Jamf Pro – Notarize a package

Since the release of macOS 10.15 Catalina, Apple has required apps distributed outside the App Store to be notarized. Packages distributed through Jamf Pro, however, did not need to be notarized.

Recently, we wanted to use Prestage packages for our enrollment. It was impossible to deploy the package on our test machine because Gatekeeper blocked it. When opening the package, I got this error:

[Image: Gatekeeper "blocked" dialog]

I checked the package with this command:

spctl -a -vvv -t install "<path/to/the/package.pkg>"

and got this output:

/Users/home/Desktop/PrestagePackage.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)

Let’s see how we can fix it.

We need one prerequisite before going further:

First, make sure your package is signed with your developer certificate. It must be signed with the Developer ID Installer certificate, not the Developer ID Application one.

Now submit your package to Apple for approval with the following command:

xcrun altool --notarize-app -f "/Users/home/Desktop/PrestagePackage.pkg" --primary-bundle-id com.company.package --username "YourAppleID" --password "YourAppSpecificPassword"

If you get this error:

xcrun: error: unable to find utility "altool", not a developer tool or in PATH

run the following command to point xcrun at your Xcode installation:

sudo xcode-select -s /Applications/Xcode.app

Wait a little and you should get a response saying there were no errors uploading your package, along with a request UUID.

You'll soon receive an email from Apple confirming the result:

That means your package is notarized. But there is one last step: stapling the notarization ticket to the package.

Why do this? Notarization creates a ticket on Apple's servers, and Gatekeeper retrieves this ticket each time you open the package.

But if the machine is offline, Gatekeeper cannot check that the package is notarized and blocks it. By stapling the ticket to the package, Gatekeeper can validate the notarization even offline.

Type the following command:

xcrun stapler staple "/Users/home/Desktop/PrestagePackage.pkg"

Now verify that the package is correctly notarized by running the check again:

spctl -a -vvv -t install "<path/to/the/package.pkg>"

This time you should get the following output:

/Users/home/Desktop/PrestagePackage.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)

You can now upload the package to the Jamf Pro console and add it to your Prestage content.
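The whole procedure above, wrapped into a small POSIX shell script as an added example (this is not code from the original post). It assumes Xcode's tools (`xcrun`, `altool`, `stapler`, `pkgutil`, `spctl`) are available, that the app-specific password is exported in a `NOTARY_PASSWORD` environment variable (read through altool's `@env:` password form), and that the package path, bundle id and Apple ID are replaced with your own. The `classify_spctl` function parses the before/after `spctl` output shown on the page so a script can tell "signed but unnotarized" from "notarized" instead of eyeballing the text; the two sample outputs in the block are constructed copies of that output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Drives the page's workflow:
# check the Developer ID Installer signature, submit with altool, staple the
# ticket after Apple's email, then verify with spctl. Assumes Xcode tools are
# installed and the app-specific password is in NOTARY_PASSWORD (assumed name).

# Classify spctl's assessment of an installer package.
# Prints one of: notarized, unnotarized, rejected. Returns 0 only for notarized.
classify_spctl() {
  case "$1" in
    *": accepted"*"source=Notarized Developer ID"*)
      echo "notarized"; return 0 ;;
    *": rejected"*"source=Unnotarized Developer ID"*)
      echo "unnotarized"; return 1 ;;
    *)
      echo "rejected"; return 1 ;;
  esac
}

# Prerequisite: the package must carry a Developer ID Installer signature,
# otherwise Apple will not notarize it and Gatekeeper will keep rejecting it.
check_signature() {
  pkgutil --check-signature "$1" | grep -q "Developer ID Installer"
}

# Step 1: upload the package for notarization. Apple answers asynchronously
# (request UUID now, result by email later), so this function only submits.
submit_for_notarization() {
  pkg="$1"; bundle_id="$2"; apple_id="$3"
  xcrun altool --notarize-app -f "$pkg" --primary-bundle-id "$bundle_id" \
    --username "$apple_id" --password "@env:NOTARY_PASSWORD"
}

# Step 2 (after Apple's email): staple the ticket so Gatekeeper can validate
# the package offline, then re-run spctl and check the verdict.
staple_and_verify() {
  pkg="$1"
  xcrun stapler staple "$pkg" || return 1
  verdict=$(classify_spctl "$(spctl -a -vvv -t install "$pkg" 2>&1)") || true
  echo "$pkg: $verdict"
  [ "$verdict" = "notarized" ]
}

# Constructed spctl outputs, shaped like the page's before/after output.
SAMPLE_REJECTED='/Users/home/Desktop/PrestagePackage.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)'
SAMPLE_ACCEPTED='/Users/home/Desktop/PrestagePackage.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)'

# Offline demonstration of the verdict parser on the constructed samples.
classify_spctl "$SAMPLE_REJECTED" || true   # prints: unnotarized
classify_spctl "$SAMPLE_ACCEPTED"           # prints: notarized

# Real run (uncomment and adjust the placeholders):
#   PKG="/Users/home/Desktop/PrestagePackage.pkg"
#   check_signature "$PKG" && submit_for_notarization "$PKG" com.company.package "YourAppleID"
#   # ... wait for Apple's email ...
#   staple_and_verify "$PKG"
```

Two practical notes: `xcrun stapler validate "$PKG"` confirms a ticket is actually attached without consulting Gatekeeper, which is a useful check before uploading to Jamf Pro; and Apple has since retired `altool --notarize-app` in favour of `xcrun notarytool submit --wait`, which blocks until the result is known, so on current Xcode releases the submit step above needs that tool instead while the staple and verify steps stay the same.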
