Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to upload Escrow Buddy to Hexnode MDM due to the package was not signed by Apple Developer #12

Open
jameshoangng opened this issue Jun 26, 2024 · 5 comments · May be fixed by #13
Open

Unable to upload Escrow Buddy to Hexnode MDM due to the package was not signed by Apple Developer #12

jameshoangng opened this issue Jun 26, 2024 · 5 comments · May be fixed by #13

Comments

@jameshoangng
Copy link

jameshoangng commented Jun 26, 2024
edited
Loading

Hi Team, please assist us with below context.
Summary

As we wanted to deploy Escrow Buddy to our employees' MacOS, but we are unable to upload the PKG package to Hexnode MDM Enterprise App repository. Hexnode MDM reported back that the application has not been signed by an Apple Developer.

Can you please help to assist us on this?

Appreciate for your response.

Regards,
James.
Steps to Reproduce
Please see the below screenshots from Hexnode. After uploading PKG file to the Hexnode MDM Enterprise App page, the status showed as "failed" as it reported back of requiring to sign by An Apple Developer.
image (3)
image

Expected Behavior

The PKG file is signed and successfully uploaded to Hexnode MDM Enterprise App

Environment

  • Escrow Buddy version: 1.0.0
  • macOS version: Sonoma 14.5
  • MDM version: Hexnode MDM 13.1.0

Additional Context
Reference link from Hexnode: https://www.hexnode.com/mobile-device-management/help/how-to-sign-macos-pkg-files-for-deployment-with-hexnode-mdm/
@homebysix
Copy link
Collaborator

The Escrow Buddy pkg downloadable from GitHub is indeed signed.

% pkgutil --check-signature ~/Downloads/Escrow.Buddy-1.0.0.pkg 
Package "Escrow.Buddy-1.0.0.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-06-11 23:33:47 +0000
   Certificate Chain:
    1. Developer ID Installer: Mac Admins Open Source (T4SK8ZXCXG)
       Expires: 2028-02-09 02:34:05 +0000
       SHA256 Fingerprint:
           B1 06 B6 26 DA 3B A8 48 34 F3 DF D2 CC 5E AC 03 91 31 05 3F A9 A2 
           B7 BA 2A 5E 33 3C 3B 05 53 7A
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2031-09-17 00:00:00 +0000
       SHA256 Fingerprint:
           F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F 
           D1 44 71 5F 35 06 43 D2 DF 3A
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

If that's the same pkg you're uploading, you may want to open a support request with Hexnode about why they don't detect its signing status.

@homebysix homebysix closed this as not planned Won't fix, can't repro, duplicate, stale Jun 28, 2024
@jameshoangng
Copy link
Author

Hi Elliot,

I just received Hexnode's response as below. Is it possible if you can support us on this please?
image

Regards,
James.

@homebysix
Copy link
Collaborator

I think what the support person meant to say is that the package must be a "distribution" style package in order to be sent via MDM, if the MDM is using the InstallApplication command to do so.

You can find a great resource about distribution packages in this post, which includes the steps you'll need to do to convert the existing component package to a distribution format. Hexnode provides similar instructions here. Basically, it's:

productbuild --sign "Developer ID Installer: PretendCo (ABCDE12345)" --package Escrow.Buddy-1.0.0.pkg Escrow.Buddy.Dist-1.0.0.pkg

You'll need a developer ID signing certificate from Apple to do this — either via a regular Developer account or via an Apple Enterprise Developer Program account. If you have neither, let me know and I may be able to help.

I would also suggest giving feedback to Hexnode that their error message is misleading. The problem wasn't that the package wasn't signed, it's that the package was not the distribution type package that Hexnode expected. They should be able to detect this condition and provide a link to their above support article in the resulting error message.

@homebysix homebysix reopened this Jul 2, 2024
@jameshoangng
Copy link
Author

Hi Elliot,

Thanks for your prompt response and detail explanation. Unfortunately, I currently don't have any Apple Developer accounts to execute the above command. I would need a little help from you on this. Appreciate if you can upload it back to the repo.

Also, I would give feedback to Hexnode team on fixing the error message and provide a support link on this issue.

Thank you,
James.

@homebysix homebysix linked a pull request Jul 21, 2024 that will close this issue
Open
@homebysix
Copy link
Collaborator

Hi @jameshoangng - May you try uploading the attached pkg (after unzipping it) to Hexnode and let me know whether that works? If so, I believe we'll have a permanent solution when #13 merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Create signed distribution package during release workflow macadmins/escrow-buddy
2 participants
@homebysix @jameshoangng