Create a package installer for an application in Apple Business Essentials

If you don’t have a signing identity, you can create one. The identity will have a name you choose and a random serial number to identify it (should you create more than one). If at any point these steps fail, close the Terminal window and open a new one. You must run these steps on macOS 13 or later.

1. Create a folder on your Desktop named temp.

2. Open the Terminal app, then enter cd and press the Space bar once.

3. Drag the temp folder into the Terminal app window.

   You should see a path similar to:

   cd /Users/[YourShortUserName]Desktop/packages

4. Press Return.

5. Enter ID="name", where name is a short name for your organization. Don’t use spaces in the name without quotes. For example, My Company should be MyCo or “My Company” (with quotes).

6. Press Return.

   Important: All further commands must take place inside this window.

7. Paste in all the commands below, then press Return.

   KEY="InstallerCertificate_${ID}_PrivateKey.pem"openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 \-addext basicConstraints=critical,CA:false \-addext keyUsage=critical,digitalSignature \-set_serial "0x$(openssl rand -hex 4)" \-subj "/CN=Installer Certificate ($ID)" \-out InstallerCertificate_"$ID".pem \-keyout "$KEY"

8. In the same Terminal window, paste in all the commands below, then press Return. Enter your password to set the new identity’s certificate as trusted.

   security import "InstallerCertificate_$ID.pem"security import "$KEY" \-T /usr/bin/productbuild -T /usr/bin/pkgbuildsecurity add-trusted-cert -d InstallerCertificate_"$ID".pem

9. Open the temp folder to see your new certificate, named InstallerCertificate_name.pem, and its private key, named InstallerCertificate_name_PrivateKey.pem, where name is the name chosen earlier in step 4.

10. Keep a copy of the certificate for your records because it’s needed to configure devices to trust packages signed with it.

    The private key has been imported into your keychain for secure storage and should be deleted from this folder.

    Important: It’s important that you delete the certificate’s key so no one else can pretend to be from your organization and sign packages.

The identity expires one year after its creation. At that time you must follow this process again and re-sign any packages that were signed by the previous identity and are still being distributed. The RSA private key for your identity is saved in your keychain for security. If you need to build and sign packages on another Mac, you must export the private key for import on the other Mac.

After creating a signing identify, your devices must be configured to trust it. You can do this by distributing the identity’s certificate as a setting.

1. Retrieve the InstallerCertificate_name.pem for the identity, where name is the name chosen when creating it.

2. Follow the task Configure a Certificate setting, and assign it to all devices where you’re installing packages you create.

   Important: Anyone who has the private key for a signing identity can create packages that configured devices trust without warning. Therefore if there’s any reason to believe the private key that matches the certificate has been lost or copied without authorization, you should delete the certificate setting and create a new signing identity.

After you have a signing identity that your devices are configured to trust, you can create packages with it so you can distribute apps to those devices. When you do, keep in mind that applications contained within a single .app bundle are the easiest to distribute.

1. Make sure the application is in your /Applications folder.

2. Create a folder on your Desktop named packages.

3. Open the Terminal app, then type cd and press the Space bar once.

4. Drag the packages folder into the Terminal app window, then press Return.

   You should see a path similar to:

   $ /Users/[YourShortUserName]Desktop/packages

5. Enter productbuild --sign, then press the Space bar once.

6. Add the name of your identity (where “name” is the name you entered in step 4 of the “Create an installer identity” task), press the Space bar once, type --component, then press the Space bar once again.

7. Drag the application from /Applications into the Terminal window, then press the Space bar once.

8. Enter a name for the package, which must end in .pkg and which is generally the same name as the application.

   An example should look like this:

   productbuild --sign MyCo --component /Applications/AppName AppName.pkg

9. Press Return.

   The productbuild command prints information as it processes the application and builds the package in your packages folder.

10. If this is the first time you’re using an identity you created, you may be prompted to enter your password to grant it permission to use the identity’s key. If so, enter your password and select Always Allow.

11. Quit the Terminal app.

    Note: Packages signed with an identity created outside of the Apple Developer Program will be rejected unless they’re delivered by a mobile device management (MDM) solution to a managed device that’s already configured to trust the identity. If you attempt to install a package created by this method on other devices, the installation will fail.

Apple devices must be configured to trust the new signing identity before the package can be sent to users to install the application.

1. Distribute the certificate. See Configure a Certificate setting.

2. After all devices have the new certificate, you can upload the package. See Create a package.