Converting DMG files to PKG files for Enterprise Distribution

Scalefusion offers support to distribute Apple VPP apps and PKG (product archive packages) natively using the Dashboard. Most Enterprise apps use either of the above mechanisms for distribution in an enterprise scenario, however there might be certain cases where the developer has made the installer available in the form of a DMG (Disk Image File).

In such cases where only a DMG file is available, IT Admins can convert the DMG file to a PKG file and Sign in on it using their Apple Developer certificate and then deploy it via Scalefusion Dashboard.

Most Enterprise applications do offer a PKG installer for macOS devices, so it may be worthwhile to contact the developer to get an official version of their app. This document is a general guideline in the absence of PKG distribution file.


  1. Access to a macOS device where you can convert and sign the PKG file.
  2. DMG File that needs to be converted
  3. Apple Developer account

Step 1: Install or Extract the DMG file

  1. The first step is to double click on the DMG file and extract the *.App to Applications folder. This would install the application on your device.
  2. This would install the application and copy the app to Applications. Open Applications to get the path to the installed application. Select the app and press CMD + C to copy the path to clipboard

Step 2: Convert the App to PKG file

  1. Open a Terminal window and execute the following command, where is the name of the app (you can use CMD + V if you have copied the path as per Step 1) and the OUTPUT_FOLDER and CONVERTED_APP are the output folder and name for the converted app respectively.
    sudo productbuild --component /Application/ /OUTPUT_FOLDER/CONVERTED_APP.pkg

    sudo productbuild --component /Applications/ ~/Desktop/Wordpress.pkg
  2. Executing the command will ask you the password for your macOS device and once provided the PKG file will be generated in the output folder provided above.

Step 3: Signing a PKG File

macOS does not allow for applications from unidentified developers to be installed. Hence a PKG file would have to be signed with a developer certificate to provide an identity. Follow the steps below to sign a PKG file.

Step 3.1: Creating a Certificate Signing Request
  1. Navigate to /Applications/Utilities and launch Keychain Access.
  2. Go to Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority
  3. This opens the Certificate Assistant dialog box. Enter the following Certificate Information,
    1. User Email Address: Enter an email address
    2. Common Name: Enter a name for the key (for example, John Doe)
    3. CA Email Address: Leave this field empty
    4. Request Is: Choose Saved to disk
  4. Click Continue after entering above details.
  1. Select the path where you want the CSR(Certificate Signing Request) to be saved and save it. The Certificate Signing Request file gets created. This file would be required in Step 3.2. For more information on this, click here
Step 3.2: Generate a Installer Certificate
  1. Sign In to Apple Developer Portal.
  2. Navigate to Certificates, Identifiers & Profiles and click on the + symbol to create a new certificate
  3. Select Developer ID Application as you would need to distribute the app outside of App Store and click Continue
    If this is your enterprise app and you are uploading it to Apple App Store then you can upload your Enterprise certificate for signing.
  4. In the next step, upload the CSR that you generated in Step 3.1 and click Continue
  5. Click Download to download the *.cer file and double click on it to install it in your Keychain
If you intend to use this certificate to Sign your in-house applications, please Notarize your software using the Learn how to submit your software for notrization link.
Step 3.3: Signing the PKG file

Once you have generated the certificate and installed it in your keychain, follow the steps below to sign the package generated at Step 2 or any pkg file.

  1. Open a Terminal window and use the productSign command to sign the package file by substituting the following,
    1. DEVELOPER ID INSTALLER: Apple Account Name (TEAM_ID): The name of your certificate as shown in KeyChain.
    2. FOLDER: Refers to the the folder where the unsigned app is copied/stored on disk.
    3. UNSIGNED_APP.pkg: The name of the the unsigned app/pkg file
    4. OUTPUT_FOLDER: The name of the output folder
    5. SIGNED_APP.pkg: Refers to the final signed version of the app
      productsign -sign "Developer ID Installer: Apple Account Name (TEAM_ID)" ~/FOLDER/UNSIGNED_APP.pkg ~/OUTPUT_FOLDER/SIGNED_APP.pkg
Extra Tip: Generating and Signing an Installed Application

If you want to generate a PKG file for an application installed on your macOS machine then follow the steps below,

  1. Copy the path of the installed application. Open the Applications folder, select the app and press CMD + C
  2. Open a Terminal window and run the pkgbuild command by substituting the values,
    sudo pkgbuild --component COPIED_PATH_TO_INSTALLED_APP --install-location /Applications --sign "Developer ID Installer: Apple Account Name (TEAM_ID)" ~/OUTPUT_FOLDER/SIGNED_APP.pkg
    1. COPIED_PATH_TO_INSTALLED_APP: The Application path copied in the first step.
    2. DEVELOPER ID INSTALLER: Apple Account Name (TEAM_ID): The name of your certificate as shown in KeyChain.
    3. OUTPUT_FOLDER: Name of the folder where the generated PKG will be stored
    4. SIGNED_APP.PKG: The generated signed PKG file.

Once you have generated the signed PKG file, please navigate to Installing Enterprise Apps/PKG Files on macOS devices to remotely push the app to all your managed macOS devices. Feel free to reach out to [email protected] in case you need further help.

How did we do?

Powered by HelpDocs (opens in a new tab)