Apple requires that packages delivered via Mobile Device Manager (MDM) be signed to protect package integrity. It is not enough to check a file size or hash to confirm that the whole package arrived; the package must carry a cryptographic signature to be accepted as valid. This does not require Apple to review its contents, only that a certificate issued by Apple's certificate authority was used to perform the signing.
You will need an [Apple Developer](https://developer.apple.com) account. If you do not have one, you will need a [paid membership](https://developer.apple.com/support/compare-memberships/) with Apple to generate the code-signing certificates required for signing packages. The cost is $99 USD per year.
- Developer Identifier – A ten-digit alphanumeric identifier associated with your Developer Account.
- Signing Certificate – Created using Apple's Xcode tool. Apple has detailed instructions on creating these certificate identities in its [Xcode documentation](https://help.apple.com/xcode/mac/current/#/dev154b28f09).
Xcode is required for this process.
Signing Software Packages for MDM delivery
Once the signing certificate is created, as outlined above, it will be visible in the Keychain Access utility located in `/Applications/Utilities`. The certificate name starts with `Developer ID Installer:` and is followed by your company name and the ten-digit alphanumeric identifier.
With the Developer Account and the created Signing Identity you are now ready to sign the package using the `productsign` command. (In the example below the company name is 'PretendCo Inc.' and the alphanumeric identifier is 'ABC123DEF4'.)

```sh
productsign --sign "Developer ID Installer: PretendCo Inc. (ABC123DEF4)" /path/to/my/unsigned.pkg /path/to/my/signed.pkg
```
If you want to check that a package is signed properly, open the package with Apple's Installer app, then click the lock icon in the upper right-hand corner. That shows the certificate authority chain for the package; it should resolve to the Apple Root CA.
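The same check can be scripted so that every package is verified before it is uploaded to MDM, rather than inspected by hand in the Installer app. The script below is an added example, not part of the original page: it wraps the `productsign` step shown above and then runs `pkgutil --check-signature`, accepting the package only if the status line reports a distribution signature, the leaf certificate is the expected `Developer ID Installer` identity, and the chain ends at the Apple Root CA. The identity and package paths are the page's placeholders; the sample `pkgutil` output embedded for offline testing is constructed to match the format `pkgutil` prints, with fake fingerprints.

```shell
#!/bin/sh
# Added example (not from the original page). Signs a package with the page's
# placeholder identity and verifies the result with pkgutil before MDM upload.
IDENTITY="Developer ID Installer: PretendCo Inc. (ABC123DEF4)"

# signature_ok OUTPUT IDENTITY
# Inspects the text produced by `pkgutil --check-signature` and succeeds only
# if the package is signed for distribution, the leaf certificate (entry 1 of
# the chain) is the expected identity, and the chain anchors at Apple Root CA.
signature_ok() {
  out=$1
  want=$2
  # Status line pkgutil prints for a valid Developer ID signed package.
  printf '%s\n' "$out" | grep -q 'Status: signed by a developer certificate issued by Apple for distribution' || return 1
  # Leaf certificate must be our identity, not some other team's Developer ID.
  printf '%s\n' "$out" | grep -qF "1. $want" || return 1
  # Chain must end at Apple's root, as the Installer app lock icon shows.
  printf '%s\n' "$out" | grep -q 'Apple Root CA' || return 1
  return 0
}

# verify_pkg PKG: runs pkgutil against a real package (macOS only).
verify_pkg() {
  signature_ok "$(pkgutil --check-signature "$1")" "$IDENTITY"
}

# sign_and_verify UNSIGNED SIGNED: the page's productsign step, then the check.
sign_and_verify() {
  productsign --sign "$IDENTITY" "$1" "$2" || return 1
  verify_pkg "$2"
}

# Constructed sample output modelled on pkgutil's format; fingerprints are fake.
SAMPLE_SIGNED='Package "signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2024-01-01 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: PretendCo Inc. (ABC123DEF4)
       SHA256 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
    2. Developer ID Certification Authority
       SHA256 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
    3. Apple Root CA
       SHA256 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF'

SAMPLE_UNSIGNED='Package "unsigned.pkg":
   Status: no signature'

# Only touch real packages when two paths are given on the command line:
#   sh sign_and_verify.sh /path/to/my/unsigned.pkg /path/to/my/signed.pkg
if [ "$#" -eq 2 ]; then
  sign_and_verify "$1" "$2" && echo "signed and verified: $2"
fi
```

Checking the leaf identity as well as the root matters in practice: a package signed by any Developer ID certificate would satisfy an Apple Root CA check alone, so an MDM pipeline should pin the specific `Developer ID Installer` identity it expects.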