macadmins / escrow-buddy

A macOS authorization plugin that helps MDM administrators ensure valid FileVault keys are escrowed for all their Macs.
Apache License 2.0
179 stars 9 forks

Unable to upload Escrow Buddy to Hexnode MDM because the package was not signed by an Apple Developer #12

Open jameshoangng opened 1 week ago

jameshoangng commented 1 week ago

Hi Team, please assist us with the below context.

Summary

We wanted to deploy Escrow Buddy to our employees' macOS devices, but we are unable to upload the PKG package to the Hexnode MDM Enterprise App repository. Hexnode MDM reported back that the application has not been signed by an Apple Developer.

Can you please assist us with this?

We appreciate your response.

Regards, James.

Steps to Reproduce

Please see the below screenshots from Hexnode. After uploading the PKG file to the Hexnode MDM Enterprise App page, the status showed as "failed", as it reported that the package needs to be signed by an Apple Developer.

Expected Behavior

The PKG file is signed and successfully uploaded to Hexnode MDM Enterprise App

Environment

Additional Context

Reference link from Hexnode: https://www.hexnode.com/mobile-device-management/help/how-to-sign-macos-pkg-files-for-deployment-with-hexnode-mdm/

homebysix commented 1 week ago

The Escrow Buddy pkg downloadable from GitHub is indeed signed.

% pkgutil --check-signature ~/Downloads/Escrow.Buddy-1.0.0.pkg 
Package "Escrow.Buddy-1.0.0.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-06-11 23:33:47 +0000
   Certificate Chain:
    1. Developer ID Installer: Mac Admins Open Source (T4SK8ZXCXG)
       Expires: 2028-02-09 02:34:05 +0000
       SHA256 Fingerprint:
           B1 06 B6 26 DA 3B A8 48 34 F3 DF D2 CC 5E AC 03 91 31 05 3F A9 A2 
           B7 BA 2A 5E 33 3C 3B 05 53 7A
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2031-09-17 00:00:00 +0000
       SHA256 Fingerprint:
           F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F 
           D1 44 71 5F 35 06 43 D2 DF 3A
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

If that's the same pkg you're uploading, you may want to open a support request with Hexnode about why they don't detect its signing status.

jameshoangng commented 5 days ago

Hi Elliot,

I just received Hexnode's response, as below. Is it possible for you to support us on this, please?

Regards, James.

homebysix commented 5 days ago

I think what the support person meant to say is that the package must be a "distribution" style package in order to be sent via MDM, if the MDM is using the InstallApplication command to do so.

You can find a great resource about distribution packages in this post, which includes the steps you'll need to do to convert the existing component package to a distribution format. Hexnode provides similar instructions here. Basically, it's:

productbuild --sign "Developer ID Installer: PretendCo (ABCDE12345)" --package Escrow.Buddy-1.0.0.pkg Escrow.Buddy.Dist-1.0.0.pkg

You'll need a developer ID signing certificate from Apple to do this — either via a regular Developer account or via an Apple Enterprise Developer Program account. If you have neither, let me know and I may be able to help.

I would also suggest giving feedback to Hexnode that their error message is misleading. The problem wasn't that the package wasn't signed, it's that the package was not the distribution type package that Hexnode expected. They should be able to detect this condition and provide a link to their above support article in the resulting error message.
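The two checks behind this diagnosis, as an added example that is not part of the escrow-buddy project or of the comments above: an expanded flat package is a distribution package when it has a top-level `Distribution` file and a component package when `PackageInfo` sits at the top level instead, and a `pkgutil --check-signature` report is only acceptable to an MDM when it shows a Developer ID Installer signature plus trusted notarization. The function names (`pkg_kind`, `signature_ok`, `inspect_pkg`) and the `YOUR ORG (TEAMID)` placeholder are assumptions of this example; `pkgutil --expand`, `pkgutil --check-signature` and `productbuild` are the real macOS tools.

```shell
#!/bin/sh
# Added example (not the escrow-buddy project's code): classify a pkg as
# component vs distribution and vet its signature report before handing it
# to an MDM that expects a signed, notarized distribution package.

# pkg_kind DIR: classify an expanded flat package (the layout that
# `pkgutil --expand` produces). A distribution package carries a top-level
# Distribution XML file; a component package has PackageInfo at the top level.
pkg_kind() {
  dir="$1"
  if [ -f "$dir/Distribution" ]; then
    echo distribution
  elif [ -f "$dir/PackageInfo" ]; then
    echo component
  else
    echo unknown
    return 1
  fi
}

# signature_ok: read a `pkgutil --check-signature` report on stdin and succeed
# only if it shows a Developer ID Installer signature issued by Apple for
# distribution and a notarization ticket trusted by Apple's notary service.
signature_ok() {
  report=$(cat)
  printf '%s\n' "$report" | grep -q 'Status: signed by a developer certificate issued by Apple for distribution' || return 1
  printf '%s\n' "$report" | grep -q 'Notarization: trusted by the Apple notary service' || return 1
  printf '%s\n' "$report" | grep -q 'Developer ID Installer:' || return 1
}

# inspect_pkg PKG: macOS-only wrapper that runs both checks on a real pkg and,
# if it is still a component package, prints the productbuild wrap needed.
# "YOUR ORG (TEAMID)" is a placeholder for your own Developer ID Installer cert.
inspect_pkg() {
  pkg="$1"
  work=$(mktemp -d) || return 1
  pkgutil --expand "$pkg" "$work/expanded" || { rm -rf "$work"; return 1; }
  kind=$(pkg_kind "$work/expanded")
  rm -rf "$work"
  if pkgutil --check-signature "$pkg" | signature_ok; then
    echo "signature: ok (Developer ID Installer, notarized)"
  else
    echo "signature: NOT a notarized Developer ID Installer signature"
  fi
  echo "kind: $kind"
  if [ "$kind" = component ]; then
    echo "wrap it as a distribution package before uploading, e.g.:"
    echo "  productbuild --sign 'Developer ID Installer: YOUR ORG (TEAMID)' --package '$pkg' '${pkg%.pkg}.Dist.pkg'"
  fi
}

# Usage on a Mac: inspect_pkg ~/Downloads/Escrow.Buddy-1.0.0.pkg
```

Run against the GitHub download, `pkg_kind` reports `component` while `signature_ok` passes, which is exactly the combination that produced Hexnode's misleading "not signed" error: the signature is fine, only the package type is wrong for the InstallApplication path.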

jameshoangng commented 4 days ago

Hi Elliot,

Thanks for your prompt response and detailed explanation. Unfortunately, I currently don't have any Apple Developer accounts to execute the above command. I would need a little help from you on this. I would appreciate it if you could upload it back to the repo.

Also, I will give feedback to the Hexnode team on fixing the error message and providing a support link for this issue.

Thank you, James.