signing the package as part of the build process

To help avoid problems with 10.8’s Gatekeeper, you may want to sign your payload-free package with an Apple Developer ID Installer certificate as part of creating it. Signing with a Developer ID Installer certificate will cue Gatekeeper that this is a “known” installer that can be opened without a problem.

To create the payload-free package and sign it with an Apple Developer ID Installer certificate as part of the build process, open Terminal and run the following command:

sudo pkgbuild --identifier com.company.run_software_update --nopayload --scripts /Users/username/Desktop/Run_Software_Update/scripts --sign "Developer ID Installer: Your Name" "/Users/username/Desktop/Run_Software_Update/Run Apple Software Update and Restart.pkg"



You should be prompted to sign using private keys; click Allow each time.

This will create a signed payload-free package named Run Apple Software Update and Restart that will incorporate the postinstall script you created earlier.

To verify that it’s been properly signed, check your payload-free package to verify that it has a lock icon in the top-right corner.

If the lock is there, click the lock icon to verify that the signing certificate is showing up as a valid Apple Developer ID Installer certificate.
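
The whole procedure above as one script, with a command-line check standing in for the lock icon. This is an added example, not part of the original post; WORKDIR, SIGN_ID and the function names are assumptions, and the identifier and package name are the ones used above.

```shell
#!/bin/sh
# Added example: stage, build and check the payload-free package from this page.
# WORKDIR, SIGN_ID and the function names are assumptions made for this example.
WORKDIR="${WORKDIR:-$HOME/Desktop/Run_Software_Update}"
PKG_NAME="Run Apple Software Update and Restart.pkg"
SIGN_ID="${SIGN_ID:-}"   # e.g. "Developer ID Installer: Your Name"; empty = unsigned

# Steps 2-7: create scripts/postinstall and make it executable.
stage_scripts() {
    mkdir -p "$1/scripts" || return 1
    cat > "$1/scripts/postinstall" <<'EOF'
#!/bin/sh

softwareupdate -i -a
shutdown -r now
EOF
    # Drop Finder metadata so it is not archived alongside postinstall.
    rm -f "$1/scripts/.DS_Store"
    chmod a+x "$1/scripts/postinstall"
}

# Build the package, adding --sign only when a certificate name was given.
build_pkg() {
    if [ -n "$SIGN_ID" ]; then
        pkgbuild --identifier com.company.run_software_update --nopayload \
            --scripts "$1/scripts" --sign "$SIGN_ID" "$1/$PKG_NAME"
    else
        pkgbuild --identifier com.company.run_software_update --nopayload \
            --scripts "$1/scripts" "$1/$PKG_NAME"
    fi
}

# Command-line counterpart of the lock-icon check: pkgutil prints the signing
# certificate chain, spctl reports whether Gatekeeper accepts the installer.
check_signature() {
    pkgutil --check-signature "$1" && spctl --assess --type install -v "$1"
}

# Run the whole procedure only where the macOS packaging tools exist.
if command -v pkgbuild >/dev/null 2>&1; then
    stage_scripts "$WORKDIR" && build_pkg "$WORKDIR" || exit 1
    [ -z "$SIGN_ID" ] || check_signature "$WORKDIR/$PKG_NAME"
fi
```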

  1. Marquette Rogers
    August 16, 2012 at 12:50 pm

    Is this an alternate solution that I can use to build payload free packages for use in Casper or InstaUp2DatePackages folder? If not, do you have documentation on how I can do this with PackageMaker?

    Thanks

  2. FTBZ
    August 20, 2012 at 5:55 am

    Thanks for the tips. For Absolute Manage users, you can simply add a shell script as payload and don’t need to create a package. The script will be executed when running the installation.

  3. Sam
    October 29, 2012 at 3:16 pm

    Great information. I’ve used this to create a payload free package a couple times. However, when adding it to munki the package will continuously run. It seems as though munki doesn’t realize it’s already run it and each time it checks in, it runs again. Has anyone run into this? Is there something I need to add to the command when building the package that will add more information to fix the issue?

  4. machacks
    October 30, 2012 at 6:58 am

    Use Packages, http://www.macupdate.com/download/34613/Packages.dmg

    Set up New Raw project, select “Payload”, add folder to root with /tmp/bash.sh, select “Scripts”, execute bash.sh by setting it with Pre-Installation script. Use Post-Installation script to delete /bash.sh from /tmp.

  5. GRW
    March 9, 2013 at 1:32 am

    Thanks for this great tutorial. I do have a short question. I made a couple of packages following your methodology, but when viewing them with Pacifist I find an unwanted “.DS_Store” file as well as the “postinstall”. I understood that pkgbuild should ignore them. Any ideas?

  6. Bob Henry
    November 22, 2013 at 12:15 am

    First of all, thanks once again Rich for a simple, linear, instruction set without assumptions of intuitive leaps of logic.
    I am trying to figure out how to make payload free .pkg based on scripts that need sudo to run. Would like to use them in task server (ard). I see a lot of material but nothing I can grasp yet.

  7. December 2, 2013 at 6:21 pm

    Hi, I created the pkg with and without a valid Developer ID and GateKeeper allowed it all the time.
