Notarising an Installer Package Containing a KEXT

This thread has been locked by a moderator.

The question about how to notarise an installer package (

.pkg
) containing a KEXT has come up on a number of threads [1] over the past few weeks. Unfortunately my answers have been less than clear, so I sat down with the notarisation team to fix that.

The fundamental question here is the order in which you notarise things. Do you:

  • Sign the KEXT, wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option A).

  • Sign the KEXT, then notarise it, then staple the ticket to the KEXT, then wrap the KEXT in a signed installer package, then notarise the package, then staple the ticket to the package (option B).

We generally recommend option A, because option B requires multiple round trips to the notarisation servers.

For installer packages that don’t contain a KEXT, this is the end of the story. For installer packages that contain a KEXT, there is one extra gotcha. The gotcha, and its workaround, are described in the macOS Mojave 10.14.5 Release Notes (search for “50205533”).

I’ve locked this post so that I can update if there are any further developments. If you have follow-up questions, either post them to your existing thread or, if you don’t have an existing thread, create a new thread here on Distribution > Mac Apps.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Including this, this, this, and this.

Up vote post of eskimo
2.6k views
Posted by
eskimo
Reply
Add a Comment