Home > AutoPkg, autopkg-conductor, Mac administration, macOS, Signing Manager > Using Signing Manager with autopkg-conductor

Using Signing Manager with autopkg-conductor

I’ve recently been working with Twocanoes Software’s Signing Manager in combination with my autopkg-conductor tool for managing AutoPkg runs. I’m happy to report it’s possible, but you may need to make some adjustments to how autopkg-conductor is being launched. For more details, please see below the jump.

As originally written, autopkg-conductor uses a LaunchDaemon to manage when the autopkg-conductor script is run. This was an idea I adopted from AutoPkgr, which also uses a LaunchDaemon to perform AutoPkg runs. The reason for using a LaunchDaemon is that the LaunchDaemon will be able to perform the scheduled AutoPkg run regardless of if the Mac is logged in at the loginwindow or not.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>AbandonProcessGroup</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
</dict>
<key>Label</key>
<string>com.github.autopkg-nightly-run</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/autopkg-conductor.sh</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StartCalendarInterval</key>
<array>
<dict>
<key>Hour</key>
<integer>2</integer>
<key>Minute</key>
<integer>0</integer>
</dict>
</array>
<key>UserName</key>
<string>autopkg</string>
</dict>
</plist>

For the most part, this works fine to successfully trigger the autopkg-conductor script. However, a problem occurred once Signing Manager was added to the mix and I tried using it with the PkgSigner AutoPkg processor. The reason for this is that Signing Manager puts credentials into the login keychain and the user context was not correct to access those credentials. Instead, I was seeing errors like this when the LaunchDaemon triggered a run of autopkg-conductor:

productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Postman-AutoUpdate/Postman_Labs_Postman_8.3.1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Atom-AutoUpdate/GitHub_Atom_1.56.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.SapMachineJDK11/SAP_SapMachine_11.0.11.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.FioriLaunchpad/Fiori_Launchpad_1.0.9.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Code42/Code42_8.6.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.CitrixWorkspace/Citrix_Workspace_21.04.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.VMwareFusion/VMware_Fusion_12.1.1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Slack/Slack_4.16.2.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.SAPGUI/SAP_SAPGUI_7.70rev1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.CiscoAnyConnect/Cisco_AnyConnectSecureMobilityClient_4.9.06037.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.MURAL/MURAL_1.0.10.pkg'!
Failed.

view raw
gistfile1.txt
hosted with ❤ by GitHub

After Twocanoes Support did some research, they recommended adding the following key to autopkg-conductor‘s LaunchDaemon:

Key: SessionCreate
Value: true

My LaunchDaemon now looked like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>AbandonProcessGroup</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
</dict>
<key>Label</key>
<string>com.github.autopkg-nightly-run</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/autopkg-conductor.sh</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StartCalendarInterval</key>
<array>
<dict>
<key>Hour</key>
<integer>2</integer>
<key>Minute</key>
<integer>0</integer>
</dict>
</array>
<key>UserName</key>
<string>autopkg</string>
<key>SessionCreate</key>
<true/>
</dict>
</plist>

view raw
gistfile1.txt
hosted with ❤ by GitHub

With renewed hope, I used the LaunchDaemon to trigger a run. Same errors:

productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
productsign: error: Could not find appropriate signing identity for "6116291774E14F3E8A4CB6266F560C07".
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Postman-AutoUpdate/Postman_Labs_Postman_8.3.1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Atom-AutoUpdate/GitHub_Atom_1.56.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.SapMachineJDK11/SAP_SapMachine_11.0.11.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.FioriLaunchpad/Fiori_Launchpad_1.0.9.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Code42/Code42_8.6.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.CitrixWorkspace/Citrix_Workspace_21.04.0.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.VMwareFusion/VMware_Fusion_12.1.1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.Slack/Slack_4.16.2.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.SAPGUI/SAP_SAPGUI_7.70rev1.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.CiscoAnyConnect/Cisco_AnyConnectSecureMobilityClient_4.9.06037.pkg'!
Failed.
JSSImporter can't find a package at '/Users/autopkg/Library/AutoPkg/Cache/local.jss.MURAL/MURAL_1.0.10.pkg'!
Failed.

view raw
gistfile1.txt
hosted with ❤ by GitHub

This was clearly a case of context. I was running as the right user, but something about the session context wasn’t quite right to allow me access to the login keychain and access the Signing Manager credential.

After some additional research, Twocanoes Support recommended the following:

  1. Have the user account be logged in at the login window (as opposed to running logged out.)
  2. Replace the LaunchDaemon with a LaunchAgent.

I then unloaded the LaunchDaemon and replaced it with a practically identical LaunchAgent, with the two following keys removed:

Key: UserName
Value: Account which I was running AutoPkg from (in this case, the user account was named autopkg)

Key: SessionCreate
Value: true

The LaunchAgent appeared as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>AbandonProcessGroup</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
</dict>
<key>Label</key>
<string>com.github.autopkg-nightly-run</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/autopkg-conductor.sh</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StartCalendarInterval</key>
<array>
<dict>
<key>Hour</key>
<integer>2</integer>
<key>Minute</key>
<integer>0</integer>
</dict>
</array>
</dict>
</plist>

view raw
gistfile1.txt
hosted with ❤ by GitHub

To test it out, I changed the following value in the LaunchAgent:

Key: RunAtLoad

From: false
To: true

After making that change, I logged out, logged in and * bang * my AutoPkg runs started being able to access the signing identity provided by Signing Manager and sign my packages using the PkgSigner AutoPkg processor.

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/ec2-user/Library/AutoPkg/Cache/local.jss.Postman-AutoUpdate/Postman_Labs_Postman_8.3.1.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.Atom-AutoUpdate/GitHub_Atom_1.56.0.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.SapMachineJDK11/SAP_SapMachine_11.0.11.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.FioriLaunchpad/Fiori_Launchpad_1.0.9.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.Code42/Code42_8.6.0.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.CitrixWorkspace/Citrix_Workspace_21.04.0.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.VMwareFusion/VMware_Fusion_12.1.1.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.Slack/Slack_4.16.2.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.SAPGUI/SAP_SAPGUI_7.70rev1.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.CiscoAnyConnect/Cisco_AnyConnectSecureMobilityClient_4.9.06037.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Rich Trouton (XF95CST45F)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/autopkg/Library/AutoPkg/Cache/local.jss.MURAL/MURAL_1.0.10.pkg

view raw
gistfile1.txt
hosted with ❤ by GitHub

Once my testing was completed, I changed the RunAtLoad key’s value back to false.

Transitioning from a LaunchDaemon to a LaunchAgent does mean I will need to leave the account I’m using for AutoPkg logged in at the login window, which has security implications to consider carefully.

In my particular case, AutoPkg is being run on a virtual machine where there is not a physical display attached and access to screen sharing is restricted, so for my particular case my opinion is that the trade-off is worth it.

With regards to Signing Manager’s operation, I also had some additional questions about it with regards to my AutoPkg runs which got answered during testing:

  • Question: Does the Signing Manager app need to be launched, or will productsign (used by the AutoPkg PkgSigner processor) be able to get the certificate without the app being launched?
  • Answer: After configuring Signing Manager, there’s no need to launch the app. As long as productsign is given the right signing identity (which Signing Manager refers to as a “fingerprint”), signing will work.
  • Question: If you need to reboot your Mac, do you need to do anything following the reboot in order to having signing work?
  • Answer: No
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: