Re: How do you codesign a Packages .pkg?
- Subject: Re: How do you codesign a Packages .pkg?
- From: Stephane Sudre <email@hidden>
- Date: Mon, 03 Apr 2017 12:11:42 +0200
Personally, I would not recommend using it (and also I'm not using it):
- the signing procedure (during the build) fails on macOS Sierra
because it's based on deprecated, obsolete and now broken APIs.
- the signing procedure does take care of including the intermediate
certificates. This means it works on most OS releases as the
certificates have been included into the standard OS distributions for
a while but there are still some old (think 10.5) OS versions that do
not have some of them. And in this case, it can cause an issue.
These 2 issues have been fixed in the next 1.2 version (and I'm not
using productsign anymore to sign the development builds).
So, please use productsign as recommended.
On Mon, Apr 3, 2017 at 1:41 AM, Stephen Kay <email@hidden> wrote:
> I'm using Packages 1.1.3 - A short while ago I asked about code-signing a
> package, and was referred to using the command line with 'productsign'.
>
> Another user here emailed me and said that in Packages, I could "set the
> certificate" under the Project menu, and then it would automatically sign
> the package. So I did that, installed my Installer Certificate, and it
> certainly appears to work.
>
> Whether I sign it with the Packages certificate, or I sign it manually
> using productsign, using 'pkgutil --check-signature' displays the exact
> same information: "signed by a certificate trusted by Mac OS X" and the
> exact same fingerprints for all 3 certificates. So seemingly there is no
> difference between these two methods.
>
> I've also tested downloading and installing the auto-code-signed package
> from the internet onto a virgin VM, on 10.10, 10.11 and 10.12 and it
> certainly doesn't alert GateKeeper. So it seems to work just fine.
>
> Yet I see in the Packages documentation:
>
>
> "While Packages can see and use the Developer ID certificate, at the time
> of this writing, it does not produce a signed package or distribution
> that is seen as valid by Gatekeeper - a required intermediate
> certificate is missing -"
>
> "To work around this:
> * Do not sign the packages and distributions with the corresponding
> Packages feature.
> * Use the productsign
> <https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/productsign.1.html>
> (1) tool that is installed with the Xcode tools (version 3.2.6 or later)."
>
> Since both of these methods seem to produce the same results with
> 'pkgutil', is the above information outdated and it's OK to use the
> auto-code-signing of the package by Packages?
>
>
> Thanks,
> - Stephen
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Installer-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
--
Packaging Resources - http://s.sudre.free.fr/Packaging.html
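The productsign / pkgutil round trip discussed in this thread, as an added example that is not part of the mailing-list exchange and not code from Packages. It signs a flat package with productsign and then checks the `pkgutil --check-signature` report for the full three-certificate chain (the Developer ID Installer leaf, the Developer ID Certification Authority intermediate, and the Apple Root CA), since a missing intermediate is exactly the problem the Packages documentation quoted above warns about. The function names (sign_pkg, check_chain_text, check_pkg), the identity "Example Corp (ABCDE12345)", the package name MyApp.pkg and the two sample reports with their fingerprints are all constructed for the example; the sample reports follow the shape of pkgutil's output and are not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the installer-dev thread or from Packages.
# Signs a flat .pkg with productsign, then checks pkgutil's report for a
# complete chain: leaf, Developer ID intermediate, Apple root.

# Sign package "$2" with the Developer ID Installer identity "$1", writing "$3".
# Needs macOS with the Xcode command line tools (productsign, pkgutil).
sign_pkg() {
    productsign --sign "$1" "$2" "$3"
}

# Read `pkgutil --check-signature` output on stdin. Return 0 only if the
# status line says the signature is trusted AND the chain lists exactly
# three certificates including the Developer ID intermediate and the
# Apple root. Pure text parsing, so saved output can be checked anywhere.
check_chain_text() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Status: signed by a certificate trusted by' || return 1
    printf '%s\n' "$out" | grep -q 'Developer ID Installer:' || return 1
    printf '%s\n' "$out" | grep -q 'Developer ID Certification Authority' || return 1
    printf '%s\n' "$out" | grep -q 'Apple Root CA' || return 1
    # Numbered chain entries look like "    1. <subject>"; expect three.
    n=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]*\. ' || true)
    [ "$n" -eq 3 ] || return 1
    return 0
}

# Inspect a real package on macOS and feed the report to the checker.
check_pkg() {
    pkgutil --check-signature "$1" | check_chain_text
}

# Constructed sample report (hypothetical identity and fingerprints, not
# captured from a real machine) with the full three-certificate chain.
GOOD_REPORT='Package "MyApp.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55'

# Constructed report whose chain omits the intermediate; the checker rejects
# it regardless of what the status line says.
BAD_REPORT='Package "MyApp.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    2. Apple Root CA
       SHA1 fingerprint: 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55'
```

On a Mac the usual call is `sign_pkg "Developer ID Installer: Example Corp (ABCDE12345)" MyApp-unsigned.pkg MyApp.pkg && check_pkg MyApp.pkg`; the checker deliberately looks at the chain entries rather than only the "trusted" status line, because a current system with the intermediate already in its trust store can report a package as trusted even when the package itself would not carry that intermediate for an older OS.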