Notarizing Installer package/DMG of notarized DeveloperID app

We build a notarized Developer ID app as part of our CI process and everything works fine. The app is distributed inside a DMG.

A customer requested an installer package (.pkg) so we made one of the notarized app. But now I'm assailed by doubts - should we sign the package? Should we notarize it?

Why?

The installer is very simple, it puts the notarized app in /Applications. Gatekeeper doesn't seem to have anything bad to say about it on Catalina, so case closed?

It turns out that the DMG too is unsigned and not notarized and no-one has ever complained.

Does this mean we should carry on this way?

There seems to be a praxis of "notarizing the outer container", but we distribute two separate containers and I don't understand if there's any advantage to notarizing anything beyond the app.

Replies

You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.

The recommended QA procedure for installation is to start with a fresh macOS VM instance and use AirDrop or a web browser to download the file into it. Then double-click on it like a user would. If it installs and runs properly, you can ship it.

DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:
  • Sign the app, put it in the DMG, sign the DMG, then upload the dmg to be notarized.

  • Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it.

When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.

You can read a lot more here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
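The workflow and the QA point from this reply, as an added example that is not Apple's code and not the original poster's CI script: a Python release gate that follows the first approach (sign the app, build and sign the DMG, notarize the outer containers) and also produces the signed, notarized .pkg, then checks a downloaded copy the way a user's Mac would. It assumes Xcode command-line tools with notarytool (Xcode 13 or later) and a stored notarytool credential profile named AC_PROFILE (hypothetical); the signing identities and paths are placeholders.

```python
"""Release gate for a Developer ID app shipped as both a DMG and a .pkg.
Added example for this thread, not Apple's code or the original poster's CI.
Assumes notarytool (Xcode 13+) and a credential profile "AC_PROFILE" (hypothetical);
identities and paths below are placeholders."""
import json
import shlex
import subprocess
from pathlib import Path

APP_IDENTITY = "Developer ID Application: Example Corp (TEAMID0000)"  # placeholder
PKG_IDENTITY = "Developer ID Installer: Example Corp (TEAMID0000)"    # placeholder
KEYCHAIN_PROFILE = "AC_PROFILE"                                        # hypothetical


def run(cmd, check=True):
    """Run one tool invocation with captured text output, echoing it first."""
    print("+", " ".join(shlex.quote(c) for c in cmd))
    return subprocess.run(cmd, check=check, capture_output=True, text=True)

def sign_app(app: Path):
    # Hardened runtime and a secure timestamp are prerequisites for notarization.
    run(["codesign", "--force", "--options", "runtime", "--timestamp",
         "--sign", APP_IDENTITY, str(app)])
    run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(app)])

def build_dmg(app: Path, dmg: Path):
    """First approach in the reply: signed app -> DMG -> sign the DMG."""
    staging = dmg.parent / "dmg-root"
    staging.mkdir(parents=True, exist_ok=True)
    run(["ditto", str(app), str(staging / app.name)])  # ditto keeps bundle metadata intact
    run(["hdiutil", "create", "-volname", app.stem, "-srcfolder", str(staging),
         "-ov", "-format", "UDZO", str(dmg)])
    run(["codesign", "--timestamp", "--sign", APP_IDENTITY, str(dmg)])

def build_pkg(app: Path, pkg: Path):
    # Installer packages are signed with the Developer ID *Installer* identity.
    run(["productbuild", "--component", str(app), "/Applications",
         "--sign", PKG_IDENTITY, str(pkg)])

def notarization_accepted(notarytool_json: str) -> bool:
    """True only when notarytool's JSON output reports status "Accepted"."""
    try:
        data = json.loads(notarytool_json)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and data.get("status") == "Accepted"

def notarize_and_staple(artifact: Path):
    # Upload only the outer container; the app inside is checked in the same pass.
    result = run(["xcrun", "notarytool", "submit", str(artifact), "--keychain-profile",
                  KEYCHAIN_PROFILE, "--wait", "--output-format", "json"])
    if not notarization_accepted(result.stdout):
        raise RuntimeError(f"notarization of {artifact} not accepted:\n{result.stdout}")
    # Staple the ticket so Gatekeeper can verify without a network round trip.
    run(["xcrun", "stapler", "staple", str(artifact)])

def quarantine_state(xattr_value: str):
    """Decode a com.apple.quarantine value ("flags;hex-time;agent;uuid").
    Returns None for an empty value, i.e. a file that was never quarantined."""
    value = xattr_value.strip()
    if not value:
        return None
    flags, when, agent, uuid = (value.split(";") + [""] * 4)[:4]
    return {"flags": int(flags, 16) if flags else 0,
            "timestamp": int(when, 16) if when else 0,
            "agent": agent, "uuid": uuid}

def spctl_command(artifact: str) -> list:
    """Gatekeeper assessment matching the container type (pkg, dmg or app)."""
    path = Path(artifact)
    if path.suffix.lower() == ".pkg":
        return ["spctl", "--assess", "--type", "install", "-vv", str(path)]
    if path.suffix.lower() == ".dmg":
        return ["spctl", "--assess", "--type", "open", "--context",
                "context:primary-signature", "-v", str(path)]
    return ["spctl", "--assess", "--type", "execute", "-vv", str(path)]

def qa_check(downloaded: str) -> bool:
    """Run on the copy fetched onto a fresh Mac or VM via a browser or AirDrop.
    A file with no quarantine attribute (e.g. pulled down with a CLI tool) proves
    nothing, so refuse to judge it rather than report a pass."""
    attr = subprocess.run(["xattr", "-p", "com.apple.quarantine", downloaded],
                          capture_output=True, text=True)
    if attr.returncode != 0 or quarantine_state(attr.stdout) is None:
        raise RuntimeError(f"{downloaded} is not quarantined; Gatekeeper would not evaluate it")
    return run(spctl_command(downloaded), check=False).returncode == 0

def release(app_dir: str, out_dir: str):
    """Sign the app, build and notarize both containers, return their paths."""
    app, out = Path(app_dir), Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    sign_app(app)
    dmg, pkg = out / f"{app.stem}.dmg", out / f"{app.stem}.pkg"
    build_dmg(app, dmg)
    build_pkg(app, pkg)
    for artifact in (dmg, pkg):
        notarize_and_staple(artifact)
    return dmg, pkg
```

Call `release("build/MyApp.app", "dist")` on the build machine, then copy the resulting DMG and .pkg onto a clean VM through a browser and call `qa_check` on those copies; the RuntimeError in `qa_check` is deliberate, since a file that never received com.apple.quarantine is exactly the false-positive test the reply warns about. One design note: `stapler` attaches the ticket to the file it is given, and the app inside a read-only image cannot be stapled afterwards, so if the app copied out of the DMG should validate offline as well, staple the app before building the image.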

You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.

Urk - I downloaded the package from s3 using the aws cli tool! I guess that's not a valid test.

Thanks for your answer!

I guess that's not a valid test.

Indeed. For my advice on that front, see Testing a Notarised Product (sorry about the formatting, I hope to get that fixed soon after WWDC (r. 64523131)).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"