MacOS – Signed pkg using productbuild --distribute but codesign says “code object is not signed at all”

certificate, code-signing, install, macos, pkg

I am signing my package during distribution using

SIGN_IDENTITY_INSTALLER="Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)"

productbuild --distribution final-distribution.xml --package-path /tmp/installer-temp/package.pkg --resources resources --sign "$SIGN_IDENTITY_INSTALLER" "Package.pkg"

And this outputs what it's supposed to

productbuild: Signing product with identity "Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)" from keychain /Users/michael/Library/Keychains/login.keychain
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to Product.pkg

But when I go to verify the signature nothing is there.

codesign -dv --verbose=4 Product.pkg 
Product.pkg: code object is not signed at all <----WHAT?

Am I supposed to be signing with the Developer ID Application and not the Developer ID Installer?

All certificates exist in keychain and work just fine.

Edit 1
See the certificates in the Apple Developer Portal.

Best Answer

Use spctl, not codesign

The codesign tool does not work with package files, .pkg.

Use the spctl tool instead:

/usr/sbin/spctl --assess --ignore-cache --verbose --type install <pkg-path>

Alternatively, Installer.app

You can also check the package certificate using Installer.app:

  1. Open the package in macOS's Installer.app;
  2. Click the padlock in the top-right of the installer window.

[Image: Installer certificate in macOS]
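A build-script wrapper around the spctl command from the answer, as an added example that is not part of the original answer: it separates a package that was assessed and rejected (spctl exit status 3) from a failure of the tool itself. The function name `assess_pkg` and the `SPCTL` override variable are assumptions made for this example.

```bash
#!/bin/sh
# Added example: gate a build on the Gatekeeper assessment of a signed .pkg.
# SPCTL is a hypothetical override so the function can be exercised with a
# stand-in binary; by default the real /usr/sbin/spctl is used.
#
# Usage: assess_pkg Product.pkg
# Prints "accepted", "rejected" or "error" on stdout; returns 0, 3 or 1.
assess_pkg() {
    local pkg="$1" out rc
    local spctl="${SPCTL:-/usr/sbin/spctl}"

    if [ ! -f "$pkg" ]; then
        echo "error"
        echo "assess_pkg: no such file: $pkg" >&2
        return 1
    fi

    # Same invocation as in the answer. spctl writes its report to stderr,
    # so merge it into the captured output. The "|| rc=$?" form keeps the
    # function usable from scripts running under "set -e".
    rc=0
    out=$("$spctl" --assess --ignore-cache --verbose --type install "$pkg" 2>&1) || rc=$?

    # Keep the tool's own report in the build log.
    printf '%s\n' "$out" >&2

    case $rc in
        0) echo "accepted"; return 0 ;;  # policy allows installation
        3) echo "rejected"; return 3 ;;  # assessed and denied, e.g. no usable signature
        *) echo "error";    return 1 ;;  # bad arguments or the operation itself failed
    esac
}
```
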