tunnelblick icon Tunnelblick free software for OpenVPN on macOS We need translators for several languages…
Home Downloads Support Documents Issues Source Contribute Contact

Highlighted Articles
  News
  Installing Tunnelblick
  Uninstalling Tunnelblick
  Setting up Configurations
  Using Tunnelblick
  Getting VPN Service
  Common Problems
  Configuring OpenVPN
  Release Notes
  Thanks
  FAQ

Discussion Group
  Read Before You Post

Automatically Install Configurations and Forced Preferences

Tunnelblick can install Tunnelblick VPN configurations and forced preferences (preferences that cannot be modified by a standard user) at the same time that Tunnelblick itself is installed, using the same computer administrator authorization. This will happen when the configurations and/or preferences are located in a folder named "auto-install" or ".auto-install" in the same location as the Tunnelblick application that is being installed.

This will only happen if the Tunnelblick.app and "auto-install" or ".auto-install" folder are in a signed, notarized disk image. To create such a disk image:

  1. Create a folder with a signed copy of Tunnelblick;
  2. Add a subfolder named "auto-install" or ".auto-install" that contains zero or more Tunnelblick VPN configurations;
  3. If desired, add a file named "forced-preferences.plist" containing the preferences to the subfolder;
  4. Create a disk image file (.dmg) from the folder;
  5. Sign the disk image file;
  6. Notarize the disk image file; and
  7. Distribute the signed disk image file.

The "forced-preferences.plist" file in step 3 must be a macOS property list file.

To help you do steps 4 - 6, here is a pseudocode script that performs steps 3-5. It omits important error checking and output parsing, so you should do the commands interactively, adjusting as needed to the output of the commands.

# Pseudocode script to create, sign, and notarize a disk image file from a folder
#
# For more information, see https://developer.apple.com/developer-id.
#
# What you need:
#
# * Apple Developer account
# * Apple signing identity stored in your keychain
# * Apple ID (usually looks like an email address)
# * app password for that Apple ID, for notarization.
#     Create it on the Apple Developer site and
#     store it in your Keychain under the name "altool_password".
#
# * macOS Mojave or higher
# * Xcode 10.3 or higher
# * Xcode tools installed
#
# A folder with a copy of the Tunnelblick application and an
# "auto-install" folder of configurations
#
#
# These are the "variables" that will be used in the pseudocode below:
#
# FOLDER_PATH="path to the folder from which the .dmg is to be created.
#              This will be the name of the disk image and the volume"
# DMG_PATH="path to the .dmg to be created, signed and notarized;
#              this should end in '.dmg'"
# NOTARIZATION_USERNAME="Apple ID username (usually an email address)"
# NOTARIZATION_PASSWORD="altool_password, or whatever other name you used"
# SIGNING_IDENTITY="signing identity; whatever name it has
#              in your Keychain"



#####
# 1 #
#####
# Create a .dmg from the folder
rm -f "$DMG_PATH"
hdiutil create -noscrub -srcfolder "$FOLDER_PATH" "DMG_PATH"

#####
# 2 #
#####
# Sign the .dmg
codesign --verbose              \
         --timestamp            \
         --options runtime      \
         --deep                 \
         -s "$SIGNING_IDENTITY" \
         "$DMG_PATH"



#####
# 3 #
#####
# Upload the .dmg for notarization
xcrun altool --notarize-app                                 \
             --primary-bundle-id "$bundle_id"               \
             --username          "$NOTARIZATION_USERNAME"   \
             --password          "$NOTARIZATION_PASSWORD"   \
             --file              "$DMG_PATH"



#####
# 4 #
#####
# Wait for the upload to complete, examine the output
# for the UUID, which should appear as "RequestUUID"
UUID="UUID-from-the-upload-output"



#####
# 5 #
#####
# (OPTIONAL) Get information about the notarization
xcrun altool --notarization-info "$UUID"                    \
             --username          "$NOTARIZATION_USERNAME"   \
             --password          "@keychain:$NOTARIZATION_PASSWORD"

#####
# 6 #
#####
# Wait until the notarization is successful,
# then staple the notarization to the .dmg.
# (You'll be notified by an email from Apple
# when the notarization is finished.)
xcrun stapler staple -v "$DMG_PATH"
  Deutsch     Français     中文(简体)     Русский     Español     日本語     …