PKG Installer postinstall script not executing in Sonoma

Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed.

The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!!

Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this.

2024-04-25 16:29:51.570662-0300 0x1c62     Error       0x0                  308    0    syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null)
2024-04-25 16:29:51.570662-0300 0x1c62     Error       0x0                  308    0    syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private>
2024-04-25 16:29:51.570679-0300 0x1d13     Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100
2024-04-25 16:29:51.570682-0300 0x1d13     Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall

The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app.

#!/bin/bash

echo "Running postinstall"

/Applications/myapp.app/Contents/MacOS/myapp --load-system-extension &

exit 0

Any help would be much appreciated. Thanks!
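Added example (not part of the original post, and not Apple's tooling): in the log excerpt above, syspolicyd redacts the path as <private> while the kernel AppleSystemPolicy line carries it in clear, so joining the two on the pid shows which installer script was refused and why. The function names and the last sample line (pid 901) are constructed for illustration; the other sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Sample input: the four lines from the post, plus one constructed line
# (pid 901) for a process that is not an installer script.
sample_log() {
cat <<'EOF'
2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null)
2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private>
2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100
2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall
2024-04-25 16:30:02.000000-0300 0x1d20 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 901, /Users/Shared/constructed-example-tool
EOF
}

# Reads unified-log text on stdin and prints "pid<TAB>reason<TAB>path" for
# every process that AppleSystemPolicy refused inside a PKInstallSandbox
# directory, i.e. a pre/postinstall script run by the installer.
asp_installer_rejections() {
  awk '
    /syspolicyd:/ && /Terminating process due to / {
      # Tail looks like: "Malware rejection: 784, <private>"
      line = $0
      sub(/^.*Terminating process due to /, "", line)
      reason = line; sub(/: [0-9]+,.*$/, "", reason)
      pid = line;    sub(/^[^:]*: /, "", pid); sub(/,.*$/, "", pid)
      why[pid] = reason
    }
    /ASP: Security policy would not allow process: / {
      # Tail looks like: "784, /private/tmp/PKInstallSandbox.../postinstall"
      line = $0
      sub(/^.*would not allow process: /, "", line)
      pid = line; sub(/,.*$/, "", pid)
      sub(/^[0-9]+, /, "", line)
      if (line ~ /\/PKInstallSandbox\./) { n++; pids[n] = pid; paths[n] = line }
    }
    END {
      # Join at the end so the result does not depend on line order.
      for (i = 1; i <= n; i++) {
        r = (pids[i] in why) ? why[pids[i]] : "unknown"
        printf "%s\t%s\t%s\n", pids[i], r, paths[i]
      }
    }
  '
}

sample_log | asp_installer_rejections
```

On a Mac, the same function can read live data, for example `log show --last 10m | asp_installer_rejections` right after a failed install.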

Accepted Reply

After many tests I finally found a solution. Apparently the & at the end of the command is what's causing the issue in Sonoma.

So I had to replace this command:

/Applications/myapp.app/Contents/MacOS/myapp --load-system-extension &

With this one:

/usr/bin/open /Applications/myapp.app --args --load-system-extension

And now it works perfectly! I'm still curious about those better ways to activate an extension.

Replies

I’ve no idea what’s going on with the installer side of this, but this is a concern:

/Applications/myapp.app/Contents/MacOS/myapp --load-system-extension &

Loading a system extension like this is something I actively recommend against.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Hi Quinn, we only deploy on managed environments and we've never had problems loading the extension like that. Also if I remove that line from the script the issue persists.

we only deploy on managed environments and we've never had problems loading the extension like that.

If you only deploy in managed environments, there are better ways to activate your system extension.

Also if I remove that line from the script the issue persists.

What else does your script do?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Nothing else, that is the only thing the script does. What are those better ways to activate the extension? We already have profiles deployed that grant the extension permission and full disk access, if that is what you mean.

  • Actually I made a mistake before. If I remove that line from the script the issue disappears. Why could this be? Did something change in Sonoma regarding this?

I'm still curious about those better ways to activate an extension.

Device management isn’t really my forte, but I am aware of two relevant configuration profile payloads:

  • com.apple.system-extension-policy

  • com.apple.TCC.configuration-profile-policy

If you can’t get this working, there are a bunch of paths forward:

  • Ask around in your organisation. Given the nature of your business, it’s likely that you have in-house expertise with this sort of stuff.

  • There’s a Device Management tag here on DevForums, and I’ve definitely seen folks get answers there. If you start a new thread with this, please also add the System Extensions tag so that I can monitor your thread.

  • There’s the Business and Education topic area of Apple Support Community, run by Apple Support.

  • There are numerous Mac sysadmin resources out there on the wider Internet.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"