Question: Is Apple adding any restrictions to the Installer process to prevent abuses of preinstall scripts, such as those seen used by Zoom? For context, Zoom's preinstall script would detect if your account had admin privileges and do the following during the installation check phase:
A. Install the Zoom app without requesting admin credentials.
B. Kill the Installer process.
C. Launch the Zoom app
Answer: Apple cannot comment on future plans, but they are aware of the problem. At this time, no changes.
Question: What is the best practice for signing and notarizing packages you build of third-party applications? For context, some vendors prefer to build their own applications to install their apps, rather than using an installer package. It is possible to package up the installer application, then use a postinstall script associated with the installer package to run the vendor's installer application using command line tools.
In this case, the vendor would have signed and notarized their installer application, but I would also like to sign and notarize my installer package so that Gatekeeper is OK with it.
Answer: It should be fine to sign and notarize the installer package, the notarization of the third-party application should be fine and there shouldn't be a conflict.
Question: Why do payload-free packages need to be notarized? There's no payload.
Answer: What's in an installer package is recorded during notarization of that installer package. That's when Apple can say for certain whether they've detected something malicious inside an installer package.
A. Install the Zoom app without requesting admin credentials.
B. Kill the Installer process.
C. Launch the Zoom app
Answer: Apple cannot comment on future plans, but they are aware of the problem. At this time, no changes.
Question: What is the best practice for signing and notarizing packages you build of third-party applications? For context, some vendors prefer to build their own applications to install their apps, rather than using an installer package. It is possible to package up the installer application, then use a postinstall script associated with the installer package to run the vendor's installer application using command line tools.
In this case, the vendor would have signed and notarized their installer application, but I would also like to sign and notarize my installer package so that Gatekeeper is OK with it.
Answer: It should be fine to sign and notarize the installer package, the notarization of the third-party application should be fine and there shouldn't be a conflict.
Question: Why do payload-free packages need to be notarized? There's no payload.
Answer: What's in an installer package is recorded during notarization of that installer package. That's when Apple can say for certain whether they've detected something malicious inside an installer package.