# fleet
j
Hey folks, quick question
```
--notarize                                      Whether to notarize macOS packages (default: false)
```
What's the use for this? I get those annoying messages when I try to install fleet agents on a mac, is this a fix for that?
p
You shouldn't need to notarize packages. It's mainly for software that you might have developed. Packages can be signed, but depends on how you're distributing them.
j
Right now we serve the package just from a download link for our users
It works fine, but they do get a notif that they have to go into settings and allow the software to run, was hoping to find a way to get around that
u
Yes, that is part of the setup for creating a signed and notarized package: https://fleetdm.com/guides/enroll-hosts#signing-fleetd
p
Then you'll want to just sign the package.
orbit itself is probably already signed and notarized.
u
Yes, the individual components are all signed. It's just the customized package that is not.
j
Gotcha, so just with this:
```
AC_USERNAME=appleid@example.com AC_PASSWORD=app-specific-password fleetctl package --type pkg --sign-identity=[PATH TO SIGN IDENTITY] --notarize --fleet-url=[YOUR FLEET URL] --enroll-secret=[YOUR ENROLLMENT SECRET]
```
We have an apple developer account we can probably get these from
p
I would skip the notarize part, that would only be needed if you modified the fleet components.
k
Thanks for clarifying @patgmac
p
@Jan Jedrasik you would have to use the Apple developer account for this. Make sure you grab the "installer" identity cert, not the app signing cert.
And you could sign your existing package with the `productsign` command, don't need to create a new one. But keep that in your back pocket for future packages you create.
t
Are you using orbit standalone or with fleet?
j
No, with fleet, it's just when I generate `.pkg`
So it'd be an installer distribution cert?
p
Yes
Install it into your keychain along with the private key. Then when you reference it in your commands, you'll use the full name of the cert (for mine it's `Developer ID Installer: The Home Depot, Inc (B45A84TY66)`)