gregneagle / pycreateuserpkg

Python tool to create macOS packages that create user accounts

Notarization fails on MacOS Catalina #55

Closed jelimoore closed 4 years ago

jelimoore commented 4 years ago

Just cloned this tool and I'm using it to test pkgs for our new Mac deployment. I used pkgsign to sign the package out of the installer, but the Apple notarization is refusing to notarize my package. It's saying that the createuser script is not signed. What steps should I be taking to sign the script?

Output of the notarization error:

```json
"issues": [
{
  "severity": "error",
  "code": null,
  "path": "create_admin_0.1_signed.pkg/create_admin_0.1_signed.pkg Contents/Scripts/createuser",
  "message": "The binary is not signed.",
  "docUrl": null,
  "architecture": "x86_64"
},
{
  "severity": "error",
  "code": null,
  "path": "create_admin_0.1_signed.pkg/create_admin_0.1_signed.pkg Contents/Scripts/createuser",
  "message": "The signature does not include a secure timestamp.",
  "docUrl": null,
  "architecture": "x86_64"
},
{
  "severity": "error",
  "code": null,
  "path": "create_admin_0.1_signed.pkg/create_admin_0.1_signed.pkg Contents/Scripts/createuser",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": null,
  "architecture": "x86_64"
}
```

Output of `pkgsign --check-signature`:

```
Package "create_admin_0.1_signed.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2020-08-12 14:42:58 +0000
Certificate Chain:
1. Developer ID Installer: [REDACTED], Inc. (ABC123)
   Expires: 2025-nn-nn nn:nn:nn +0000
   SHA256 Fingerprint:
       [redacted]
   ------------------------------------------------------------------------
2. Developer ID Certification Authority
   Expires: 2027-02-01 22:12:15 +0000
   SHA256 Fingerprint:
       7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
       F2 9C 88 CF B0 B1 BA 63 58 7F
   ------------------------------------------------------------------------
3. Apple Root CA
   Expires: 2035-02-09 21:40:36 +0000
   SHA256 Fingerprint:
       B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
       68 C5 BE 91 B5 A1 10 01 F0 24
```

gregneagle commented 4 years ago

What problem are you trying to solve by notarizing the package? It’s not needed for any non-manual deployment method. Are you sure it’s worth the effort?

gregneagle commented 4 years ago

In any case I’d expect you’d need to use codesign to sign the createuser binary.
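
To turn the notary log above into the codesign invocation this reply refers to, here is an added example (not code from pycreateuserpkg or from either participant): it groups the error-severity issues by path and maps each message to the codesign option that clears it. The sample log is constructed to match the three errors quoted in the issue, the wrapper object around `"issues"` is assumed, and the signing identity is a placeholder; `--force`, `--sign`, `--timestamp` and `--options runtime` are the standard codesign options.

```python
import json
import shlex
from collections import defaultdict

# Constructed sample modelled on the notarization output quoted in this issue;
# the issue shows only the "issues" fragment, so the wrapper object is assumed.
PATH = "create_admin_0.1_signed.pkg/create_admin_0.1_signed.pkg Contents/Scripts/createuser"
NOTARY_LOG = json.dumps({"issues": [
    {"severity": "error", "code": None, "path": PATH, "docUrl": None,
     "architecture": "x86_64", "message": "The binary is not signed."},
    {"severity": "error", "code": None, "path": PATH, "docUrl": None,
     "architecture": "x86_64",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "error", "code": None, "path": PATH, "docUrl": None,
     "architecture": "x86_64",
     "message": "The executable does not have the hardened runtime enabled."},
]})

# Each notary error message and the codesign options that address it.
REMEDIATION = {
    "The binary is not signed.": ["--sign", "IDENTITY"],
    "The signature does not include a secure timestamp.": ["--timestamp"],
    "The executable does not have the hardened runtime enabled.": ["--options", "runtime"],
}

def errors_by_path(log_text):
    """Group error-severity notary issues by the path inside the package."""
    grouped = defaultdict(list)
    for issue in json.loads(log_text).get("issues", []):
        if issue.get("severity") == "error":
            grouped[issue["path"]].append(issue["message"])
    return dict(grouped)

def codesign_command(messages, target, identity):
    """Build one codesign argv covering every known message for one file.
    Returns (argv, unknown_messages); unknown messages are surfaced, not dropped."""
    argv, unknown, seen = ["codesign", "--force"], [], set()
    for msg in messages:
        opts = REMEDIATION.get(msg)
        if opts is None:
            unknown.append(msg)
        elif msg not in seen:
            seen.add(msg)
            argv.extend(identity if o == "IDENTITY" else o for o in opts)
    if "--sign" not in argv:  # re-signing always needs an identity
        argv += ["--sign", identity]
    argv.append(target)
    return argv, unknown
```

Run the resulting command (`shlex.join(argv)` renders it for a shell) against the `createuser` file in the build tree before the package is rebuilt, since codesign cannot rewrite a file already inside a built flat package.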

jelimoore commented 4 years ago

> What problem are you trying to solve by notarizing the package? It’s not needed for any non-manual deployment method. Are you sure it’s worth the effort?

I was under the impression that all Mac software downloaded from the internet had to be notarized. Even our MDM says this: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-notarizing-your-macos-apps-to-prepare-for-macos/ba-p/808579

gregneagle commented 4 years ago

You plan to have people download this package you are creating from the Internet?

jelimoore commented 4 years ago

No, just distributed through MDM

gregneagle commented 4 years ago

Then notarization is unneeded.

gregneagle commented 4 years ago

I'm going to close this, since the question has been answered and there is no code issue here to address.