If the application is packaged into the installer package and it is deployed, the installer package also need to support the Notarization Services.
This article explains that how to support Notarization Services for the installer.
Overview of How to make the installer
The installer of macOS is created with following 2 steps.
- Create the component package with
pkgbuild
. - Create the deployment installer with
productbuild
.
If the deployment file is disk image format, the step to create the dmg file with hdiutils
will be followed.
And you will upload it to the Apple Notarization Services.
Prerequirements of the Notarization
In prerequirements of the notarization, following things are related to the installer.
- Code-sign with the Developer ID Application Certificate or the Developer ID Installer Certificate.
- Contains the secure-timestamp.
I have used Developer ID Installer Certificate. I don’t know the Developer ID Application can be used.
The Component Package and The Deployment Installer
The deployment installer consists with some of component packages.
The component package is created per selection of the custom install. The custom install is a function that the user can select to install or skip.
If the installer only have express install and doesn’t have a custom install, required component package is only one.
In general, the component package is created per the installation target directory. For example:
- Main Application
- Extensions such as a driver
- Additional module such as a plugin module
- Document files such as a reference, help, and so on
Notarize the installer
To notarize the installer, the both of the component package and the deployment installer satisfy the prerequirements.
Code-Signing of the Component Package
To code-sign the component package, add the --sign
option and the --timestamp
option to the pkgbuild
argument.
For example:
pkgbuild --root root_dir \
--component-plist components.plist \
--identifier "com.example.app" \
--version "1.0.0" \
--install-location "/Applications" \
--sign "Developer ID Installer: Example" \
--timestamp \
com.example.app.pkg
Specify the certification with --sign
option and contains the secure-timestamp with --timestamp
option.
Code-Signing of the Deployment Installer
To code-sign the deployment installer, add the --sign
option and the --timestamp
option to the productbuild
argument.
For example:
productbuild --distribution "distribution.xml" \
--package-path "./" \
--resources "Resources" \
--sign "Developer ID Installer: Example" \
--timestamp \
ExampleApp.pkg
Same as the pkgbuild
argument. Specify the certification with --sign
option and contains the secure-timestamp with --timestamp
option.
Author Profile

- A professional developer specializing in macOS Apps, iOS Apps, SDKs and middleware development.
- Representative of RK Kaihatsu. I am a professional developer specializing in macOS Apps, iOS Apps, SDKs and middleware development. I often use ObjC, Swift and C++. Based on development experience, I provide e-learning contents, technical books and technical guidance. I am also a technical seminar instructor, in-house training instructor, and administrative / local goverment staff training instructor.