Verify a macOS puppet-agent package

puppet-agent packages for macOS are signed with a developer ID and certificate. You can verify the package signature using the pkgutil tool or the installer.

Use one of these methods to verify the package signature:
  • Download and mount the puppet-agent disk image, and then use the pkgutil tool to check the package's signature:
    pkgutil --check-signature /Volumes/puppet-agent-<AGENT-VERSION>-1.osx10.10/puppet-agent-<AGENT-VERSION>-1-installer.pkg
    The tool confirms the signature and outputs fingerprints for each certificate in the chain:
    Package "puppet-agent-<AGENT-VERSION>-1-installer.pkg":
       Status: signed by a certificate trusted by macOS
       Certificate Chain:
        1. Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)
           SHA1 fingerprint: AF 91 BF B7 7E CF 87 9F A8 0A 06 C3 03 5A B4 C7 11 34 0A 6F
           -----------------------------------------------------------------------------
        2. Developer ID Certification Authority
           SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
           -----------------------------------------------------------------------------
        3. Apple Root CA
           SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
  • When you install the package, click the lock icon in the top right corner of the installer.

    The installer displays details about the package's certificate.
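
To run the pkgutil check from a script rather than reading the output by eye, this added example (not Puppet's own code) parses the pkgutil output and compares the leaf certificate with the signer name and SHA1 fingerprint from the sample output above. The function and variable names are illustrative, and the expected values are assumed from this page's sample output.

```shell
# Added example. Expected leaf-certificate values are copied from the sample
# output on this page; confirm them with a trusted source before enforcing.
EXPECTED_SIGNER='Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)'
EXPECTED_SHA1='AF 91 BF B7 7E CF 87 9F A8 0A 06 C3 03 5A B4 C7 11 34 0A 6F'

# Reads `pkgutil --check-signature` output on stdin. Succeeds only if the
# status line reports a trusted signature AND certificate 1 (the leaf) has
# the expected name and SHA1 fingerprint.
verify_pkgutil_output() {
    awk -v signer="$EXPECTED_SIGNER" -v sha1="$EXPECTED_SHA1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        # Status wording as shown on this page; other macOS releases may differ.
        /Status: signed by a certificate trusted by macOS/ { trusted = 1 }
        /^[ \t]*1\. / {                       # leaf certificate entry
            leaf_name = trim($0); sub(/^1\.[ \t]+/, "", leaf_name)
            in_leaf = 1; next
        }
        /^[ \t]*[0-9]+\. / { in_leaf = 0 }    # any later certificate in the chain
        in_leaf && /SHA1 fingerprint:/ {
            leaf_sha1 = $0; sub(/^.*SHA1 fingerprint:[ \t]*/, "", leaf_sha1)
            leaf_sha1 = trim(leaf_sha1)
        }
        END {
            if (!trusted)            { print "FAIL: status is not trusted"; exit 1 }
            if (leaf_name != signer) { print "FAIL: unexpected signer: " leaf_name; exit 1 }
            if (leaf_sha1 != sha1)   { print "FAIL: unexpected fingerprint: " leaf_sha1; exit 1 }
            print "OK: " leaf_name
        }'
}

# Constructed sample input, copied from the output shown on this page.
sample_output() {
    cat <<'EOF'
Package "puppet-agent-<AGENT-VERSION>-1-installer.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)
       SHA1 fingerprint: AF 91 BF B7 7E CF 87 9F A8 0A 06 C3 03 5A B4 C7 11 34 0A 6F
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
EOF
}

# With a package path, check the real package; with no argument, use the sample.
if [ "$#" -gt 0 ]; then
    pkgutil --check-signature "$1" | verify_pkgutil_output
else
    sample_output | verify_pkgutil_output
fi
```

Checking the signer name and fingerprint as well as the status line matters because the status alone only says that some trusted Developer ID signed the package, not that it was this one.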
