Publishing Software on Mac (2015)
Chapter 6: Validation package
OVERVIEW
Once we have the installer package built, we need to create a validation package. The validation package contains the validation app, a script to run it, the installer package, and an optional validationINI.txt file that contains the product code for this Package (for multiple product builds.)
This validation package will install the files we need, and as a post-installation task, execute validation.app. Validation app will verify that the name and email address match the registration code entered by the user. If so, it will contact the web server with that information along with the machine fingerprint (serial numbers). If the authorization is granted, the web server will respond affirmatively. With that affirmation, the validation app will create a file, Install.txt, to serve as an authorization flag to the Installer Package. Then it will finally call the executable Apple Installer.app to run our Installer package (that we built before) where all the files needed to run our Microsoft Word Add-in will be installed on the target Mac. As we noted earlier, after the install is complete, the Installer.pkg post-installation script will delete Installer.pkg and Install.txt to frustrate the wannabe hackers.
Creating the Validation
Open Packages, and open the Validation.pkgproj in Users/JoeDeveloper/Development/Packages.
Click on Project>Settings. Notice the settings on Exclusions & Format.
Now click on Presentation. Here we can see the text of dialogs the user will see as he progresses through the install. The first graphic below shows the Title. Enter the title you desire by double-clicking on the title dropdown. The second graphic is Introduction. Create a text file with your content. The third is the Read Me where you enter the text file with that content. You can also enter a EULA (End user license agreement).
You can enter other dialogs as needed. Most have defaults that are adequate.
You can now click on Requirements and resources. Note the check mark.
Next, click on Validation (under Packages). Note that password and overwrite are checked and others are not. We also install on startup disk, as this project is an add-on to MS Word that should exist on the startup disk.
Next, we click on Payload. Here we find a new folder under the Global Application Support folder named "JoeD". We then added 4 files to JoeD. First is Validation.app that does the validation we described earlier. Second is Validation.sh, a simple script to run the app:
#!/bin/bash
cd "/library/application support/JoeD"
open validation.app
Third, we also have the optional ValidationINI file that contains a product code. Finally, we have the InstallPackage.pkg that we built earlier. This will install our Microsoft Word Add-on application.
Now click on Scripts. Here the post-installation script executes the validation app.
If one were to build and run this package (assuming all the files were present), a two-phase installer package will result. The Validation phase would install the necessary files that verify the user has the proper credentials to install, and, upon approval, the second phase would install the necessary files for the project.
Other things might be added to enhance the security. For example, use SSL to send/receive the https stream. You could compress and password protect the Installer Package. Use AES encryption for the registration code. Do a monthly verify on application startup to see the package is still valid (Microsoft does this with Office 365.)
Packages has many other features that you can explore in the Users Guide. I would like to thank Stephane Sudre for developing this application and saving us all from Apple's PackageMaker.
I hope this book, along with the Packages User Guide, will help guide to package, sign, and protect your application.