Supporting notarization services in the installer

If the application is packaged into an installer package for deployment, the installer package also needs to support the Notarization Services.

This article explains how to support the Notarization Services for the installer.

Overview of How to make the installer

A macOS installer is created in the following 2 steps.

  1. Create the component package with pkgbuild.
  2. Create the deployment installer with productbuild.

If the deployment file is in disk image format, a step to create the dmg file with hdiutil follows.

You then upload it to the Apple Notarization Services.

Prerequisites for Notarization

Among the prerequisites for notarization, the following relate to the installer.

  • It is code-signed with the Developer ID Application Certificate or the Developer ID Installer Certificate.
  • It contains a secure timestamp.

I have used the Developer ID Installer Certificate. I don’t know whether the Developer ID Application can be used.

The Component Package and The Deployment Installer

The deployment installer consists of one or more component packages.

A component package is created for each selection in the custom install. The custom install is a function that lets the user choose whether to install or skip each item.

If the installer only has an express install and doesn’t have a custom install, only one component package is required.

In general, a component package is created for each installation target directory. For example:

  • Main Application
  • Extensions such as a driver
  • Additional modules such as a plugin module
  • Document files such as a reference, help, and so on

Notarize the installer

To notarize the installer, both the component package and the deployment installer must satisfy the prerequisites.

Code-Signing of the Component Package

To code-sign the component package, add the --sign option and the --timestamp option to the pkgbuild arguments.

For example:

# The last argument is the output path of the component package (placeholder name).
pkgbuild --root root_dir \
         --component-plist components.plist \
         --identifier "" \
         --version "1.0.0" \
         --install-location "/Applications" \
         --sign "Developer ID Installer: Example" \
         --timestamp \
         "Component.pkg"

Specify the certificate with the --sign option and include the secure timestamp with the --timestamp option.

Code-Signing of the Deployment Installer

To code-sign the deployment installer, add the --sign option and the --timestamp option to the productbuild arguments.

For example:

# The last argument is the output path of the deployment installer (placeholder name).
productbuild --distribution "distribution.xml" \
             --package-path "./" \
             --resources "Resources" \
             --sign "Developer ID Installer: Example" \
             --timestamp \
             "Installer.pkg"

These are the same as the pkgbuild arguments. Specify the certificate with the --sign option and include the secure timestamp with the --timestamp option.
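Before uploading, both prerequisites can be checked on the built packages. The script below is an added example, not part of the original article: it reads the report printed by `pkgutil --check-signature` and confirms the Developer ID Installer signature and the trusted timestamp. The function name, verdict strings and sample reports are constructed for illustration, and the matched report lines are assumed to follow pkgutil's usual output layout.

```shell
#!/bin/sh
# Reads `pkgutil --check-signature <pkg>` output on stdin and prints a verdict:
# ok | not-dev-signed | wrong-cert | no-timestamp. Returns non-zero unless ok.
check_pkg_signature() {
    report=$(cat)
    # Prerequisite 1: signed with an Apple-issued developer certificate.
    case $report in
        *'Status: signed by a developer certificate issued by Apple'*) ;;
        *) echo not-dev-signed; return 1 ;;
    esac
    # Assumption: the identity passed to --sign is a Developer ID Installer one.
    case $report in
        *'Developer ID Installer:'*) ;;
        *) echo wrong-cert; return 1 ;;
    esac
    # Prerequisite 2: the secure timestamp requested with --timestamp.
    case $report in
        *'Signed with a trusted timestamp on:'*) ;;
        *) echo no-timestamp; return 1 ;;
    esac
    echo ok
}

# Constructed sample reports (not captured from a real package).
SAMPLE_SIGNED='Package "Installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2020-01-15 08:30:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example (TEAMID0000)'
SAMPLE_NO_TIMESTAMP='Package "Installer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example (TEAMID0000)'
SAMPLE_UNSIGNED='Package "Installer.pkg":
   Status: no signature'

# Usage on macOS: sh check_pkgs.sh Component.pkg Installer.pkg
status=0
for pkg in "$@"; do
    verdict=$(pkgutil --check-signature "$pkg" 2>&1 | check_pkg_signature) || status=1
    echo "$pkg: $verdict"
done
[ "$status" -eq 0 ] || exit 1
```

A `no-timestamp` verdict means the package was built without the --timestamp option and has to be rebuilt before upload.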
