• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: How do you codesign a Packages .pkg?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How do you codesign a Packages .pkg?

  • Subject: Re: How do you codesign a Packages .pkg?
  • From: Stephen Kay <email@hidden>
  • Date: Sun, 02 Apr 2017 16:41:15 -0700
  • Thread-topic: How do you codesign a Packages .pkg?
I'm using Packages 1.1.3 - A short while ago I asked about code-signing a
package, and was referred to using the command line with 'productsign'.

Another user here emailed me and said that in Packages, I could "set the
certificate" under the Project menu, and then it would automatically sign
the package. So I did that, installed my Installer Certificate, and it
certainly appears to work.

Whether I sign it with the Packages certificate, or I sign it manually
using productsign, using 'pkgutil --check-signature' displays the exact
same information: "signed by a certificate trusted by Mac OS X" and the
exact same fingerprints for all 3 certificates.  So seemingly there is no
difference between these two methods.

I've also tested downloading and installing the auto-code-signed package
from the internet onto a virgin VM, on 10.10, 10.11 and 10.12 and it
certainly doesn't alert GateKeeper. So it seems to work just fine.

Yet I see in the Packages documentation:


"While Packages can see and use the Developer ID certificate, at the time
 of this writing, it does not produce a signed package or distribution
that is seen as valid by Gatekeeper - a required intermediate
certificate is missing -"

"To work around this:
* Do not sign the packages and distributions with the corresponding
Packages feature.
* Use the productsign
<https://developer.apple.com/legacy/library/documentation/Darwin/Reference/
ManPages/man1/productsign.1.html> (1) tool that is installed with the
Xcode tools (version 3.2.6 or later)."

Since both of these methods seem to produce the same results with
'pkgutil', is the above information outdated and it's OK to use the
auto-code-signing of the package by Packages?


Thanks,
- Stephen


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: How do you codesign a Packages .pkg?
      • From: Stephane Sudre <email@hidden>
  • Prev by Date: Packages: limit installation to startup disk
  • Next by Date: Re: Packages: limit installation to startup disk
  • Previous by thread: Re: Packages: limit installation to startup disk
  • Next by thread: Re: How do you codesign a Packages .pkg?
  • Index(es):
    • Date
    • Thread