Notarizing Installer package/DMG of notarized DeveloperID app

You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.

The recommended QA procedure for installation is to start with a fresh macOS VM instance and use Air Drop or a web browser to download the file into it. Then double click on it like a user would. If it installs and runs properly, you can ship it.

DMGs are like zip files -- notarization is not required to open them. However, their contents must be notarized in order to run. You can do one of two approaches:

• Sign the app, put it in the DMG, sign the DMG, then upload the dmg to be notarized.

• Zip up the app and notarize the app separately, then put it in a DMG and distribute the DMG without notarizing it

When you notarize a DMG, pkg, or bundle, everything inside is automatically unpacked and notarized as well. So you only need to upload the "top level" file for notarizing in a single pass, not the contents separately.

You can read a lot more here: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

You will need to sign the .pkg installer with Developer ID and notarize it in order for it to install on macOS 10.14.5 and newer. The reason why it may have appeared to work locally was that the pkg wasn't quarantined.

Urk - I downloaded the package from s3 using the aws cli tool! I guess that's not a valid test.

Thanks for your answer!

I guess that's not a valid test.

Indeed. For my advice on that front, see Testing a Notarised Product (sorry about the formatting, I hope to get that fixed soon after WWDC (r. 64523131)).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"