Problem with Installer being quarantined on MacOS

Michael Houlberg michael at houlbergdevelopment.com
Thu Mar 10 19:10:23 UTC 2022


Hey All,

I too experienced many problems using Omnis 10.2 with Monterey and Packages to create installers.  I used the certification built into Packages, but started receiving messages that it would not build.  Later I left off the built-in certification and instead used productsign in Terminal.  It verified, but when used, it failed to pass Gatekeeper, saying the internal Omnis app was not code signed properly.  After trying many other combinations of steps, I decided to jump into the tools from Apple and it’s been working out, but I still need to learn more to add more sophistication to my installers.

https://www.unix.com/man-page/osx/1/pkgbuild/
Use mode 3 of pkgbuild to create a component package from an app bundle.
pkgbuild [options] {--component component-path} package-output-path

https://www.unix.com/man-page/osx/1/productbuild/
Use mode 3 of productbuild to create a product package using a distribution file with the component package created with pkgbuild.
productbuild [options] --distribution dist-path [--package-path search-path] product-output-path

https://www.unix.com/man-page/osx/1/productsign/
Sign your product package with productsign instead of codesign.

Example:

1. Package Build the application component

pkgbuild --scripts scripts --identifier com.HoulbergDevelopment.pkg.SMSware --version 7.1 --install-location /Applications --component SMSware.app SMSComponent.pkg

Basically I created a component package which includes the customized, code-signed Omnis runtime and specifies the identifier, version, where I want it to install, and allows me to include a preinstall and postinstall script.  Scripts with those exact names are in a folder named “scripts”.

2. Product Build the product package
productbuild --resources resources --distribution distribution.dist SMSProduct.pkg

This step creates the product installer package including the component I created with pkgbuild and a script which must be named distribution.dist.  The tricky part is figuring out the exact format for distribution.dist.  I found some help in the links below for Apple’s Distribution Definition Files and How to unpack an installer.  I unpacked the installer built by Packages to learn how it is structured.  I noticed that Packages uses minSpecVersion="1" and Apple recommends using "2" now.  Was that part of my problem?  Including the readme and license files (in a folder named "resources") in the distribution file makes that a part of the installation presentation, pretty cool!

distribution.dist simple example

<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <options customize="never" require-scripts="false"/>
    <title>SMSware</title>
    <readme file="readme.rtf"/>
    <license file="license.rtf"/>
    <choices-outline>
        <line choice="default">
            <line choice="com.HoulbergDevelopment.pkg.SMSware"/>
        </line>
    </choices-outline>
    <choice id="default"/>
    <choice id="com.HoulbergDevelopment.pkg.SMSware" visible="false">
        <pkg-ref id="com.HoulbergDevelopment.pkg.SMSware"/>
    </choice>
    <pkg-ref id="com.HoulbergDevelopment.pkg.SMSware" version="7.1" onConclusion="none">SMSComponent.pkg</pkg-ref>
</installer-gui-script>

3. Product Sign the installer package using your installer certificate.
productsign --sign "Developer ID Installer: Houlberg Development, LLC (<your dev num>)" SMSProduct.pkg SMSware\ 7.1.pkg

This doesn’t sign the package you created, it creates another package which is signed.

4. Verify the signature
pkgutil --check-signature SMSware\ 7.1.pkg

5. Move the signed installer into the respective folder, create the Disk Image using Disk Utility.

6. Sign the disk image
codesign -f --timestamp --verbose -s "Developer ID Application: Houlberg Development, LLC (<your dev num>)" SMSware\ 7.1.dmg

7. Notarize the signed disk image
xcrun altool --notarize-app --primary-bundle-id com.HoulbergDevelopment.SMSware --file SMSware\ 7.1.dmg --username mholby at mac.com --password @keychain:SMSware

Somewhere on the Developer forums it was stated that you don’t notarize multiple levels for your application.  If you are using a drag install, notarize the app; if it is in a container like a package or disk image, or a package in a disk image, notarize the outer container only.  I’m putting the app in a package in a disk image, so I just notarize at that level.

8. After getting the email saying the application is notarized, Staple the dmg
xcrun stapler staple SMSware\ 7.1.dmg

More info that helped me

Apple’s Distribution Definition Files
https://developer.apple.com/library/archive/documentation/DeveloperTools/Reference/DistributionDefinitionRef/Chapters/Introduction.html

How to unpack an installer
https://stackoverflow.com/questions/7905884/where-can-i-find-out-about-a-macos-product-distribution-file#9784855

Michael Houlberg
Houlberg Development, LLC
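The eight steps above as one script, added here as a worked example; it is not Michael's or Paul's code. The app name, package identifier, signing identities, team ID and the notarytool keychain profile are placeholders, and it assumes a Mac with the Xcode command line tools and the same scripts/ and resources/ folders the steps describe. Two checks are added that the errors in this thread point at: codesign --verify --deep --strict on the app before it is packaged (Gatekeeper's "not code signed properly" and "nested code is modified or invalid" complaints come from the inner bundle, and productsign cannot repair that), and spctl --assess --type install on the signed package, which is the verdict a downloaded installer gets. It submits with xcrun notarytool rather than altool, since Apple has retired altool for notarization, and it validates the stapled ticket at the end.

```shell
#!/bin/sh
# Added example: build, sign, notarize and staple a .pkg inside a .dmg.
# Placeholder names throughout; requires macOS with Xcode command line tools.
set -eu

APP="${APP:-SMSware.app}"
PKG_ID="${PKG_ID:-com.example.pkg.SMSware}"
VERSION="${VERSION:-7.1}"
APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"
PKG_IDENTITY="${PKG_IDENTITY:-Developer ID Installer: Example Corp (TEAMID)}"
# Created once with: xcrun notarytool store-credentials notary
NOTARY_PROFILE="${NOTARY_PROFILE:-notary}"
COMPONENT="SMSComponent.pkg"
PRODUCT="SMSProduct.pkg"
SIGNED_PKG="SMSware ${VERSION}.pkg"
DMG="SMSware ${VERSION}.dmg"

# Step 0: the app going into the package must already carry a valid, deep
# signature; otherwise Gatekeeper rejects the package no matter how it is signed.
verify_app() {
  codesign --verify --deep --strict --verbose=2 "$1"
  spctl --assess --type execute --verbose=2 "$1"
}

# Step 2 helper: emit the distribution file productbuild consumes.
# Arguments: package id, version, component package file name.
write_distribution() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
    <options customize="never" require-scripts="false"/>
    <title>SMSware</title>
    <readme file="readme.rtf"/>
    <license file="license.rtf"/>
    <choices-outline>
        <line choice="default">
            <line choice="$1"/>
        </line>
    </choices-outline>
    <choice id="default"/>
    <choice id="$1" visible="false">
        <pkg-ref id="$1"/>
    </choice>
    <pkg-ref id="$1" version="$2" onConclusion="none">$3</pkg-ref>
</installer-gui-script>
EOF
}

build_and_sign() {
  verify_app "$APP"
  # 1. component package; scripts/ holds preinstall and postinstall
  pkgbuild --scripts scripts --identifier "$PKG_ID" --version "$VERSION" \
    --install-location /Applications --component "$APP" "$COMPONENT"
  # 2. product package built from the distribution file
  write_distribution "$PKG_ID" "$VERSION" "$COMPONENT" > distribution.dist
  productbuild --resources resources --distribution distribution.dist \
    --package-path . "$PRODUCT"
  # 3. productsign writes a new signed package; the input stays unsigned
  productsign --sign "$PKG_IDENTITY" "$PRODUCT" "$SIGNED_PKG"
  # 4. check the signature, then ask Gatekeeper what it thinks of the package
  pkgutil --check-signature "$SIGNED_PKG"
  spctl --assess --type install --verbose=2 "$SIGNED_PKG"
  # 5. disk image from a folder holding only the signed package
  rm -rf dist && mkdir dist && cp "$SIGNED_PKG" dist/
  hdiutil create -volname "SMSware ${VERSION}" -srcfolder dist -ov -format UDZO "$DMG"
  # 6. sign the outer container with the Application identity
  codesign --force --timestamp --sign "$APP_IDENTITY" "$DMG"
  # 7. notarize the outer container only; --wait blocks until Apple answers
  xcrun notarytool submit "$DMG" --keychain-profile "$NOTARY_PROFILE" --wait
  # 8. staple the ticket so the check works offline, then confirm it
  xcrun stapler staple "$DMG"
  xcrun stapler validate "$DMG"
}

if [ "${1:-}" = "run" ]; then
  build_and_sign
fi
```

Run it as `sh build.sh run` from the folder holding the app, scripts/ and resources/. To see what a user who downloads the result will experience, copy the dmg, add the quarantine flag with `xattr -w com.apple.quarantine "0083;00000000;Safari;" copy.dmg`, and open it; `spctl --assess --type install` on the package inside is the same decision Gatekeeper makes at that point.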

> On Mar 9, 2022, at 5:47 AM, Paul Mulroney via omnisdev-en <omnisdev-en at lists.omnis-dev.com> wrote:
> 
> Hi David,
> 
> I had a similar problem with Packages and Studio 10.2.   You productsign the installer, as opposed to codesigning the application.
> 
> This is the snippet from my bash script that I use to Notarise my installer.  ($appname is the path to the .pkg file, $bundleid is the installer bundle id, $zipname is the path to the compressed file ... you get the idea.  I also have my keychain set up with my developer identity so that I don't need to hard-code my certificate info into the script.)
> 
> # Strip any extended information eg Finder information - fixes "resource fork, Finder information, or similar detritus not allowed"
> xattr -r -d com.apple.FinderInfo "$appname"
> 
> # Sign
> echo "** Productsign the installer **"
> productsign --sign "$identity" "$appname" ./installer_signed.pkg >>results.txt 2>>errors.txt
> # Shuffle files around -> appname is now the signed version
> rm -f "$appname.unsigned"
> mv "$appname" "$appname.unsigned"
> mv ./installer_signed.pkg "$appname"
> 
> # Verify
> echo "** Verify the productsign result **"
> pkgutil --check-signature "$appname"
> 
> echo "Read the above output, and then"
> read -p "Press any key to resume ..."
> 
> # Create a zip archive
> echo "** Creating a zip archive backup for notarising **"
> /usr/bin/ditto -c -k --keepParent "$appname" "$zipname"
> 
> # Notarise
> echo "** Submitting file for notarisation **"
> xcrun altool --notarize-app --primary-bundle-id "$bundleid" --file "$zipname" --username "$username" --password "@keychain:AC_PASSWORD" >>results.txt 2>>errors.txt
> 
> echo "You need to check the status of notarisation at a later time."
> echo "Script complete"
> 
> 
>> On 9 Mar 2022, at 8:36 pm, David Blaymires <davidb at jobbag.com> wrote:
>> 
>> Hi Phil,
>> 
>> Sorry, something I wasn’t very clear about: we also Notarize the resulting installer.  Here’s the text from the log of the process.  The Staple and Validate action (prior to line 4268) is for the application that we have created; it has worked.  We then create the installer; it builds successfully using VMWare InstallBuilder v21.12.0, but then we have this error at line 4273, “Nested code is modified or invalid”.  (3 letter expletive acronym is uttered at this point…).
>> The staple and validate action worked!
>> 4268 Staple status: 0
>> 4269 Create installer
>> 4270  Building JobBag osx
>> 4271  0% ______________ 50% ______________ 100%
>> 4272  ########################################
>> 4273 Error: Error signing /Build files/Temp/ae46bbbb/JobBagv81.146-10.2-osx-installer.app: Invalid signature: /Build files/Temp/ae46bbbb/JobBagv81.146-10.2-osx-installer.app: nested code is modified or invalid
>> 4274 #
>> 4275 Notarize
>> 4276 No errors uploading 'JobBag.zip'.
>> 
>> I can’t think of any nested code that has changed or is invalid, especially as the 10.1 and 10.2 (3r30204) RT have not changed.
>> Note: This error started with the previous version of VMWare InstallBuilder (20.12.0), so it’s not the new version of VMWIB.  This happens with a 10.1 and 10.2 (r30204 and r31315) RT.  Just thought someone here may have come across this problem.
>> 
>> Regards,
>> 
>> David Blaymires
>> CEO : Instinct Systems : JobBag
>> 
>> Phone +61 2 8115 8001
>> Mobile +61 (0)416 183 848
>> davidb at jobbag.com
>> http://www.jobbag.com
>> 
>> From: omnisdev-en <omnisdev-en-bounces at lists.omnis-dev.com> on behalf of Phil (OmnisList) <phil at pgpotter.co.uk>
>> Date: Wednesday, 9 March 2022 at 8:03 pm
>> To: omnisdev-en at lists.omnis-dev.com <omnisdev-en at lists.omnis-dev.com>
>> Subject: Re: Problem with Installer being quarantined on MacOS
>> Hi David,
>> 
>> Sounds like you have not certified your installer.
>> 
>> I use packages which does that step for me.
>> 
>> regards
>> Phil Potter
>> Based in Chester in the UK.
>> 
>> On 09/03/2022 06:51, David Blaymires wrote:
>>> Hi,
>>> 
>>> Late in 2021 two things occurred - Apple changed their requirements in the Apple Developer program (we had to accept new terms and conditions) and we had to create new developer certificates for the notarizing process.  We build our application integrating our xcomps into the bundle, customising the logo, name, building the contents of the First Run folder etc and build a ZIP file that is then uploaded to Apple for notarizing.
>>> 
>>> Once we receive the successful notarizing notification back, we then use Install Builder to build our application installer, which is downloaded automatically by existing copies of JobBag and run without any problem.  However, when the resulting installer is downloaded from a website, the checks that Apple is doing as part of the download process are resulting in the installer being quarantined, and the only way to release it is to run the terminal command.  Frustrating.
>>> 
>>> Has anyone else come across this problem and been able to solve it?  I’m sure we are missing something very simple but it is so blindingly obvious we can’t see it.
>>> 
>>> Regards,
>>> 
>>> David Blaymires
>>> CEO : Instinct Systems : JobBag
>>> 
>>> Phone +61 2 8115 8001
>>> Mobile +61 (0)416 183 848
>>> davidb at jobbag.com
>>> http://www.jobbag.com
>>> 
>>> _____________________________________________________________
>>> Manage your list subscriptions at https://lists.omnis-dev.com
>>> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com
> 
> 
> I told my wife she was drawing her eyebrows too high. She looked surprised.
> -- 
> Paul W. Mulroney                                            We Don't Do Simple Pty Ltd 
> pmulroney at logicaldevelopments.com.au       Trading as Logical Developments
> www.logicaldevelopments.com.au                   ACN 161 009 374 
> Ph: +61 8 9458 3889                                       86 Coolgardie Street
>                                                                         BENTLEY  WA  6102
> 
> 