-
Notifications
You must be signed in to change notification settings - Fork 62
Packaging
Included in this repo is a munki-pkg build file. You will need to sign the final package either a Developer ID Installer
or Mac Installer
signing certificate.
This package must be signed for use with DEP/MDM. To acquire a signing certificate, join the Apple Developers Program or join the Apple Developer Enterprise Program.
Open the build-info.json file and specify your signing certificate.
"signing_info": {
"identity": "Mac Installer: Erik Gomez (XXXXXXXXXXX)",
"timestamp": true
},
Note that you cannot use a Mac Developer: signing identity as that is used for application signing and not package signing. Attempting to use this will result in the following error:
An installer signing identity (not an application signing identity) is required for signing flat-style products.
If one chooses, you can also build the package for testing and then sign it with Hancock.
- Open Hancock and choose the correct signing certificate from the dropdown. It will have a ✅ next to acceptable certificates.
- Click sign and choose the package you wish to sign OR drag the package onto the Hancock window.
- Hancock will ask you where to save the signed version.
In certain situations, it may be necessary to combine the InstallApplications package with one or more additional packages. While this is generally discouraged as it defeats much of the purpose of InstallApplications, it may be a requirement for certain workflows. For example, if you are using munki on AWS CloudFront and need to deploy a CloudFront middleware and private key or other confidential information to client machines.
There are several things to be aware of for packages deployed in this manner:
- All bundled packages will install concurrently, so you will have no control over installation ordering. Be wary of race conditions.
- Packages cannot require a user session, as they will be installed immediately. For DEP workflows, this means during SetupAssistant.
- Additional packages will be installed and their scripts will run regardless of the results of the InstallApplications preflight script.
Ideally, additional packages should be limited to only those that absolutely require it (most likely secrets such as private keys). This not only allows you to take full advantage of InstallApplications, but also requires the final distribution package be signed and uploaded to your MDM less frequently.
Fortunately, this process is fairly simple.
- Build your InstallApplications package using the munki-pkg build file. You do not need to sign it.
- Build any additional packages you require that meet the requirements above.
- Combine the component packages into a signed distribution package using the
productbuild
command:
$ productbuild --sign "Mac Installer: Erik Gomez (XXXXXXXXXXX)" --package InstallApplications.pkg --package Additional.pkg Distribution.pkg
More information on building distribution packages from multiple pkgs can be found here.
MacOS Monterey (as of Beta 6) will not launch the provided Python.framework if it still has the quarantine bit set. This can happen if you download release files from GitHub onto a build machine and do not strip the quarantine bit before packaging for your MDM. To strip these run
sudo xattr -r -d com.apple.quarantine /path/to/installapplications-x.y.z
before packaging.