Home > Casper, Packaging > Creating Apple Developer ID-signed Casper QuickAdd installer packages

Creating Apple Developer ID-signed Casper QuickAdd installer packages

With 10.8, Apple introduced Gatekeeper as a way to allow users to define which sources they would trust for downloading applications. This functionality was also available by 10.7.x, but not turned on by default.

By default, Gatekeeper allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This restriction also applies to application installers. If a downloaded installer package is not signed with an Apple developer certificate, Gatekeeper treats it as an unknown installer and does not allow it to launch without being manually overridden.

As part of supporting OS X 10.8, Casper 8.6 includes the ability to sign Casper QuickAdd agent installer packages. If you need to have signed QuickAdd packages for your own Casper environment, see below the jump for how to obtain the needed certificates.

Creating a Developer ID certificate using the Apple Developer site’s Developer Certificate Utility

1. Log into a 10.7.x or 10.8.x Mac.

2. Sign into the Apple Developer website using a paid ADC account and click on the Get Started link for the Developer Certificate Utility.

Note: Free ADC accounts don’t have the needed access to the Developer Certificate Utility page.

Screen Shot 2012-08-11 at 8.28.01 AM

3. In the Developer Certificate Utility page, click on the Create Certificates link.

Screen Shot 2012-08-11 at 8.29.05 AM

4. Under Certificates, select Developer ID and check off both boxes for Developer ID Application Certificate and Developer ID Installer Certificate.

Screen Shot 2012-08-11 at 8.29.48 AM

5. Follow the instructions to create a certificate signing request. Begin by launching Keychain Access.

6. In Keychain Access, go to the Certificate Assistant and select Request a Certificate from a Certificate Authority.

Screen Shot 2012-08-11 at 8.33.07 AM

7. Fill in the User Email Address and Common Name fields as appropriate, select Saved to disk, then click the Continue button.

Screen Shot 2012-08-11 at 8.37.12 AM

8. Save the certificate signing request file to an appropriate place.

Screen Shot 2012-08-11 at 8.37.28 AM

9. Once the certificate signing request has been saved, go back to your browser and click the Continue button to access the Submit Your Certificate Signing Request page.

10. On the Submit Your Certificate Signing Request page, click the Choose File button and choose the certificate signing request file you just created with Keychain Access.

Screen Shot 2012-08-11 at 8.37.56 AM

11. Once the certificate signing request file has been selected, click the Generate button to create the certificate.

12. Once the Developer ID certificate has been generated, download the Developer ID Installer certificate and double-click on it to add it to your 10.7.x or 10.8.x Mac’s login keychain.

Creating a signed QuickAdd package with Recon

1. If not already installed, install JAMF’s Recon application on the 10.7.x or 10.8.x Mac.

Note: If you’re building on a 10.7.x Mac, you may also need to install the Apple Developer ID Certification Authority Intermediate Certificate into the Mac’s system keychain. Instructions on how to that are available here at JAMF Nation.

2. In the QuickAdd Package section of Recon, click the Sign with: checkbox then select your Developer ID Installer certificate from the accompanying drop-down menu.

Screen Shot 2012-08-11 at 9.25.41 AM

3. Configure the other options you want for your QuickAdd package and then click the Create… button.

4. Check your QuickAdd package to verify that it has a lock icon in the top-right corner.

Screen Shot 2012-08-11 at 9.26.34 AM

5. Click the lock icon to verify that the certificate is showing up as a valid Apple Developer ID Installer certificate.

Screen Shot 2012-08-11 at 9.26.23 AM

Categories: Casper, Packaging
  1. Walter
    August 17, 2012 at 12:12 pm

    With JSS 8.6 you can also upload your certificate to the JSS Enrollment Process for signing the QuickAdd package that users download via the /enroll page.

  2. January 18, 2013 at 8:54 am

    Hey mate just an FYI, doesn’t seem that this works any more, I needed to cerate a Mac App Store Signing certificate. Have a look at the popup window that Recon gives me when trying to use the Developer Cert https://dl.dropbox.com/u/6841/dev-cert-error.png

    It seems now that you need to create a Mac Installer Cert for this to work.

    • January 18, 2013 at 10:14 am

      That’s correct, you do need the Installer signing certificate available in order to sign the QuickAdd package.

      If you take another look at the post above, the Installer certificate is the one being referenced when signing the installer package

      • January 18, 2013 at 10:32 am

        Okay, weird I followed the tutorial and I am getting that error but if I do it with this https://dl.dropbox.com/u/6841/1111.png then it works… Will have another go later today

      • January 18, 2013 at 10:40 am

        I see the issue; you’re signing an installer that’s intended for distribution in the Mac App Store. That’s a different set of signing certificates than the Developer ID certificates that I’m referencing here.

        The Developer ID signing procedure I’m describing is for an installer that’s not going to be posted to the Mac App Store.

      • January 18, 2013 at 10:42 am

        Again I might have screwed it up… gonna retry this in a sec will get back to you


      • January 18, 2013 at 10:59 am

        Okay, ignore my crack comments! Thanks for the clarification! Cheers mate

  3. Tom H
    September 4, 2013 at 12:48 pm

    Thanks for this post Rich! Just a quick note that on the developer site it only lets you choose “Developer ID Application Certificate” OR “Developer ID Installer Certificate” now. I chose the Installer Certificate and it worked fine for me. Just wanted to share my findings. Thanks again!

  4. Jordan F
    September 9, 2015 at 10:36 pm

    FYI – these directions are still good to go. As of this reply you can only select Application Cert or Install Cert…not both like in the screenshot. Also, I couldn’t get it to work with a preexisting cert my company already had laying around. It worked when I did the Cert request from my machine…not sure if that was the key or not, but be sure to make a fresh one from your machine if you’re having trouble.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: