google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

Kext present in package-delivered payload causes upgrades to be 'noisy' #635

Closed arubdesu closed 3 years ago

arubdesu commented 3 years ago

Scenario: on devices with sysext support, we do not deliver the kext-allowing MDM payload. This prevents installs of the current stable Santa package from being silent, as the moment the unused kext payload hits /Library/Extensions, Apple triggers the prompt in the GUI to allow it. Some products with sysext and kext options use the distribution package format and have components with min/max_os_version metadata so Installer doesn't push that payload onto the disk, which would be one way to address this 'automagically'.

Another proposed solution would be to produce multiple pkgs for each release, one with only the sysext and the other with only the kext. I could then add an option for selecting whichever to the autopkg recipe. Thanks for your consideration!

russellhancox commented 3 years ago

Interesting, I wasn't aware it popped the UI as soon as the files exist; santad removes it again as soon as it loads the sysext for the first time. Making a distribution package with min/max versions should be easy enough.

russellhancox commented 3 years ago

This is completed, the next release will be a distribution package where the kext is a sub-package that is not installed on 10.15+. The package remains signed and notarized, along with the DMG that contains it.

There aren't any artifacts of this change on GitHub as our packaging, signing and notarizing script is internal. However, I've realized that there are some old bits lying around in the repo for making packages that are woefully out of date so at some point I'll try and make the script we're using somewhat generic and upload it for transparency.
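The mechanism both comments describe (a distribution package whose kext component is skipped on 10.15 and later) is usually expressed in the Distribution XML through a choice whose `selected` attribute is an Installer JavaScript expression. The following is an added example written for this page, not Santa's internal packaging script; the package identifiers, component filenames and `VERSION` placeholder are assumptions, and the gate is the choice-level `selected` expression rather than the package-wide `allowed-os-versions` check.

```xml
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
    <title>Santa</title>
    <!-- customize="never": the user cannot toggle choices in Installer.app,
         so the OS gate below decides what reaches the disk -->
    <options customize="never" require-scripts="false"/>

    <!-- Installer evaluates this JavaScript at choice-evaluation time.
         system.version.ProductVersion is the running macOS version ("10.14.6", "11.2", ...);
         needsKext() is true only before 10.15, where the sysext is unavailable. -->
    <script>
    function needsKext() {
        return system.compareVersions(system.version.ProductVersion, '10.15') &lt; 0;
    }
    </script>

    <choices-outline>
        <line choice="default">
            <line choice="santa"/>
            <line choice="kext"/>
        </line>
    </choices-outline>

    <choice id="default"/>

    <!-- Always installed: daemon, GUI agent and the system extension bundle.
         Identifier com.google.santa is an assumption for this example. -->
    <choice id="santa" visible="false">
        <pkg-ref id="com.google.santa"/>
    </choice>

    <!-- Kext sub-package: selected only when needsKext() is true. On 10.15+ the choice
         is deselected, the payload never lands in /Library/Extensions, and the
         "System Extension Blocked" approval prompt described in the issue never fires. -->
    <choice id="kext" visible="false" selected="needsKext()" enabled="needsKext()">
        <pkg-ref id="com.google.santa.kext"/>
    </choice>

    <!-- Component packages referenced by the choices (filenames and VERSION are assumed) -->
    <pkg-ref id="com.google.santa" version="VERSION" onConclusion="none">santa-core.pkg</pkg-ref>
    <pkg-ref id="com.google.santa.kext" version="VERSION" onConclusion="none">santa-kext.pkg</pkg-ref>
</installer-gui-script>
```

A practical workflow: let `productbuild --synthesize --package santa-core.pkg --package santa-kext.pkg Distribution.xml` generate a skeleton, replace its choice definitions with the gated ones above, then build and sign with `productbuild --distribution Distribution.xml --package-path . --sign "Developer ID Installer: ..." Santa.pkg` before notarizing. To confirm the gate without installing, run `installer -pkg Santa.pkg -showChoicesXML` on a 10.15+ machine and check that the `kext` choice reports `choiceIsSelected` as 0; after a real install, `/Library/Extensions` should contain no Santa kext on those hosts.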