Mountain Lion Signing packages

The intention of this blog is to guide you through signing of the packages(pkg) or installer for Mac OS X 10.8 (Mountain Lion). There are different ways to make installer for Macintosh and one of the most preferred way is to use PackageMaker. PackageMaker is an application released by Apple for making installer. It’s pretty easy to do basic things with PackageMaker but customized things aren’t very easy to do. The problem being there is very little useful documentation from Apple.

Coming back to task at hand, We need to sign our package using Apple’s Developer ID Installer Certificate for the Gatekeeper to allow the installer to run. There are two simple steps.

Step 1: Create a normal (unsigned) installer using either the UI or the command-line version of PackageMaker

Step 2: Use productsign to sign the Package

Usage: productsign [options] –sign identity input-product-path output-product-path

This would work as long as the installer is of PKG format (flat). Signing of MPKG format is not supported.

Properly Signed Installer

Avoid using any of these methods.

1. Signing the Package using PackageMaker’s UI

2. Signing the Package using PackageMaker’s command line tool

Incorrectly signed installer

If you compare the incorrectly signed installer image with the correctly signed installer image, you would find one difference. Incorrectly signed installer does not have Developer ID Certification Authority certificate. Without this certificate the Gatekeeper cannot verify the signed installer and hence rejects it. The problem is with PackageMaker, it doesn’t add the Developer ID Certification Authority certificate while signing the installer.

Exporting Apple Developer Certificate

According to Apple only an Agent can generate and download the developer certificates. Once the certificates are installed in a machine it can be shared with other users. KeyChain Access application has a simple feature for exporting the certificates.

Steps involved in exporting the Apple Developer Certificates.
1. Go to “/Applications/Utilities/” and Launch Keychain Access.app
2. Click on the “Certificates” Tab

3. Select “Developer ID Installer: My Company” certificate.
4. Right Click on the certificate and select Export “Developer ID Installer: My Company”

5. A dialog would appear select Personal Information Exchange (.p12) format and give the certificate an identifiable name. By default the new certificate will be saved in Documents folder.

6. Keychain Access application would ask for a password. Enter a password, this password would be asked when you try to install the certificate on the other machine. So remember the password!

Your certificate would have been exported to the selected folder (By default the “Documents” Folder). Repeat the same steps to export “Developer ID Application: My Company.

While exporting Developer ID Certification Authority certificate Keychain Access access would not ask for the password and the File Format should be Certificate (.cer).

Installing the certificate
Double click on the exported certificate. Keychain Access application will launch and display a dialog asking for the password. Enter the password set in step 6.

That is it for this post! You now know to export and install Apple Developer certificate.

Mountain Lion Certificates

Before starting up Certificate generation, there are some important concepts to be understood. There are three possible roles that can be assigned to Apple Developer Program members: Agent, Admin, or Member.

Borrowed from Apple’s website.
1. Agent
The Agent (the original enrollee accepted into an Apple Developer Program) is the primary contact for the development team, is responsible for accepting all Developer Program Agreements, and can enroll their team in additional Apple Developer Programs.

2. Admin (company/organization only)
Developers assigned the Admin role serve as a secondary contact for teams enrolled in an Apple Developer Program as a company. Team Admins can invite members to the team, assign roles, and have access to the resources and benefits of the developer program they are enrolled in.

3. Member (company/organization only)
Developers assigned the Member role have access to the resources and benefits of the developer program they are enrolled in.

Now that you know the rules. So if an “Admin” user goes to certificate creation page, the option is disabled.

Disabled option to generate certificate

The rule also means that the Admin user cannot download the certificates either. It is the responsibility of “Agent” to generate and download the certificate and share it with the team.

Download option is also disabled.

Generating Certificates
If you are logged in as an Agent the button in first image will be enabled. Click on it and APPLE will guide you through the process to generate the certificates. But remember you have to generate 2 certificates: Developer ID Application Certificate and Developer ID Installer Certificate (First time I tried, I missed out on generating Developer ID Installer Certificate). Developer ID Application Certificate is used for signing the application and Developer ID Installer Certificate is used for signing the installer. While you are at it make it a point to download Developer ID Intermediate Certificate. Without Developer ID Intermediate Certificate Gatekeeper wouldn’t allow your application to launch.

As mentioned earlier only an Agent can download the certificates. So it is the duty of agent to generate the certificate and share it with his team.