Inspecting Downloads for Notarization

As of 10.14.5, newly-installed kernel extensions must be notarized in order to function correctly. How can we inspect the installer pkg files to make sure that the files being installed are properly notarized prior to install, rather than waiting for the alerts to tell us something's broken?


I have yet to figure out how to inspect an installer package to tell if the included Kext is properly notarized.


As an example, Kerio Connect's VPN Client is properly signed but not notarized; the installer package is valid and installs, but the kernel extension does not operate in 10.14.5 beta 2.

Replies

If you run spctl against the package, what do you get back? For an installer package you need to supply install to the -t argument, like so:

$ spctl -a -t install -vvvv /path/to/some.pkg

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn!


Thanks for responding. This is what I get when I inspect the installer package:


Persephone:~ tom$ spctl -a -t install -vvvv /Volumes/Kerio\ Control\ VPN\ Client\ 9.3.0/Kerio\ Control\ VPN\ Client\ Installer.pkg 
/Volumes/Kerio Control VPN Client 9.3.0/Kerio Control VPN Client Installer.pkg: accepted
source=Developer ID
origin=Developer ID Installer: Kerio Technologies (7WC9K73933)

There should be a failure notice, though, as the kext inside the package is un-notarized?


Though, the machine I'm testing on now has a kernel extension whitelist that includes Kerio's Team ID...


Tom

> This is what I get when I inspect the installer package

On 10.14.4? Or 10.14.5 beta?

> Though, the machine I'm testing on now has a kernel extension whitelist that includes Kerio's Team ID...

OK, that’s another wrinkle I hadn’t considered. It’s probably best to run these tests on a fresh machine. I tend to use a VM for this, so I can quickly bounce between, say, 10.14.4 and 10.14.5 beta snapshots.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Please forgive the late reply, I've done some additional research during Spring Break here, and it's been instructive.


Since we started this process, DisplayLink has released 5.1.1 of its kext, and the installer that they have posted is supposed to be notarized. Looking at the package:


Persephone:Extensions tom$ spctl -a -t install -vvvv /Volumes/DisplayLink\ Installer/DisplayLink\ Software\ Installer.pkg 
/Volumes/DisplayLink Installer/DisplayLink Software Installer.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: DisplayLink Corp (73YQY62QM3)

However, the package itself doesn't have a ticket stapled to it, which means that you must have access to the internet if you want it to install correctly. The spctl action itself isn't enough for you to know you have a viable package that will install offline. However, it appears that stapler can tell you:


Persephone:Extensions tom$ stapler validate -v /Volumes/DisplayLink\ Installer/DisplayLink\ Software\ Installer.pkg 
Processing: /Volumes/DisplayLink Installer/DisplayLink Software Installer.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package DisplayLink Software Installer.pkg uses a checksum of size 20
We do not know how to deal with trailer version 41376. Exepected 1
DisplayLink Software Installer.pkg does not have a ticket stapled to it.

And that's going to be what we need to do at that point.


Thanks again, Eskimo!
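The two checks the thread converges on (spctl -a -t install for Gatekeeper's verdict, stapler validate for a stapled ticket) are easy to script. The following is an added example, not code from this thread, from Apple or from either vendor: it parses the tool output so it can be exercised offline against the text posted above, and the captured samples are copied from those posts (the "unsigned" sample is constructed). The pkgutil --expand / tar unpacking in list_kexts and the "The validate action worked!" success string from stapler are my assumptions, not something shown in the thread.

```shell
#!/bin/sh
# Added example: wraps the two checks from this thread (spctl -a -t install
# and stapler validate) in functions that can be tested offline. Not code
# from the thread, from Apple, or from either vendor.

# Sample output copied from what was posted in the thread.
SAMPLE_KERIO='/Volumes/Kerio Control VPN Client 9.3.0/Kerio Control VPN Client Installer.pkg: accepted
source=Developer ID
origin=Developer ID Installer: Kerio Technologies (7WC9K73933)'

SAMPLE_DISPLAYLINK='/Volumes/DisplayLink Installer/DisplayLink Software Installer.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: DisplayLink Corp (73YQY62QM3)'

SAMPLE_STAPLER_MISSING='Processing: /Volumes/DisplayLink Installer/DisplayLink Software Installer.pkg
DisplayLink Software Installer.pkg does not have a ticket stapled to it.'

# Constructed, not from the thread: what an unsigned package produces.
SAMPLE_UNSIGNED='/tmp/unsigned.pkg: rejected
source=no usable signature'

# Reads spctl output on stdin; prints one of:
#   notarized   - accepted, source=Notarized Developer ID
#   signed-only - accepted, source=Developer ID (valid signature, no ticket)
#   rejected    - Gatekeeper refused it
#   unknown     - accepted for some other reason (e.g. a local spctl rule)
spctl_verdict() {
    out=$(cat)
    case "$out" in
        *': rejected'*) echo rejected ;;
        *': accepted'*)
            case "$out" in
                *'source=Notarized Developer ID'*) echo notarized ;;
                *'source=Developer ID'*)           echo signed-only ;;
                *)                                  echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Reads stapler validate output on stdin; prints stapled | unstapled | unknown.
# "The validate action worked!" is the success line I have seen from stapler;
# treat that string as an assumption, it is not shown in the thread.
stapler_verdict() {
    out=$(cat)
    case "$out" in
        *'does not have a ticket stapled'*) echo unstapled ;;
        *'The validate action worked'*)     echo stapled ;;
        *)                                  echo unknown ;;
    esac
}

# Runs both tools on a real package. Succeeds only when the package is
# notarized *and* carries a stapled ticket, i.e. it will install offline.
check_pkg() {
    pkg=$1
    gk=$(spctl -a -t install -vvvv "$pkg" 2>&1 | spctl_verdict)
    tk=$(stapler validate "$pkg" 2>&1 | stapler_verdict)
    printf '%s\n  gatekeeper: %s\n  ticket:     %s\n' "$pkg" "$gk" "$tk"
    [ "$gk" = notarized ] && [ "$tk" = stapled ]
}

# Shows which Team ID signed each kext in the payload. Expanding with
# pkgutil --expand and unpacking Payload with tar are my additions; this does
# not tell you whether the kext itself is notarized, only who signed it.
list_kexts() {
    pkg=$1
    tmp=$(mktemp -d) || return 1
    pkgutil --expand "$pkg" "$tmp/expanded" || { rm -rf "$tmp"; return 1; }
    find "$tmp/expanded" -name Payload | while IFS= read -r payload; do
        ( cd "$(dirname "$payload")" && tar -xf Payload 2>/dev/null )
    done
    find "$tmp/expanded" -name '*.kext' -prune -print | while IFS= read -r kext; do
        echo "$kext"
        codesign -dvv "$kext" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    done
    rm -rf "$tmp"
}

# Offline demo on the captured output; pass a .pkg path to check a real file.
printf '%s\n' "$SAMPLE_KERIO"           | spctl_verdict    # signed-only
printf '%s\n' "$SAMPLE_DISPLAYLINK"     | spctl_verdict    # notarized
printf '%s\n' "$SAMPLE_STAPLER_MISSING" | stapler_verdict  # unstapled
if [ $# -gt 0 ]; then check_pkg "$1" && list_kexts "$1"; fi
```

The point of splitting the parsing out is the one Tom hit: spctl's "accepted" alone is not the answer. A signed-only verdict explains a kext that installs but will not load on 10.14.5, and a notarized verdict without a stapled ticket explains an installer that works online and fails on an air-gapped machine. Run it on a clean VM, as Quinn suggests, since a local kext allow-list or spctl rule can mask either condition.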