notarizing and stapling apps in pkgs in a dmg

We provide our software on a single dmg that contains several pkgs that are then used individually on customer computers. That is, the installers will usually not be run directly from the dmg. So I think the correct approach is to notarize and staple each pkg before creating the dmg. In this case, is it unnecessary to notarize the dmg?


And a similar question / request for clarification: I understand that notarizing a pkg will also notarize the apps contained therein, but is it the case that we only have to staple the pkg, and this will include whatever is needed for the apps as well?


Thanks for any insights,


Mark

Replies

In this case, is it unnecessary to notarize the dmg?

Our general advice is that you only notarise the outermost container, which would be the disk image in this case. Whether that makes sense here depends on how the specific installer packages get installed. If your users download the disk image, mount it, copy off the installer package, and then open the package on the same machine that mounted the disk image, notarising just the disk image will be fine. If the workflow is more complex, can you elaborate on what that is?

I understand that notarizing a pkg will also notarize the apps contained therein, but is it the case that we only have to staple the pkg, and this will include whatever is needed for the apps as well?

Correct. When you open a container (other than a zip file, which can’t be stapled to), the system ingests any ticket attached to that container. As long as the ticket covers the app (which it should, and you can check by looking at the notarisation logs), there’s no need to staple the app itself.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the clarification on stapling the pkgs. As for the dmg:


If your users download the disk image, mount it, copy off the installer package, and then open the package on the same machine that mounted the disk image, notarising just the disk image will be fine. If the workflow is more complex, can you elaborate on what that is?


We provide a dmg so there is just one file to download. The dmg contains installers for our server, admin tool, client, etc. So typically our customers will download the dmg and copy the installers to be used/distributed individually to various computers. The dmg also contains installers for Windows, Linux, etc. So the dmg is just a convenient container for those of our customers who prefer Macs. We also build a zip file with the exact same contents so customers who prefer other platforms can get all of our software in a single download. Also too, we provide each installer as a separate download for those who just need one component or another instead of all the things.

So typically our customers will download the dmg and copy the installers to be used/distributed individually to various computers.

Yeah, I’ve seen this sort of thing before. In this case the disk image isn’t really buying you anything, but I’m reluctant to recommend that you ship it without signing and notarising it first.

Have you thought about switching to a zip archive for all your customers, Mac and non-Mac? That’d simplify your distribution model and avoid this question.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
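A release script that follows the advice in both replies above: notarize and staple every pkg first (its ticket covers the apps inside, so they are not stapled separately), then sign, notarize and staple the dmg that carries them. This is an added example, not code from the thread or from Apple; the keychain profile name AC_PROFILE, the Developer ID identity string and the source directory are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed: a notarytool keychain
# profile named AC_PROFILE, a Developer ID Application identity, and a source
# directory holding already-signed .pkg files. DRY_RUN=1 echoes commands only.

DRY_RUN="${DRY_RUN:-0}"
PROFILE="${PROFILE:-AC_PROFILE}"   # assumed keychain profile (notarytool store-credentials)
DMG_IDENTITY="${DMG_IDENTITY:-Developer ID Application: Example Corp (TEAMID)}"  # assumed

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Submit one container for notarization and staple the ticket to it, so
# Gatekeeper still finds the ticket after the file is copied to a Mac that
# never mounted the dmg (the scenario described in the question).
notarize_and_staple() {
  run xcrun notarytool submit "$1" --keychain-profile "$PROFILE" --wait || return 1
  run xcrun stapler staple "$1" || return 1
  run xcrun stapler validate "$1"
}

# Build the outer disk image, then sign it with a Developer ID Application
# identity (a dmg must be signed before it can be notarized and stapled).
build_dmg() {
  srcdir="$1"; dmg="$2"; volname="$3"
  run hdiutil create -volname "$volname" -srcfolder "$srcdir" -ov -format UDZO "$dmg" || return 1
  run codesign --sign "$DMG_IDENTITY" --timestamp "$dmg" || return 1
  notarize_and_staple "$dmg"
}

# Notarize and staple each installer package individually, then wrap them
# in a signed, notarized, stapled dmg. Each pkg ticket covers the apps it
# installs, which is why nothing inside the packages is stapled here.
release() {
  srcdir="$1"; dmg="$2"
  for pkg in "$srcdir"/*.pkg; do
    [ -e "$pkg" ] || continue
    notarize_and_staple "$pkg" || return 1
  done
  build_dmg "$srcdir" "$dmg" "ExampleSuite"
}
```

After a real run, `spctl --assess --type install -vv <pkg>` on a different Mac confirms each package is accepted on its own ticket; the notarization log (`xcrun notarytool log`) lists what each ticket covers.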