Home > AutoPkg, Mac administration, macOS > Adding installer package code-signing to AutoPkg workflows

Adding installer package code-signing to AutoPkg workflows

As part of building an AutoPkg workflow to create installer packages, one of the requirements I was given was that any packages that weren’t already signed by the vendor needed to be signed using a Developer ID Installer signing certificate.

Screen Shot 2017 11 09 at 9 58 53 PM

Signing installer package is not usually an outcome of most AutoPkg workflows, since code signature verification can be used at the download end to make sure that the application is what it is supposed to be. However, there were several good reasons for adding a package signing step to the workflow, including:

  1. It is now necessary to sign packages before you’ll be able to use them as part of NetInstall sets
  2. The InstallApplication MDM command requires that macOS installer packages be signed with an appropriate certificate

After some research and testing, I was able to incorporate installer package signing into my AutoPkg workflow and am now able to automatically sign installer package as they’re generated by my package creation workflows. For more details, see below the jump.

To enable AutoPkg to sign the packages it creates, I’m using an AutoPkg processer named PkgSigner to add the needed code signing. PkgSigner was written by Paul Suh and it uses Apple’s productsign tool to access a Developer ID Installer certificate stored in the login keychain. For those who need it, I have a copy of the PkgSigner processor available via the link below:


Preparing to use the PkgSigner processor

Before the PkgSigner processor can be used, the Developer ID Installer certificate needs to be added to the login keychain of the account being used to run AutoPkg. For more information about adding Apple Developer certificates to an account, please see the link below:


It is also necessary to run Apple’s productsign tool manually once before using the PkgSigner processor. The reason for this is so that you can be prompted to always allow productsign access to the Developer ID Installer certificate stored in the login keychain.

Screen Shot 2017 11 09 at 9 56 42 PM

You can do this by running a command similar to the one shown below to sign an unsigned package.

productsign --sign 'Developer ID Installer: Developer Name Here (756DF992DDB6)' "/path/to/unsigned_package_here.pkg" "/path/to/signed_package_here.pkg"

Using the PkgSigner processor in AutoPkg recipes

Once you’ve prepared productsign to be able to access the Developer ID Installer certificate stored in the login keychain, you should be ready to start using the PkgSigner AutoPkg processor by placing a copy of the PkgSigner.py file in the same directory as your AutoPkg .pkg recipe.

Screen Shot 2017 11 09 at 10 27 47 PM

As an example of how the PkgSigner processor can be used, I’ve written an AutoPkg recipe for Google Chrome which generates an installer package. In this recipe, a variable called SIGNINGCERTIFICATE is being defined as being where the certificate name is being referenced.

Screen Shot 2017 11 09 at 9 52 04 PM

Because we don’t want to include the actual signing certificate name in the recipe, a placeholder value is there. The actual certificate name should be added via an AutoPkg override. The SIGNINGCERTIFICATE variable in the override should look like this:

Screen Shot 2017 11 09 at 10 02 46 PM

The SIGNINGCERTIFICATE variable is then called later in the recipe by the PkgSigner processor, to sign the referenced package using Apple’s productsign tool. The way it should be set up in the recipe is to first generate the package using a name defined by variables elsewhere in the recipe:

Screen Shot 2017 11 09 at 10 11 09 PM

Next, the PkgSigner processor will locate the package by its location and do the following:

  1. Rename the unsigned package from /path/to/package_name_here.pkg to /path/to/package_name_here-unsigned.pkg
  2. Sign the package
  3. Save the signed package as /path/to/package_name_here.pkg, so that the name matches the original package. Renaming the signed package to match the original unsigned package’s name allows AutoPkg to continue to work with the now-signed installer package.

Screen Shot 2017 11 09 at 10 11 10 PM

Certificate ID formatting

When referencing the Developer ID Installer certificate in an AutoPkg recipe, special characters should be replaced by their percent encoding equivalent. For example, my personal Developer ID Installer certificate is referenced by productsign by using the following identifier:

Developer ID Installer: Rich Trouton (XF95CST45F)

AutoPkg recipes are written in XML though, which uses colons and parentheses for its own purposes. Instead, the colons and parantheses should be translated into their percent encoded equivalents:

Please see below for a link to a table of percent encoding codes and the special characters they map to:


For those who want to examine the example AutoPkg recipe and override, they’re available below:

Google Chrome .pkg recipe:

Google Chrome .pkg recipe override:

  1. November 10, 2017 at 3:54 am

    That’s hot.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: