2

Is there a method that would allow the creation of custom Apple .pkg files that could be generated on the fly and that is compatible with the new signing/notarization processes? Is there a recommended Apple method?

Currently, I am able to change the post/preinstall scripts and repackage my pkg file with xar on Linux.

With the new notarization process, I run into a couple of problems.

  1. It takes quite a while to notarize a package.

  2. I cannot run the notarization tools from Linux and Apple does not allow virtualized OS X instances.

rileymat

You can sign a pkg from Linux using the open source xar project: http://mackyle.github.io/xar/ There is a guide here: http://users.wfu.edu/cottrell/productsign/productsign_linux.html The public cert portion is tricky; the above guide has you sign it on Mac and then extract the cert chain, then you run `xar --sign`, `openssl rsautl -sign`, and `xar --inject-sig`. However, while I have been able to notarize the pkg, I have been unable to staple the notarization, as I have reported here: https://github.com/mackyle/xar/issues/24 – Ian Butler Jan 27 '20 at 22:52
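
A check that runs on Linux after repackaging or signing with xar, added here as an example and not part of the original question or comment: it parses the xar container of a flat .pkg, verifies the TOC checksum that the signature covers, and lists the signature records and certificate counts. The function names `inspect_xar` and `build_sample` are hypothetical, and the sample archive is constructed (it contains no files and a placeholder signature).

```python
import hashlib, struct, zlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
MAX_TOC = 16 * 1024 * 1024  # cap on decompressed TOC size

def inspect_xar(data):
    """Report TOC checksum validity and signature records of a xar/.pkg."""
    magic, hdr_len, _ver, clen, ulen, _alg = struct.unpack(">4sHHQQI", data[:28])
    if magic != b"xar!":
        raise ValueError("not a xar archive")
    ztoc = data[hdr_len:hdr_len + clen]          # zlib-compressed XML table of contents
    xml = zlib.decompressobj().decompress(ztoc, MAX_TOC)
    if len(xml) != ulen:
        raise ValueError("TOC length does not match header")
    heap = data[hdr_len + clen:]                 # checksum, signature and file data
    toc = ET.fromstring(xml).find("toc")         # stdlib parser; harden for hostile input

    def blob(node):                              # heap bytes named by <offset>/<size>
        off, size = int(node.findtext("offset")), int(node.findtext("size"))
        if off < 0 or size < 0 or off + size > len(heap):
            raise ValueError("record points outside the heap")
        return heap[off:off + size]

    ck = toc.find("checksum")                    # hash of the compressed TOC
    toc_ok = hashlib.new(ck.get("style").lower(), ztoc).digest() == blob(ck)
    sigs = []
    for tag in ("signature", "x-signature"):     # RSA and CMS-style records
        for s in toc.findall(tag):
            certs = s.findall(f"{DSIG}KeyInfo/{DSIG}X509Data/{DSIG}X509Certificate")
            sigs.append({"tag": tag, "style": s.get("style"),
                         "sig_len": len(blob(s)), "certs": len(certs)})
    return {"toc_checksum_ok": toc_ok, "signatures": sigs}

def build_sample(signed):
    """Constructed minimal archive (no files, zeroed signature), for demonstration."""
    sig = ('<signature style="RSA"><offset>20</offset><size>256</size>'
           '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
           '<X509Certificate>CONSTRUCTED</X509Certificate>'
           '</X509Data></KeyInfo></signature>') if signed else ""
    xml = ('<?xml version="1.0" encoding="UTF-8"?><xar><toc>'
           '<checksum style="sha1"><offset>0</offset><size>20</size></checksum>'
           + sig + '</toc></xar>').encode()
    ztoc = zlib.compress(xml)
    heap = hashlib.sha1(ztoc).digest() + (b"\x00" * 256 if signed else b"")
    return struct.pack(">4sHHQQI", b"xar!", 28, 1, len(ztoc), len(xml), 1) + ztoc + heap

if __name__ == "__main__":
    print(inspect_xar(build_sample(True)))
```

This only shows whether signature records are present and whether the TOC checksum matches; it does not validate the RSA signature or the certificate chain.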

1 Answer

0

I haven't seen a non-macOS tool for notarization submission. Though, there's not much for codesigning either. (Do you have a cross-platform codesign tool?)

But... Do you need to notarize? Or sign at all? As I understand it, at least for now, those requirements only apply to files with the Gatekeeper quarantine attribute set. (And probably kernel extensions)

If you're re-creating pkgs, are you doing it on the endpoints where you could remove the quarantine bit?

Also not quite the same, but if you wanted to pay money there are fairly inexpensive hosted Apple machines. (I use some of those for my codesigning pipeline, for just this reason)

seph