@peasead
Last active April 29, 2021 22:44
Extracting code-signing certificates from .pkg files

Extract x509 Certificates from macOS .pkg files

Extract the package table of contents (TOC) as an XML file:

xar --dump-toc={header.xml} -f {file.pkg}

Narrow the TOC down to just the RSA signature elements:

/usr/bin/xmllint --xpath '//signature[@style="RSA"]' {header.xml} > {rsa.raw}

Open the {rsa.raw} file and manually remove the stray XML tags. Example of what surrounds the certificate data:

<?xml version="1.0" encoding="UTF-8"?>
<xar>
 <toc>
  <checksum style="sha1">
   <size>20</size>
   <offset>0</offset>
  </checksum>
  <creation-time>2020-12-14T20:50:03</creation-time>
  <signature style="RSA">
   <offset>20</offset>
   <size>256</size>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
     <X509Certificate>

Example:

MIIFoTCCBImgAwIBAgIIOX/snTX23xYwDQYJKoZIhvcNAQELBQAweTEtMCsGA1UEAwwkRGV2
ZWxvcGVyIElEIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSYwJAYDVQQLDB1BcHBsZSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw
...

Next, add -----BEGIN CERTIFICATE----- to the top of the file.

Example:

-----BEGIN CERTIFICATE-----
MIIFoTCCBImgAwIBAgIIOX/snTX23xYwDQYJKoZIhvcNAQELBQAweTEtMCsGA1UEAwwkRGV2
ZWxvcGVyIElEIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSYwJAYDVQQLDB1BcHBsZSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw
...

Continue to the bottom of the block and remove other XML tags, like </X509Certificate>.

Example:

...
i3Y7n1Jd6pj/o3l5AMJvsEelwxp5EbrEHnphhw3dGDeEmYoie5IK2tCOHWKDKMnacS81PJ+l
nSBfj1APTJpwjQCatkPRKkeJSTY5VcRe5jFfxr0BX9yXOEfevC5gbFZ598gTNs23Q1mCT911
j83ztaSjleuo3NfbbgXqeLi2rQCiHzpwhv7aHnIwSwugQK6TLM0YVnk=

Add -----END CERTIFICATE----- to the bottom of the block.

Example:

...
i3Y7n1Jd6pj/o3l5AMJvsEelwxp5EbrEHnphhw3dGDeEmYoie5IK2tCOHWKDKMnacS81PJ+l
nSBfj1APTJpwjQCatkPRKkeJSTY5VcRe5jFfxr0BX9yXOEfevC5gbFZ598gTNs23Q1mCT911
j83ztaSjleuo3NfbbgXqeLi2rQCiHzpwhv7aHnIwSwugQK6TLM0YVnk=
-----END CERTIFICATE-----

Repeat for each certificate block, then save the result as {file.x509.cert}.

Example:

-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIIGHqpqMKWIQwwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMx
EzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTEyMDIwMTIyMTIxNVoXDTI3MDIw
...
...
i3Y7n1Jd6pj/o3l5AMJvsEelwxp5EbrEHnphhw3dGDeEmYoie5IK2tCOHWKDKMnacS81PJ+l
nSBfj1APTJpwjQCatkPRKkeJSTY5VcRe5jFfxr0BX9yXOEfevC5gbFZ598gTNs23Q1mCT911
j83ztaSjleuo3NfbbgXqeLi2rQCiHzpwhv7aHnIwSwugQK6TLM0YVnk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIIGHqpqMKWIQwwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMx
EzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTEyMDIwMTIyMTIxNVoXDTI3MDIw
...
...
i3Y7n1Jd6pj/o3l5AMJvsEelwxp5EbrEHnphhw3dGDeEmYoie5IK2tCOHWKDKMnacS81PJ+l
nSBfj1APTJpwjQCatkPRKkeJSTY5VcRe5jFfxr0BX9yXOEfevC5gbFZ598gTNs23Q1mCT911
j83ztaSjleuo3NfbbgXqeLi2rQCiHzpwhv7aHnIwSwugQK6TLM0YVnk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIIGHqpqMKWIQwwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMx
EzARBgNVBAoTCkFwcGxlIEluYy4xJjAkBgNVBAsTHUFwcGxlIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MRYwFAYDVQQDEw1BcHBsZSBSb290IENBMB4XDTEyMDIwMTIyMTIxNVoXDTI3MDIw
...
...
i3Y7n1Jd6pj/o3l5AMJvsEelwxp5EbrEHnphhw3dGDeEmYoie5IK2tCOHWKDKMnacS81PJ+l
nSBfj1APTJpwjQCatkPRKkeJSTY5VcRe5jFfxr0BX9yXOEfevC5gbFZ598gTNs23Q1mCT911
j83ztaSjleuo3NfbbgXqeLi2rQCiHzpwhv7aHnIwSwugQK6TLM0YVnk=
-----END CERTIFICATE-----

Use OpenSSL to validate that the file is a valid x509 certificate.

openssl x509 -text <{file.x509.cert}

Example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4143290342163537686 (0x397fec9d35f6df16)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Developer ID Certification Authority, OU=Apple Certification Authority, O=Apple Inc., C=US
        Validity
            Not Before: Aug 25 19:56:37 2020 GMT
            Not After : Aug 26 19:56:37 2025 GMT
...
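The xmllint, manual tag-stripping and openssl steps above can be automated. The following script is an added example, not part of the original gist: it reads the TOC dumped by xar, pulls every X509Certificate out of the RSA signature block, checks that each one decodes to DER (a certificate always starts with a SEQUENCE tag, 0x30), and writes a standard PEM chain. SAMPLE_TOC is a constructed stand-in for a real TOC and its certificate body is a constructed 5-byte DER blob, not a real certificate.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET

# xar leaves <signature> un-namespaced, but <KeyInfo> declares the XML-DSig
# default namespace, so its children carry this prefix in ElementTree.
XMLDSIG_NS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample in the shape of `xar --dump-toc` output. The certificate
# body is NOT a real certificate: it is base64 of the minimal DER SEQUENCE
# 30 03 02 01 01, just enough to exercise the parser and the DER check.
SAMPLE_TOC = """<?xml version="1.0" encoding="UTF-8"?>
<xar>
 <toc>
  <checksum style="sha1"><size>20</size><offset>0</offset></checksum>
  <signature style="RSA">
   <offset>20</offset>
   <size>256</size>
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
     <X509Certificate>
MAMCAQE=
     </X509Certificate>
    </X509Data>
   </KeyInfo>
  </signature>
 </toc>
</xar>
"""

def extract_der_certs(toc_xml: str) -> list:
    """Return the DER bytes of every X509Certificate inside signature[@style="RSA"]."""
    certs = []
    for sig in ET.fromstring(toc_xml).iter("signature"):
        if sig.get("style") != "RSA":
            continue
        for node in sig.iter(XMLDSIG_NS + "X509Certificate"):
            b64 = re.sub(r"\s+", "", node.text or "")   # drop xar's line wrapping
            der = base64.b64decode(b64, validate=True)
            if not der or der[0] != 0x30:                 # DER Certificate ::= SEQUENCE
                raise ValueError("X509Certificate element is not DER-encoded")
            certs.append(der)
    return certs

def to_pem_chain(ders: list) -> str:
    """Wrap each DER blob as a 64-column PEM block, in TOC order (leaf first)."""
    blocks = []
    for der in ders:
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(blocks)

if __name__ == "__main__":
    # Usage: python3 toc2pem.py header.xml > file.x509.cert (no argument: sample)
    toc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOC
    sys.stdout.write(to_pem_chain(extract_der_certs(toc)))
```

Note that `openssl x509 -text` prints only the first PEM block in the file; to inspect every certificate in the chain, run `openssl crl2pkcs7 -nocrl -certfile {file.x509.cert} | openssl pkcs7 -print_certs -text -noout`.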

Add the validated x509 certificate to the System keychain as a trusted root (the -d flag puts it in the admin trust store, so the setting applies system-wide):

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain {file.x509.cert}

Finally, open Keychain Access and trust the x509 certificate.

  • Open Keychain Access
  • Find the certificate in System
  • Right-click and select View Info
  • Expand the Trust tree
  • Change to Always Trust

Install your .pkg.

installer -pkg {file.pkg} -target CurrentUserHomeDirectory -verboseR

Strip Certificates

Alternatively, you can strip the code-signing certificates by using the pkgutil utility.

Expand

Expand the .pkg file.

pkgutil --expand {file.pkg} {expand-dir}

Flatten

Flatten the expanded directory back into a .pkg (the result is unsigned, without the code-signing certificate).

pkgutil --flatten {expand-dir} {flattened.pkg}

Run as normal

Install your .pkg.

installer -pkg {flattened.pkg} -target CurrentUserHomeDirectory -verboseR

Props

Big thanks to @dcode for the help!
