Mountain Lion Signing packages

The intention of this post is to guide you through signing packages (pkg), i.e. installers, for Mac OS X 10.8 (Mountain Lion). There are different ways to make an installer for the Mac, and one of the most popular is PackageMaker, an application released by Apple for building installers. It is pretty easy to do basic things with PackageMaker, but customized things are not, the problem being that there is very little useful documentation from Apple.

Coming back to the task at hand: we need to sign our package using Apple’s Developer ID Installer certificate for Gatekeeper to allow the installer to run. There are two simple steps.

Step 1: Create a normal (unsigned) installer using either the UI or the command-line version of PackageMaker

Step 2: Use productsign to sign the Package

Usage: productsign [options] --sign identity input-product-path output-product-path

This works as long as the installer is in flat PKG format. Signing of the MPKG format is not supported.

Properly Signed Installer


Avoid using any of these methods.

1. Signing the Package using PackageMaker’s UI

2. Signing the Package using PackageMaker’s command line tool

Incorrectly signed installer


If you compare the incorrectly signed installer image with the correctly signed one, you will find one difference: the incorrectly signed installer does not carry the Developer ID Certification Authority certificate in its chain. Without this certificate Gatekeeper cannot verify the signature and rejects the installer. The problem lies with PackageMaker: it does not include the Developer ID Certification Authority certificate when signing the installer.
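To make the productsign step and the missing-intermediate check above concrete, here is an added example (not code from the original post): it signs a flat pkg with productsign, reads the chain back with pkgutil --check-signature, and fails if the Developer ID Certification Authority is absent. The identity name and file paths are assumptions, and the two report texts are constructed samples that approximate pkgutil output, so the chain checks can be exercised without macOS.

```shell
# Added example, not from the original post. Identity name and paths are
# assumptions; GOOD_REPORT/BAD_REPORT are constructed samples that
# approximate "pkgutil --check-signature" output.

# Reads a check-signature report on stdin; succeeds when the chain
# includes the Developer ID intermediate that Gatekeeper requires.
chain_has_developer_id_ca() {
    grep -q 'Developer ID Certification Authority'
}

# Reads a report on stdin; succeeds when the leaf (entry 1) is a
# Developer ID Installer identity rather than some other certificate.
chain_leaf_is_installer_identity() {
    grep -q '^ *1\. Developer ID Installer:'
}

# Sign input.pkg into output.pkg and verify it (needs the macOS tools).
sign_and_verify_pkg() {
    identity=$1; input=$2; output=$3
    productsign --sign "$identity" "$input" "$output" || return 1
    report=$(pkgutil --check-signature "$output") || return 1
    printf '%s\n' "$report" | chain_leaf_is_installer_identity || return 1
    printf '%s\n' "$report" | chain_has_developer_id_ca || {
        echo "chain lacks Developer ID Certification Authority" >&2
        return 1
    }
    # Ask Gatekeeper's own assessor whether it would accept the installer.
    spctl --assess --verbose --type install "$output"
}

# Constructed sample: what a productsign-signed package reports.
GOOD_REPORT='Package "MyInstaller.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: My Company
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Constructed sample: the PackageMaker case, intermediate missing.
BAD_REPORT='Package "MyInstaller.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Developer ID Installer: My Company'

printf '%s\n' "$GOOD_REPORT" | chain_has_developer_id_ca && echo "good: intermediate present"
printf '%s\n' "$BAD_REPORT" | chain_has_developer_id_ca || echo "bad: intermediate missing"
```

On a 10.8 machine with the identity in the login keychain, `sign_and_verify_pkg "Developer ID Installer: My Company" MyInstaller.pkg MyInstaller-signed.pkg` performs the real signing and assessment.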

Exporting Apple Developer Certificate

According to Apple, only an Agent can generate and download the developer certificates. Once the certificates are installed on a machine they can be shared with other users; the Keychain Access application has a simple feature for exporting them.

Steps involved in exporting the Apple Developer certificates:
1. Go to “/Applications/Utilities/” and launch Keychain Access.app
2. Click on the “Certificates” tab

3. Select the “Developer ID Installer: My Company” certificate.
4. Right-click on the certificate and select Export “Developer ID Installer: My Company”

5. A dialog will appear; select the Personal Information Exchange (.p12) format and give the certificate an identifiable name. By default the exported file is saved in the Documents folder.

6. Keychain Access will ask for a password. This password will be requested when you install the certificate on the other machine, so remember it!

Your certificate is now exported to the selected folder (by default the “Documents” folder). Repeat the same steps to export “Developer ID Application: My Company”.

When exporting the Developer ID Certification Authority certificate, Keychain Access will not ask for a password, and the file format should be Certificate (.cer).

Installing the certificate
Double click on the exported certificate. Keychain Access application will launch and display a dialog asking for the password. Enter the password set in step 6.

That is it for this post! You now know how to export and install Apple Developer certificates.

Mountain Lion Certificates

Before starting up Certificate generation, there are some important concepts to be understood. There are three possible roles that can be assigned to Apple Developer Program members: Agent, Admin, or Member.

Borrowed from Apple’s website.
1. Agent
The Agent (the original enrollee accepted into an Apple Developer Program) is the primary contact for the development team, is responsible for accepting all Developer Program Agreements, and can enroll their team in additional Apple Developer Programs.

2. Admin (company/organization only)
Developers assigned the Admin role serve as a secondary contact for teams enrolled in an Apple Developer Program as a company. Team Admins can invite members to the team, assign roles, and have access to the resources and benefits of the developer program they are enrolled in.

3. Member (company/organization only)
Developers assigned the Member role have access to the resources and benefits of the developer program they are enrolled in.

Now that you know the roles: if an “Admin” user goes to the certificate creation page, the option is disabled.

Disabled option to generate certificate

The rule also means that the Admin user cannot download the certificates either. It is the responsibility of “Agent” to generate and download the certificate and share it with the team.

Download option is also disabled.

Generating Certificates
If you are logged in as an Agent, the button in the first image will be enabled. Click on it and Apple will guide you through the process of generating the certificates. Remember that you have to generate two certificates: the Developer ID Application certificate and the Developer ID Installer certificate (the first time I tried, I missed generating the Developer ID Installer certificate). The Developer ID Application certificate is used for signing the application and the Developer ID Installer certificate is used for signing the installer. While you are at it, make it a point to download the Developer ID Intermediate certificate; without it Gatekeeper will not allow your application to launch.

As mentioned earlier, only an Agent can download the certificates, so it is the Agent’s duty to generate them and share them with the team.

Mountain Lion Gatekeeper

This is the first in a series of 3 posts documenting the working of Gatekeeper and signing of the plug-ins and the installers.

Gatekeeper is Apple’s security feature that is designed to protect Mac OS X users from malicious software.

Gatekeeper will be able to run in three modes:
1. Mac App Store: The default mode, a stricter mode in which users will only be able to install applications downloaded from the Mac App Store.
2. Mac App Store and identified developers: Relaxed mode that allows users to install applications downloaded from the Mac App Store or from identified developers (applications signed with a certificate issued by Apple).
3. Anywhere: Any application can be installed.

Gatekeeper options

While option 1 is the safest, option 3 is like being back on Lion or any other previous version of Macintosh. Option 2 seems like a good middle path which quite a few developers will take.

Important points to remember regarding Gatekeeper:
1. Gatekeeper does not check or restrict plug-ins, frameworks, etc.
2. Any software already installed, and that has been run at least once, will continue to run even after Gatekeeper is enabled. Gatekeeper checks on the first launch of an application.
3. Gatekeeper uses OCSP (Online Certificate Status Protocol) to verify the certificate; OCSP talks to servers over the Internet.
4. Gatekeeper validates all installers.

For more information on Gatekeeper behaviour, refer to the Macworld article and the TidBITS article.

I did a few experiments to understand Gatekeeper better.

Check 1: Downloaded a pkg installer (unsigned) on 10.6 and ran it on 10.8 from a pen drive
I downloaded a pkg installer that doesn’t work (not signed) on 10.8 (Mountain Lion) onto 10.6 (Snow Leopard) using Google Chrome, transferred it to a pen drive the next day and tried installing it. Gatekeeper detected that the pkg was not signed. The behavior was the same when I downloaded the installer from a mail server.

Downloaded on Snow Leopard but Gatekeeper detected it.

Check 2: Downloaded a pkg installer (unsigned) on 10.8
I downloaded a pkg installer that doesn’t work (not signed) on 10.8 onto 10.8 and tried installing it; again Gatekeeper was up to the task. The behavior was the same when I downloaded the installer from a mail server.

Check 3: Downloaded a signed pkg installer on a fresh 10.8 machine without internet
Basically this machine had Mountain Lion Preview 4 and my signed installer had not been used on it. I pulled out the LAN cable (WiFi was turned off) and tried to install my package using the pkg installer. Gatekeeper allowed the installer to run without any warning. It looks like OCSP (Online Certificate Status Protocol) is not the only check Gatekeeper performs. The good news is that Gatekeeper doesn’t need the machine to be connected to the internet to verify the certificates. The behavior was the same when I downloaded the installer from a mail server.

Check 4: Downloaded an application (unsigned) on 10.6 and ran it on 10.8 from a pen drive
The application didn’t have a pkg installer. I just had to drag and drop the app into “Applications” folder. Copy worked fine but when I tried to launch the application, Gatekeeper kicked in. I used an older version of TextWrangler to generate the issue.

Check 5: Downloaded an application (unsigned) on 10.8
Same as Check 4. Gatekeeper wouldn’t let me run the application. I used an older version of TextWrangler to generate the issue.

Check 4 and 5

Check 6: Downloaded a signed application on a fresh 10.8 machine without internet
Gatekeeper verified and allowed the application to launch.

Gatekeeper doesn’t quite meet my expectations. I would be very happy if it started validating frameworks, plug-ins and command line tools that the user can download from the internet. There are already improvements in the Gatekeeper implementation in Mountain Lion GM over Mountain Lion Preview 3. But it is a good start nonetheless.