<@U6EFFT5FG> Thinking about codesigning and notariz...
# core
@alessandrogario Thinking about codesigning and notarization…
💯 1
osx pkg files are `xar` format. Sometimes `tar` will read them, else `xar` will.
Much of what I know is encoded into https://github.com/kolide/launcher/blob/master/Makefile. That tool is kinda terrible (being make), but it’s easier to point at than the go code. Though I can find the go if we want to use that tooling.
My go code for this is a bit sprawling, but https://github.com/kolide/launcher/blob/master/pkg/packagekit/package_pkg.go is the core of the pkg generation. It runs:
1. `pkgbuild` to get a “flat package”
2. `productbuild` to get a “distribution package”
3. `xcrun altool` to submit it to notary (And the larger framework sets the notarization uuid as storage metadata which something else comes along to check later on)
All the rest of that code is error handling and setup and whatnot
If you want the gritty notarization code, it recently moved to a public repo: https://github.com/kolide/launcher/blob/master/pkg/packagekit/applenotarization/applenotarization.go. The only real callout is that `--output-format xml` makes it way easier to parse.