The signing certificate for the popular MacAdmins tool Nudge was changed tonight and action may be needed on your part.
Nudge version 1.1.11 was released but contains no code changes, only those related to the build process and the signing certificate.
This will require a configuration profile update if you are managing the login item for Nudge in the com.apple.servicemanagement
payload.
Read on for the details.
Signing Certificate
Nudge is hosted in the macadmins GitHub Organization and had previously been signed with the associated certificate: Clever DevOps Co. (9GQZ7KUFR6)
Developer Erik Gomez shared on the MacAdmins Slack that the Clever DevOps Co. certificate is now deprecated.
All releases going forward will be signed with the new certificate: Mac Admins Open Source (T4SK8ZXCXG)
macadmins python is next in line to transition to the Mac Admins Open Source certificate and Erik said that another large tool may follow as time allows.
Managed Login Items
This change in certificate will have no effect on existing installations or operations of Nudge. However, if you are managing Login Items in macOS Ventura you will need to take action before deploying Nudge 1.1.11.
If managing Login Items is new to you, there are several blog posts by other MacAdmins that cover the com.apple.servicemanagement
payload, so I won’t rehash the details here. But doing so is advised to keep users from more easily disabling the LaunchAgent that is critical to Nudge’s operation.
- Login and Background Item Management in macOS Ventura 13 by Nate Felton
- Manage and enforce custom Login and Background items in macOS Ventura by Matthew Warren
- Managing “Login Items” for macOS Ventura by Robert Hammen
If you are currently, or want to start, managing the login item for Nudge you will need to add the TeamIdentifier of the new Mac Admins Open Source certificate to your configuration profile.
My advice is to add a completely new rule to your profile, as opposed to just updating the existing one, so that the login item will be managed for both the old and new versions of Nudge during this transition. After your entire fleet has updated to Nudge 1.1.11 or newer the old Clever DevOps Co. TeamID can be removed.
The rule that needs to be included in your configuration profile for this change is:
<dict> <key>RuleType</key> <string>TeamIdentifier</string> <key>RuleValue</key> <string>T4SK8ZXCXG</string> <key>Comment</key> <string>Mac Admins Open Source</string> </dict>
My example configuration profile on GitHub has been updated with the new TeamID.
If you have any questions or need assistance please join us in the #nudge channel on the MacAdmins Slack.
EDIT 2/9/22: Today we got the full story about this certificate change, Announcing Mac Admins Open Source (MAOS).
Pingback: Nudge and Installomator – TeamID Update and valuesfromarguments Example – The BigMacAdmin Blog
Pingback: Weekly News Summary for Admins — 2023-02-10 – Scripting OS X