bakepkg

🚀

Simple

Build a signed, notarized .pkg from a single JSON config file.

⚙️

Auto-scripting

Generates postinstall, uninstall.sh, and upgrade scripts automatically.

🛤️

PATH Integration

Writes /etc/paths.d and /etc/manpaths.d entries so binaries are immediately discoverable.

🔐

Integrated Signing

Automatically signs binaries and the final installer with your Developer ID certificate.

🍎

Modern Notarization

Directly integrates with Apple's Notary API — no more xcrun altool.

🖥️

Distribution UI

First-class support for Welcome screens, READMEs, Licenses, and Dark Mode backgrounds.

👤

Single-User Mode

Generate distribution packages with per-user installation domain choices.

🧹

Quarantine Stripping

Strips com.apple.quarantine attributes to prevent Gatekeeper false positives.

🔬

Simulation Mode

Dry-run mode prints all commands without touching the system — perfect for CI debugging.

Options

Flag	Description	Default
`-config`	Path to JSON configuration file	`bakepkg.json`
`-verbose`	Enable verbose output	`false`
`-debug`	Enable debug output	`false`
`-version`, `-V`	Print version information and exit
`-help`, `-h`	Display the help message and exit

Configuration Reference

// bakepkg.json
{
  "id":               "com.example.mytool",
  "name":             "MyTool",
  "version":          "1.2.0",
  "output":           "MyTool-1.2.0.pkg",
  "symlink_binaries": true,

  "files": {
    "bin":            ["./build/mytool"],
    "share/man/man1": ["./docs/mytool.1"],
    "etc":            ["./config/defaults.yaml"]
  },

  "signing": {
    "identity": "Developer ID Installer: Your Name (XYZ)",
    "notarize": true
  }
}

Field	Type	Default	Description
`id`	`string`	required	Reverse-DNS package identifier, e.g. `com.example.tool`.
`name`	`string`	required	Application name. Used as the install prefix component and in `paths.d`.
`version`	`string`	`"1.0.0"`	Package version string.
`output`	`string`	`"out.pkg"`	Output `.pkg` filename.
`single_user`	`boolean`	`false`	Produce a distribution package with per-user installation domain choices.
`symlink_binaries`	`boolean`	`false`	Create symlinks in `/usr/local/bin/` for each detected binary.
`files`	`object`		Map of `dest_subdir → [source_paths]`. Installed under `/Library/<Name>/<Version>/`.
`distribution.*`	`object`		UI assets for the installer wizard: `readme`, `license`, `welcome`, `background`, `background_dark`.
`signing.identity`	`string`		Developer ID Installer certificate name or hash.
`signing.notarize`	`boolean`	`false`	Submit the package to Apple's Notary API after signing.
`signing.issuer_id`	`string`		App Store Connect API issuer ID. Env: `MACOSNOTARYLIB_ISSUER_ID`.
`signing.key_id`	`string`		App Store Connect API key ID. Env: `MACOSNOTARYLIB_KID`.
`signing.private_key_b64`	`string`		Base64-encoded private key. Env: `MACOSNOTARYLIB_PRIVATE_KEY`.

Build Pipeline

Validate & Stage

Validate config, create a temp staging directory, copy all files into it.

Quarantine Strip

Remove com.apple.quarantine extended attributes from all staged files.

Generate Scripts

Auto-generate postinstall, preupgrade, postupgrade, and uninstall.sh from the file map.

Codesign Binaries

Sign all executables in the staging directory with your Developer ID Application certificate.

pkgbuild

Assemble the staged payload and scripts into a flat .pkg component.

productbuild

Wrap into a distribution package when UI assets or single_user mode is enabled. Injects <domains> for per-user installs.

productsign

Sign the final package with your Developer ID Installer certificate.

Notarize & Staple

Submit to Apple's Notary API and staple the resulting ticket to the package.