Security warning while installing .pkg file in mac OS desktop

Your spctl command returns "rejected" because --assess defaults to --type=execute, and you need to write --type=install.

Your installer probably includes a pre-install script. If you didn't have one, you wouldn't see the warning during installation.

Thanks for opening a forums thread about this.

First up, this has nothing to do with notarisation. No amount of better code signing or notarisation will address this issue. Rather, this alert is due to the way that you’re installer package is constructed.

I’m not an installer expert but I believe this is caused by your installer package using the allow-external-scripts property. Quoting the the docs:

Specifies whether the run and runOnce JavaScript functions can be executed.

That, in turn, leads to:

• The run routine

• The runOnce routine

And it’s that capability that’s triggering this alert. Indeed, it’s actually documented as such:

the Installer application asks the user’s permission before launching the program

If you don’t want that alert, you’ll have to rework your installer package to avoid this facility.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@ssmith_c

Thanks for your response. We tried the "assess command with install as type," and it returned the result as "accepted." Yes, we have included pre- and post-install scripts in our package.

@DTS Engineer Thanks for your detailed response.

As you mentioned, we haven't encountered any issues with notarization, and it was accepted. We do have pre- and post-install scripts. Do you know if this warning is purely informational and not a security concern?

Would you recommend an alternative approach to replace the pre-install script?

Well, it’s a security concern for the user, which is why they have to explicitly allow you to do it.

Again, I’m not really an installer expert, so I don’t have specific recommendations for you here. But my general advice is that you have to trade off the pros of this pre-install script against the cons of that alert.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello @rakesh_selvam, regarding

Yes, we have included pre- and post-install scripts in our package.

Pre and post-install scripts are just shell scripts that you provide to productbuild via a flag. Per Quinn's comments above, they are not what's causing the alert. Rather, it's allowing certain JavaScript functions in your distribution XML manifest. Are you able to share here the distribution.xml file you are using to build your installer product?

Hi @Engineer

We are using a GUI-based packaging tool called "Packages" to create the .pkg file.

I extracted the signed pkg file to check distribution.xml, here are the contents from the file:

 
<?xml version="1.0" encoding="UTF-8"?>
 
<installer-gui-script authoringTool="Packages" authoringToolVersion="1.2.10" authoringToolBuild="732" minSpecVersion="1.0">
 
    <options hostArchitectures="x86_64"/>
 
    <!--+==========================+
 
        |       Presentation       |
 
        +==========================+-->
 
    <title>DISTRIBUTION_TITLE</title>
 
    <background file="background" uti="public.png" scaling="proportional" alignment="bottomleft"/>
 
    <background-darkAqua file="background" uti="public.png" scaling="proportional" alignment="bottomleft"/>
 
    <!--+==========================+
 
        |         Installer        |
 
        +==========================+-->
 
    <choices-outline>
 
        <line choice="installer_choice_1"/>
 
    </choices-outline>
 
    <choice id="installer_choice_1" title="app title" description="">
 
        <pkg-ref id="app_bundle_id"/>
 
    </choice>
 
    <!--+==========================+
 
        |    Package References    |
 
        +==========================+-->
 
    <pkg-ref id="app_bundle_id" version="22.11.0" auth="Root" installKBytes="563402">#app.pkg</pkg-ref>
 
    <pkg-ref id="app_bundle_id">
 
        <must-close>
 
            <app id="app_bundle_id"/>
 
        </must-close>
 
    </pkg-ref>
 
</installer-gui-script>
 
```
```
 

Hello @rakesh_selvam, thank you for sharing your distribution manifest. I don't see allow-external-scripts being used. Besides this flag, the Installer app can still prompt the user with "This package will run a program to determine if the software can be installed" if your installer has plug-ins. Are you including any plug-ins?

@Engineer Yes, we have included OpenJDK as a plugin. I would like to inform you that the OpenJDK files are code-signed prior to notarization.

Hello @rakesh_selvam, thank you for confirming. So the alert you are seeing is a natural consequence of adding a plug-in. Since plug-ins are loadable bundles, the Installer app requires an additional confirmation step from the user.

Hello @rakesh_selvam, just to clarify, when I say installer plug-in, I mean a bundle created in Xcode to present a custom installation step to the user:

It seems OpenJDK might not be the same thing. Besides OpenJDK, are you including a custom installation step that could be causing the alert?

@Engineer Thank you for the clarification. Yes, we are using our own plugin to present a custom installation step.

Hello @rakesh_selvam, thank you for confirming. Since you are able to notarize your installer and the alert is a consequence of the installer plug-in, it seems things are working correctly.