Third-party installer packages may not be installable by the macOS 10.12.4 OS installer
With the release of macOS 10.12.4, it appears that Apple has made a change to the OS installer that blocks the installation of third-party packages which have been added to the OS installer. In my testing, I’ve verified the following tools are affected:
Note: There may be others, this list is what I’ve tested.
In each case, the OS install process proceeds without issues until the OS installer tries to install the third party installer package. At that point, the installation process fails and displays the message shown below:
The package "Package Name Goes Here" is not signed. Quit the installer to restart your computer and try again.
The error message displayed is misleading however, as this message may also appear if the package has been signed with a Developer ID Installer certificate.
In testing done by myself and others, we have found that there is one circumstance where you can still add a third-party installer package:
- If you are building a NetInstall NetBoot set using System Image Utility
- If the package is signed with a Developer ID Installer certificate.
Otherwise, the only installer packages I’ve seen which install correctly are packages which have been signed by Apple itself.
For more details, see below the jump.
As mentioned previously, Apple’s System Image Utility is affected by this issue. To replicate the failure behavior, use the process shown below:
Pre-requisites:
- A Mac upgraded to macOS 10.12.4
- System Image Utility
- A macOS 10.12.4 installer
- A unsigned third-party installer package
For my third-party installer package, I used one created by First Boot Package Install Generator.app.
1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.
3. Select option to build a NetInstall Image
4. Select option to add an additional installer and add the unsigned third-party installer package.
5. Change no other options from their default settings.
6. Build the NetInstall set.
Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. In my testing, the OS install process has consistently failed when trying to install the unsigned third-party installer package. To show what this behavior looks like, please see the video below:
Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 21 minutes 18 seconds.
To replicate the successful install behavior, use the process shown below:
Pre-requisites
- A Mac upgraded to macOS 10.12.4
- System Image Utility
- A macOS 10.12.4 installer
- A third-party installer package which has been signed with a Developer ID Installer certificate.
For my third-party installer package, I used the same firstboot package created earlier and signed it using the productsign utility and my Developer ID Installer certificate.
/usr/bin/productsign --sign 'Developer ID Installer: Name Goes Here (FT45CST65F)' "/path/to/First Boot Package Install.pkg" "/path/to/other/place/First Boot Package Install.pkg"
1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.
3. Select option to build a NetInstall Image
4. Select option to add an additional installer and add the signed third-party installer package.
5. Change no other options from their defaults.
6. Build NetInstall set
Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. This time, the installation process of the third party installer package should succeed. To show what this behavior looks like, please see the video below:
Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 20 minutes 9 seconds.
Workarounds
Since the new behavior is specific to the 10.12.4 installer, my recommendation at this point is to use the macOS 10.12.3 installer where needed. Once the OS is installed, update to later versions of macOS Sierra as a post-installation task.
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
Thorough analysis. I suppose this was probably made by Apple on purpose and not by accident. Possibly to thwart Hackintosh installers?
I have been using this method. NetRestore is kind of nice too, essentially does what autodmg does. If you bless the nbi folder and put it on USB, add in a partition disk and auto install step, you can get a USB installer that you boot from and push no buttons to get a system restored in under 10 minutes typically. Maybe I can send some screen shots to you Rich and you could add that bit if you are interested. ping me nessts on slack if you want to discuss this more, because i know i can be confusing at times.
We never added installers in AutoDMG, but hopefully this doesn’t break its ability to cache/install any pending updates.
for me, error message is “netInstallApplyConfigurationSettings.sh.pkg is not signed”. I think the image utility generates this pkg. Do you know how to resolve this error?
Still no workaround?
I have been seeing that Apple has fallen into it’s own trap so to speak where even vanilla net installs for 10.12.4-6 will not complete with ” netInstallApplyConfigurationSettings.sh.pkg is not signed” error. There is a radar for the issue. See https://www.jamf.com/jamf-nation/discussions/24173/netinstallapplyconfigurationsettings-sh-pkg-is-not-signed-on-vanilla-netinstall
On High Sierra too 😦
Is this still an issue on High Sierra (10.13.4)? I have a System Image Utility NetInstall creation that is failing with ‘error 2’ and when reviewing the System Image Utility log, the error seems to come from the CreateConfigurationProfilesInstallerPkg phase…
Yes. This is a unresolved issue
Pretty frustrating. I just made a vanillla 10.12.6 netInstall iamge and am getting the “netInstallApplyConfigurationSettings.sh.pkg is not signed” issue