Which contents of an installer package get notarized?

Based on discussions on the forum, it is recommended to only notarize the installation package and not the contents of the payload and then the installation package.


This means that the payload of a package submitted to the notarization server will be inspected and the appropriate items in the payload can be stapled.


Question:


What about the Installer Plugins and the contents of the Scripts archive inside a distribution and a package?


Are they also inspected and notarized by the server?


Is the stapling process able to add the tickets to the Installer Plugins and the contents of the Scripts archive?

Replies

Are they also inspected and notarized by the server?

I believe that plug-ins and tools are, but scripts aren’t. If you want to know for sure though, you should inspect the notarisation log. It lists the cdhashes of everything that’s included in the ticket.

Is the stapling process able to add the tickets to the Installer Plugins and the contents of the Scripts archive?

No. The ticket should cover everything within the installer package and be stapled to the package itself. You don’t need to staple an installer plug-in for the same reason you don’t need to staple an app that’s part of the payload.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
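The log check suggested in the reply above, as an added example that is not part of the original thread: it reads a notarisation log and reports which expected items have a cdhash in the ticket. The log key names (`status`, `ticketContents`, `path`, `arch`, `cdhash`) are assumed from the JSON log format, and the sample log, paths and cdhashes are constructed, so a real log remains the authority on what the server covered.

```python
import json

# Constructed sample, not real notary output. Key names (status, ticketContents,
# path, arch, cdhash) are assumed from the JSON log format; cdhashes are fake.
SAMPLE_LOG = json.dumps({
    "status": "Accepted",
    "ticketContents": [
        {"path": "Example.pkg", "cdhash": "00" * 20},
        {"path": "Example.pkg/Plugins/Pane.bundle/Contents/MacOS/Pane",
         "arch": "x86_64", "cdhash": "11" * 20},
        {"path": "Example.pkg/comp.pkg Contents/Payload/Example.app/Contents/MacOS/Example",
         "arch": "x86_64", "cdhash": "22" * 20},
        {"path": "Example.pkg/comp.pkg Contents/Payload/Example.app/Contents/MacOS/Example",
         "arch": "arm64", "cdhash": "33" * 20},
    ],
})

# Hypothetical list of items the builder expects the ticket to cover.
EXPECTED = [
    "Example.pkg/Plugins/Pane.bundle/Contents/MacOS/Pane",
    "Example.pkg/comp.pkg Contents/Payload/Example.app/Contents/MacOS/Example",
    "Example.pkg/comp.pkg Contents/Scripts/preinstall",
]

def classify(path):
    """Bucket a log path by the package directory it sits under."""
    parts = path.split("/")
    for name, label in (("Plugins", "plugin"), ("Scripts", "script"), ("Payload", "payload")):
        if name in parts:
            return label
    return "other"

def check_ticket(log_text, expected_paths):
    """Return ({category: sorted paths in ticket}, expected paths with no cdhash)."""
    log = json.loads(log_text)
    if log.get("status") != "Accepted":
        raise ValueError("submission not accepted: %r" % log.get("status"))
    in_ticket = {e["path"] for e in log.get("ticketContents") or [] if e.get("cdhash")}
    covered = {}
    for path in sorted(in_ticket):
        covered.setdefault(classify(path), []).append(path)
    return covered, sorted(p for p in expected_paths if p not in in_ticket)

if __name__ == "__main__":
    covered, missing = check_ticket(SAMPLE_LOG, EXPECTED)
    for category, paths in covered.items():
        print(category, *paths, sep="\n  ")
    print("not in ticket:", *missing, sep="\n  ")
```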