Unable to upload Escrow Buddy to Hexnode MDM due to the package was not signed by Apple Developer #12

Open
jameshoangng opened this issue Jun 26, 2024 · 7 comments · May be fixed by #13

Comments

@jameshoangng

jameshoangng commented Jun 26, 2024

Hi Team, please assist us with the context below.
Summary

We wanted to deploy Escrow Buddy to our employees' macOS, but we are unable to upload the PKG package to the Hexnode MDM Enterprise App repository. Hexnode MDM reported back that the application has not been signed by an Apple Developer.

Can you please assist us with this?

I appreciate your response.

Regards,
James.
Steps to Reproduce
Please see the screenshots below from Hexnode. After uploading the PKG file to the Hexnode MDM Enterprise App page, the status showed as "failed", as it reported that the package is required to be signed by an Apple Developer.
image (3)
image

Expected Behavior

The PKG file is signed and successfully uploaded to Hexnode MDM Enterprise App

Environment

  • Escrow Buddy version: 1.0.0
  • macOS version: Sonoma 14.5
  • MDM version: Hexnode MDM 13.1.0

Additional Context
Reference link from Hexnode: https://www.hexnode.com/mobile-device-management/help/how-to-sign-macos-pkg-files-for-deployment-with-hexnode-mdm/

@homebysix
Collaborator

The Escrow Buddy pkg downloadable from GitHub is indeed signed.

% pkgutil --check-signature ~/Downloads/Escrow.Buddy-1.0.0.pkg 
Package "Escrow.Buddy-1.0.0.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-06-11 23:33:47 +0000
   Certificate Chain:
    1. Developer ID Installer: Mac Admins Open Source (T4SK8ZXCXG)
       Expires: 2028-02-09 02:34:05 +0000
       SHA256 Fingerprint:
           B1 06 B6 26 DA 3B A8 48 34 F3 DF D2 CC 5E AC 03 91 31 05 3F A9 A2 
           B7 BA 2A 5E 33 3C 3B 05 53 7A
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2031-09-17 00:00:00 +0000
       SHA256 Fingerprint:
           F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F 
           D1 44 71 5F 35 06 43 D2 DF 3A
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

If that's the same pkg you're uploading, you may want to open a support request with Hexnode about why they don't detect its signing status.

@homebysix closed this as not planned Jun 28, 2024
@jameshoangng
Author

Hi Elliot,

I just received Hexnode's response, shown below. Would it be possible for you to support us on this, please?
image

Regards,
James.

@homebysix
Collaborator

I think what the support person meant to say is that the package must be a "distribution" style package in order to be sent via MDM, if the MDM is using the InstallApplication command to do so.

You can find a great resource about distribution packages in this post, which includes the steps you'll need to do to convert the existing component package to a distribution format. Hexnode provides similar instructions here. Basically, it's:

productbuild --sign "Developer ID Installer: PretendCo (ABCDE12345)" --package Escrow.Buddy-1.0.0.pkg Escrow.Buddy.Dist-1.0.0.pkg

You'll need a developer ID signing certificate from Apple to do this — either via a regular Developer account or via an Apple Enterprise Developer Program account. If you have neither, let me know and I may be able to help.

I would also suggest giving feedback to Hexnode that their error message is misleading. The problem wasn't that the package wasn't signed, it's that the package was not the distribution type package that Hexnode expected. They should be able to detect this condition and provide a link to their above support article in the resulting error message.
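The component-versus-distribution distinction described in the comment above can be checked before a package is uploaded to an MDM. The following is an added example, not code from the Escrow Buddy project or from this thread: it reads the xar table of contents of a flat package and reports whether a top-level `Distribution` file (distribution style) or a top-level `PackageInfo` (component style) is present. The function names and the two sample archives are constructed for illustration.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

XAR_MAGIC = 0x78617221      # b"xar!", the container format of flat .pkg files
HEADER = ">IHHQQI"          # magic, header size, version, TOC clen, TOC ulen, cksum alg
MAX_TOC = 16 * 1024 * 1024  # cap decompressed TOC size for untrusted input

def read_toc(blob: bytes) -> ET.Element:
    """Parse the 28-byte xar header and return the decompressed TOC as XML."""
    if len(blob) < 28:
        raise ValueError("too short for a xar header")
    magic, hdr_size, _ver, clen, ulen, _alg = struct.unpack(HEADER, blob[:28])
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive")
    inflater = zlib.decompressobj()
    toc = inflater.decompress(blob[hdr_size:hdr_size + clen], MAX_TOC)
    if inflater.unconsumed_tail or len(toc) != ulen:
        raise ValueError("TOC size does not match header")
    return ET.fromstring(toc)

def classify_pkg(blob: bytes) -> dict:
    """Report package style and whether the TOC carries a signature element."""
    toc = read_toc(blob).find("toc")
    # Only direct children of <toc> are top-level entries; a component's
    # PackageInfo nested inside a distribution package is not counted.
    top = {f.findtext("name") for f in toc.findall("file")}
    if "Distribution" in top:
        style = "distribution"
    elif "PackageInfo" in top:
        style = "component"
    else:
        style = "unknown"
    # Presence only: this does not validate the signature or certificate chain.
    return {"style": style, "has_signature": toc.find("signature") is not None}

def build_sample(files_xml: str, signed: bool = True) -> bytes:
    """Constructed input: a xar header plus TOC only, with no payload heap."""
    sig = '<signature style="RSA"><offset>20</offset><size>256</size></signature>'
    toc = (f'<?xml version="1.0" encoding="UTF-8"?><xar><toc>'
           f'{sig if signed else ""}{files_xml}</toc></xar>').encode()
    comp = zlib.compress(toc)
    return struct.pack(HEADER, XAR_MAGIC, 28, 1, len(comp), len(toc), 1) + comp

# Constructed samples mirroring the two package styles discussed in the thread.
COMPONENT = build_sample('<file id="1"><name>PackageInfo</name></file>'
                         '<file id="2"><name>Bom</name></file>'
                         '<file id="3"><name>Payload</name></file>')
DISTRIBUTION = build_sample('<file id="1"><name>Distribution</name></file>'
                            '<file id="2"><name>inner.pkg</name><type>directory</type>'
                            '<file id="3"><name>PackageInfo</name></file></file>')
```

For a real file, pass its bytes to `classify_pkg`; signature validity itself is still established with `pkgutil --check-signature` as shown earlier in the thread.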

@homebysix reopened this Jul 2, 2024
@jameshoangng
Author

Hi Elliot,

Thanks for your prompt response and detailed explanation. Unfortunately, I currently don't have any Apple Developer accounts to execute the above command. I would need a little help from you on this. I would appreciate it if you could upload it back to the repo.

Also, I will give feedback to the Hexnode team on fixing the error message and providing a support link on this issue.

Thank you,
James.

@homebysix
Collaborator

Hi @jameshoangng - Could you try uploading the attached pkg (after unzipping it) to Hexnode and let me know whether that works? If so, I believe we'll have a permanent solution when #13 merges.

@homebysix
Collaborator

Hi @jameshoangng — Have you had a chance to try the package linked above?

@jameshoangng
Author

Hi @homebysix, apologies for the late response. It works like magic. I am able to escrow the FileVault recovery key as needed. Thank you so much for your support.
