Notarizing a Flat Package containing another Flat Package?

Hello!


This isn't so much a Developer issue, but developers are far more knowledgable about Notarization than anyone else, so here I am! :-)


I'm creating a pkg with another (signed, notarized) pkg as its payload and a postinstall.sh to install that pkg (using /usr/sbin/installer) with particular configuration options. I can sign the resulting pkg just fine, but it has yet to pass Notarization. The original pkg installs fine with no warnings, but a pkg containing that original pkg fails Notarization with "The executable does not have the hardened runtime enabled" errors.


Does anyone have any ideas on how to achieve what I'm trying to do? I'd really rather not have to re-package the original pkg's payload, likely having to edit its preinstall and postinstall scripts to add my configuration options. Is it possible that I'm just getting caught in the timeline issue with original apps and pkgs that were Notarized before Feb 1, 2020?


Thanks for any info or pointers you can give!

That is sure what it seems like from here.

It could be possible to avoid to repackage the original package by ruining the original package on purpose.


Since the package is a xar file, it could be possible to:


1. edit the the first 4 bytes of the original .pkg to hide its file type to the notarization server.

2. from your pre or post-installation script, fix the first 4 bytes by putting back the "xar!: data.

3. then you can call the installer command line tool.


Side Note:


Do you really need the original .pkg to be part of your payload? If it's there only to be able to run installer and then remove the original .pkg, it might be better to have the original .pkg be part of the resources of your own package.

Notarizing a Flat Package containing another Flat Package?
 
 
Q