Sign Software Packages for MDM Delivery

Apple requires packages that are delivered via Mobile Device Manager (MDM) are signed for package integrity. It is not enough to just check the file size hash to ensure that the whole package arrived. The package needs to have been cryptographically signed to ensure it's a valid package. This doesn't require that Apple review its contents, only that a certificate from their valid certificate authority has handled that signing process.

Prerequisites:

You will need an [Apple Developer] (https://developer.apple.com) Account. If you do not have one, you will need a paid account with Apple (https://developer.apple.com/support/compare-memberships/) to generate the necessary code-signing certificates required for signing packages. The cost is $99 USD per year.

Requirements:

1. Developer Identifier – This is a ten digit alphanumeric identifier associated with your Developer Account.
2. Signing Certificate – This certificate is created using Apple’s Xcode tool. Apple has detailed instructions on creating these certificate identities in their Xcode documentation (https://help.apple.com/xcode/mac/current/#/dev154b28f09).

Signing Software Packages for MDM delivery

Once the signing certificate is created, as outlined above, it will be visible in the Keychain Access utility located in `/Applications/Utilities`. The certificate name starts with Developer ID Installer: and is followed by your company name and the ten digit alphanumeric identifier.

With the Developer Account and the created Signing Identity you are now ready to sign the package using the productsign command. (In the example below we will use the company name 'PretendCo Inc.' and the alphanumeric identifier 'ABC123DEF4'.)