Gatekeeper is a new mechanism introduced by Apple with OS X 10.8 to protect against malware.
What you need to know is that Gatekeeper, when it's enabled, will "block" installation packages if they are not signed with a Developer ID certificate.
You can find more information about the goal and protection levels of Gatekeeper on the dedicated safety page for OS X Mountain Lion.
Here is what you have to do to make your installation packages compatible with Gatekeeper:
Bundle packages or metapackages built with PackageMaker (Mac OS X 10.3/10.4 targets) or Iceberg cannot be signed.
To build a flat package or distribution, you can use one of the following solutions:
pkgbuild(1) and/or productbuild(1) command line tools
You have to be a paying member of the Mac Developer Program to be able to get a Developer ID Installer certificate (and the required intermediate certificates).
productsign(1):
PackageMaker does not "correctly" sign flat packages and distributions for Gatekeeper. Neither does Packages at the time of this writing.
Signing a flat package or distribution with productsign is easy and can be integrated in an automatic build process:
/usr/bin/productsign --sign "Developer ID Installer: xxxxx" your_unsigned_package_or_distribution.pkg your_newly_signed_package_or_distribution.pkg
To check the signing process was successful:
pkgutil(1) tool:
/usr/sbin/pkgutil --check-signature your_signed_package_or_distribution.pkg
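A build-time gate for the signing and verification steps above, as an added example rather than code from the original page. It assumes pkgutil prints a "Status:" line followed by a numbered certificate chain, and that the "no signature" and "untrusted" status wordings match the constructed samples; the function names and sample certificate names are hypothetical.

```shell
# Added example. Assumption: `pkgutil --check-signature` prints a "Status:"
# line and a numbered certificate chain, as in the constructed samples below.

# Reads pkgutil output on stdin. Succeeds only when the status is neither
# unsigned nor untrusted and the first (leaf) certificate is a
# Developer ID Installer certificate.
leaf_is_developer_id() {
    awk '
        /^[ \t]*Status:.*(no signature|untrusted)/ { bad = 1 }
        /^[ \t]*1\.[ \t]/ { sub(/^[ \t]*1\.[ \t]*/, ""); leaf = $0 }
        END {
            ok = (!bad && leaf ~ /^Developer ID Installer: /)
            exit(ok ? 0 : 1)
        }'
}

# Signs with productsign(1), then rejects the result unless pkgutil(1)
# reports a Developer ID Installer leaf certificate.
sign_and_verify() {
    identity=$1; unsigned_pkg=$2; signed_pkg=$3
    /usr/bin/productsign --sign "$identity" "$unsigned_pkg" "$signed_pkg" || return 1
    /usr/sbin/pkgutil --check-signature "$signed_pkg" | leaf_is_developer_id
}

# Constructed sample outputs (not captured from a real package).
sample_signed() { cat <<'EOF'
Package "Example.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (EXAMPLE123)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}
sample_other_cert() { cat <<'EOF'
Package "Example.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: Example Corp (EXAMPLE123)
    2. Apple Root CA
EOF
}
sample_unsigned() { cat <<'EOF'
Package "Example.pkg":
   Status: no signature
EOF
}

# Usage: sh sign_gate.sh "Developer ID Installer: xxxxx" in.pkg out.pkg
if [ "$#" -eq 3 ]; then sign_and_verify "$@"; fi
```

The gate fails the build when the leaf certificate is anything other than a Developer ID Installer certificate, which catches a package signed with the wrong identity before it reaches users.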
Please, remember to:
use productsign(1) to sign your installation packages. Do not use codesign(1).
According to the security recommendations from Apple, every single executable is supposed to be signed on Mac OS X. So it would make sense to also sign your Installer plugins, wouldn't it?
DO NOT SIGN Installer plugins included in flat distributions.
When you codesign an Installer plugin, Installer.app will crash when you open the flat distribution.
No, you can still install non-signed installation packages, metapackages or distributions:
curl), it will not be detected by Gatekeeper.
/System/Library/CoreServices/) and then select the package through the standard open panel, Gatekeeper will not detect it.