Jamf Pro – Notarize a package

Since the release of macOS 10.15 Catalina, Apple made the notarization of apps a requirement for distribution out of the App Store. But distributing packages through JAMF Pro didn’t need the notarization of packages.

Recently, we wanted to use the Prestage packages for our enrollment. Impossible to deploy it on our test machine as it’s blocked by Gatekeeper. When opening the package, I got this error :

Gatekeeper_blocked

I checked the package with this command :

spctl -a -vvv -t install "<path/to/the/package.pkg>"

I got this return :

/Users/home/Desktop/PrestagePackage.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)

Let’s see how we can fix it.

We will need some prerequisites before going further :

First, be sure your package is signed with your developer certificate. You must use the Developer ID Installer certificate for that.

Now, you’ll have to submit your package to Apple so they will approve it. Use the following command :

xcrun altool --notarize-app -f "/Users/home/Desktop/PrestagePackage.pkg" --primary-bundle-id com.company.package --username "YourAppleID" --password "YourAppSpecificPassword"

If you have this error :

xcrun: error: unable to find utility "altool", not a developer tool or in PATH

run the following command

sudo xcode-select -s /Applications/Xcode.app

Wait a little and you should get a return telling you there was no errors uploading your package, with a request UUID.

You’ll soon receive a mail from Apple :

That means your package is notarized. But there is one last step : staple this package. 

Why are we doing this ? The notarization creates a ticket on Apple servers. This ticket is retrieved by Gatekeeper each time you open the package.

But if you’re offline, you won’t be able to check your package is notarized and you’ll be blocked. By stapling this ticket to the package, Gatekeeper can validate the notarization, even offline.

Type the following command :

xcrun stapler staple "/Users/home/Desktop/PrestagePackage.pkg"

Now verify your package is correctly notarized by typing again

spctl -a -vvv -t install "<path/to/the/package.pkg>"

This time, you should get the following output :

/Users/home/Desktop/PrestagePackage.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Me (XXXXXX)
 
You can now upload the package to the JAMF console and set it in your Prestage content.

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée.

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.