Home > Mac administration, macOS > Third-party installer packages may not be installable by the macOS 10.12.4 OS installer

Third-party installer packages may not be installable by the macOS 10.12.4 OS installer

With the release of macOS 10.12.4, it appears that Apple has made a change to the OS installer that blocks the installation of third-party packages which have been added to the OS installer. In my testing, I’ve verified the following tools are affected:

Note: There may be others, this list is what I’ve tested.

In each case, the OS install process proceeds without issues until the OS installer tries to install the third party installer package. At that point, the installation process fails and displays the message shown below:

The package "Package Name Goes Here" is not signed.
Quit the installer to restart your computer and try again.

Screen Shot 2017 03 28 at 8 45 36 AM

The error message displayed is misleading however, as this message may also appear if the package has been signed with a Developer ID Installer certificate.

In testing done by myself and others, we have found that there is one circumstance where you can still add a third-party installer package:

  1. If you are building a NetInstall NetBoot set using System Image Utility
  2. If the package is signed with a Developer ID Installer certificate.

Otherwise, the only installer packages I’ve seen which install correctly are packages which have been signed by Apple itself.

Screen Shot 2017 03 28 at 9 25 52 PM

For more details, see below the jump.

As mentioned previously, Apple’s System Image Utility is affected by this issue. To replicate the failure behavior, use the process shown below:

Pre-requisites:

  • A Mac upgraded to macOS 10.12.4
  • System Image Utility
  • A macOS 10.12.4 installer
  • A unsigned third-party installer package

For my third-party installer package, I used one created by First Boot Package Install Generator.app.

1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.

Screen Shot 2017 03 27 at 11 22 33 PM

3. Select option to build a NetInstall Image

Screen Shot 2017 03 27 at 11 22 38 PM

4. Select option to add an additional installer and add the unsigned third-party installer package.

Screen Shot 2017 03 27 at 11 24 04 PM

5. Change no other options from their default settings.
6. Build the NetInstall set.

Screen Shot 2017 03 27 at 11 24 23 PM

Screen Shot 2017 03 27 at 11 26 21 PM

Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. In my testing, the OS install process has consistently failed when trying to install the unsigned third-party installer package. To show what this behavior looks like, please see the video below:

Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 21 minutes 18 seconds.

To replicate the successful install behavior, use the process shown below:

Pre-requisites

  • A Mac upgraded to macOS 10.12.4
  • System Image Utility
  • A macOS 10.12.4 installer
  • A third-party installer package which has been signed with a Developer ID Installer certificate.

For my third-party installer package, I used the same firstboot package created earlier and signed it using the productsign utility and my Developer ID Installer certificate.

/usr/bin/productsign --sign 'Developer ID Installer: Name Goes Here (FT45CST65F)' "/path/to/First Boot Package Install.pkg" "/path/to/other/place/First Boot Package Install.pkg"

Screen Shot 2017-03-28 at 8.45.56 AM

1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.

Screen Shot 2017 03 27 at 11 22 33 PM

3. Select option to build a NetInstall Image

Screen Shot 2017 03 27 at 11 22 38 PM

4. Select option to add an additional installer and add the signed third-party installer package.

Screen Shot 2017 03 27 at 11 24 04 PM

5. Change no other options from their defaults.
6. Build NetInstall set

Screen Shot 2017 03 27 at 11 24 23 PM

Screen Shot 2017 03 27 at 11 26 21 PM

Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. This time, the installation process of the third party installer package should succeed. To show what this behavior looks like, please see the video below:

Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 20 minutes 9 seconds.

Workarounds

Since the new behavior is specific to the 10.12.4 installer, my recommendation at this point is to use the macOS 10.12.3 installer where needed. Once the OS is installed, update to later versions of macOS Sierra as a post-installation task.

Categories: Mac administration, macOS
  1. March 29, 2017 at 7:58 am

    Thorough analysis. I suppose this was probably made by Apple on purpose and not by accident. Possibly to thwart Hackintosh installers?

  2. Todd Ness
    March 29, 2017 at 1:40 pm

    I have been using this method. NetRestore is kind of nice too, essentially does what autodmg does. If you bless the nbi folder and put it on USB, add in a partition disk and auto install step, you can get a USB installer that you boot from and push no buttons to get a system restored in under 10 minutes typically. Maybe I can send some screen shots to you Rich and you could add that bit if you are interested. ping me nessts on slack if you want to discuss this more, because i know i can be confusing at times.

  3. March 29, 2017 at 10:04 pm

    We never added installers in AutoDMG, but hopefully this doesn’t break its ability to cache/install any pending updates.

  4. Wei
    April 26, 2017 at 8:02 am

    for me, error message is “netInstallApplyConfigurationSettings.sh.pkg is not signed”. I think the image utility generates this pkg. Do you know how to resolve this error?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: