I am signing my package during distribution using
SIGN_IDENTITY_INSTALLER="Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)"
productbuild --distribution final-distribution.xml --package-path /tmp/installer-temp/package.pkg --resources resources --sign "$SIGN_IDENTITY_INSTALLER" "Package.pkg"
And this outputs what it's supposed to
productbuild: Signing product with identity "Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)" from keychain /Users/michael/Library/Keychains/login.keychain
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to Product.pkg
But when I go to verify the signature nothing is there.
codesign -dv --verbose=4 Product.pkg
Product.pkg: code object is not signed at all <----WHAT?
Am I supposed to be signing with the Developer ID Application and not the Developer ID Installer?
All certificates exist in keychain and work just fine.
Best Answer
Use spctl, not codesign
The codesign tool does not work with package files, .pkg. Use the spctl tool instead:
Alternatively, Installer.app
You can also check the package certificate using Installer.app:
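A scripted form of this check for a build pipeline, added here as an example and not part of the original answer: it reads the signature embedded in the package with `pkgutil --check-signature`, confirms the expected signing identity appears in the certificate chain, and then runs the Gatekeeper installer assessment with `spctl -a -t install`. The function name `verify_pkg` and the identity string in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify a flat installer
# package after productbuild --sign. Requires macOS pkgutil and spctl.
#
# Usage (identity string is a placeholder):
#   verify_pkg Product.pkg "Developer ID Installer: Example, LLC (TEAMID1234)"
#
# Return codes:
#   0  signed by the expected identity and accepted by Gatekeeper
#   1  no valid signature on the package
#   2  signed, but the expected identity is not in the certificate chain
#   3  signed, but rejected by the Gatekeeper install assessment
verify_pkg() {
    pkg=$1
    expected=$2

    # pkgutil inspects the signature stored in the package archive itself,
    # which codesign does not look at. It exits non-zero when the package
    # carries no signature.
    if ! sig=$(pkgutil --check-signature "$pkg" 2>&1); then
        printf '%s\n' "$sig" >&2
        return 1
    fi

    # The signing certificate's name is listed in the certificate chain.
    # -F treats the identity (which contains parentheses) as a fixed string.
    if ! printf '%s\n' "$sig" | grep -qF -- "$expected"; then
        printf '%s: signed, but not by "%s"\n' "$pkg" "$expected" >&2
        return 2
    fi

    # Gatekeeper assessment under the installer policy; -vv prints the
    # accepted/rejected verdict and the origin certificate.
    if ! spctl -a -vv -t install "$pkg"; then
        return 3
    fi

    return 0
}
```

Calling it right after `productbuild` and failing the build on any non-zero return catches an unsigned or wrongly signed package before it is distributed.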