With the release of macOS 10.12.4, it appears that Apple has made a change to the OS installer that blocks the installation of third-party packages which have been added to the OS installer. In my testing, I’ve verified the following tools are affected:
Note: There may be others, this list is what I’ve tested.
In each case, the OS install process proceeds without issues until the OS installer tries to install the third party installer package. At that point, the installation process fails and displays the message shown below:
The package "Package Name Goes Here" is not signed. Quit the installer to restart your computer and try again.
The error message displayed is misleading however, as this message may also appear if the package has been signed with a Developer ID Installer certificate.
In testing done by myself and others, we have found that there is one circumstance where you can still add a third-party installer package:
- If you are building a NetInstall NetBoot set using System Image Utility
- If the package is signed with a Developer ID Installer certificate.
Otherwise, the only installer packages I’ve seen which install correctly are packages which have been signed by Apple itself.
For more details, see below the jump.
As mentioned previously, Apple’s System Image Utility is affected by this issue. To replicate the failure behavior, use the process shown below:
Pre-requisites:
- A Mac upgraded to macOS 10.12.4
- System Image Utility
- A macOS 10.12.4 installer
- A unsigned third-party installer package
For my third-party installer package, I used one created by First Boot Package Install Generator.app.
1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.
3. Select option to build a NetInstall Image
4. Select option to add an additional installer and add the unsigned third-party installer package.
5. Change no other options from their default settings.
6. Build the NetInstall set.
Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. In my testing, the OS install process has consistently failed when trying to install the unsigned third-party installer package. To show what this behavior looks like, please see the video below:
Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 21 minutes 18 seconds.
To replicate the successful install behavior, use the process shown below:
Pre-requisites
- A Mac upgraded to macOS 10.12.4
- System Image Utility
- A macOS 10.12.4 installer
- A third-party installer package which has been signed with a Developer ID Installer certificate.
For my third-party installer package, I used the same firstboot package created earlier and signed it using the productsign utility and my Developer ID Installer certificate.
/usr/bin/productsign --sign 'Developer ID Installer: Name Goes Here (FT45CST65F)' "/path/to/First Boot Package Install.pkg" "/path/to/other/place/First Boot Package Install.pkg"
1. Launch System Image Utility
2. Select the macOS 10.12.4 installer as the source.
3. Select option to build a NetInstall Image
4. Select option to add an additional installer and add the signed third-party installer package.
5. Change no other options from their defaults.
6. Build NetInstall set
Once the NetInstall set is built, boot a Mac or VM from the NetInstall set and run the OS installation process. This time, the installation process of the third party installer package should succeed. To show what this behavior looks like, please see the video below:
Note: The video has been edited to artificially reduce the amount of time the OS installation process takes to run. Run time of the pre-edited video was 20 minutes 9 seconds.
Workarounds
Since the new behavior is specific to the 10.12.4 installer, my recommendation at this point is to use the macOS 10.12.3 installer where needed. Once the OS is installed, update to later versions of macOS Sierra as a post-installation task.
