0 Replies
      Latest reply on May 17, 2019 3:01 PM by eskimo
      eskimo Apple Staff Apple Staff (11,225 points)

        The question about how to notarise an installer package (.pkg) containing a KEXT has come up on a number of threads [1] over the past few weeks.  Unfortunately my answers have been less than clear, so I sat down with the notarisation team to fix that.

        The fundamental question here is the order in which you notarise things.  Do you:

        • Sign the KEXT, wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option A).

        • Sign the KEXT, then notarise it, then staple the ticket to the KEXT, then wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option B).

        We generally recommend option A, because option B requires multiple round trips to the notarisation servers.

        For installer packages that don’t contain a KEXT, this is the end of the story.  For installer packages that contain a KEXT, there is one extra gotcha.  The gotcha, and its workaround, are described in the macOS Mojave 10.14.5 Release Notes (search for “50205533”).

        I’ve locked this post so that I can update if there are any further developments.  If you have follow-up questions, either post them to your existing thread or, if you don’t have an existing thread, create a new thread here on Distribution > Mac Apps.

        Share and Enjoy

        Quinn “The Eskimo!”
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"

        [1] Including this, this, this, and this.