Packaging

Jacob F. Grant edited this page Jun 6, 2018 · 2 revisions

Included in this repo is a munki-pkg build file. You will need to sign the final package either a Developer ID Installer or Mac Installer signing certificate.

Signing with the build file

This package must be signed for use with DEP/MDM. To acquire a signing certificate, join the Apple Developers Program or join the Apple Developer Enterprise Program.

Open the build-info.json file and specify your signing certificate.

"signing_info": {
    "identity": "Mac Installer: Erik Gomez (XXXXXXXXXXX)",
    "timestamp": true
},

Note that you cannot use a Mac Developer: signing identity as that is used for application signing and not package signing. Attempting to use this will result in the following error:

An installer signing identity (not an application signing identity) is required for signing flat-style products.

Signing with Hancock

If one chooses, you can also build the package for testing and then sign it with Hancock.

  1. Open Hancock and choose the correct signing certificate from the dropdown. It will have a ✅ next to acceptable certificates.
  2. Click sign and choose the package you wish to sign OR drag the package onto the Hancock window.
  3. Hancock will ask you where to save the signed version.

Combining InstallApplications with additional packages

In certain situations, it may be necessary to combine the InstallApplications package with one or more additional packages. While this is generally discouraged as it defeats much of the purpose of InstallApplications, it may be a requirement for certain workflows. For example, if you are using munki on AWS CloudFront and need to deploy a CloudFront middleware and private key or other confidential information to client machines.

There are several things to be aware of for packages deployed in this manner:

  • All bundled packages will install concurrently, so you will have no control over installation ordering. Be wary of race conditions.
  • Packages cannot require a user session, as they will be installed immediately. For DEP workflows, this means during SetupAssistant.
  • Additional packages will be installed and their scripts will run regardless of the results of the InstallApplications preflight script.

Ideally, additional packages should be limited to only those that absolutely require it (most likely secrets such as private keys). This not only allows you to take full advantage of InstallApplications, but also requires the final distribution package be signed and uploaded to your MDM less frequently.

Fortunately, this process is fairly simple.

  1. Build your InstallApplications package using the munki-pkg build file. You do not need to sign it.
  2. Build any additional packages you require that meet the requirements above.
  3. Combine the component packages into a signed distribution package using the productbuild command:

$ productbuild --sign "Mac Installer: Erik Gomez (XXXXXXXXXXX)" --package InstallApplications.pkg --package Additional.pkg Distribution.pkg

More information on building distribution packages from multiple pkgs can be found here.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.