Re: How do you codesign a Packages .pkg?
Personally, I would not recommend using it (and also I'm not using it):

- the signing procedure (during the build) fails on macOS Sierra because it's based on deprecated, obsolete and now broken APIs.
- the signing procedure does take care of including the intermediate certificates. This means it works on most OS releases as the certificates have been included into the standard OS distributions for a while but there are still some old (think 10.5) OS versions that do not have some of them. And in this case, it can cause an issue.

These 2 issues have been fixed in the next 1.2 version (and I'm not using productsign anymore to sign the development builds). So, please use productsign as recommended.

On Mon, Apr 3, 2017 at 1:41 AM, Stephen Kay <sk@karma-lab.com> wrote:
I'm using Packages 1.1.3 - A short while ago I asked about code-signing a package, and was referred to using the command line with 'productsign'.
Another user here emailed me and said that in Packages, I could "set the certificate" under the Project menu, and then it would automatically sign the package. So I did that, installed my Installer Certificate, and it certainly appears to work.
Whether I sign it with the Packages certificate, or I sign it manually using productsign, using 'pkgutil --check-signature' displays the exact same information: "signed by a certificate trusted by Mac OS X" and the exact same fingerprints for all 3 certificates. So seemingly there is no difference between these two methods.
I've also tested downloading and installing the auto-code-signed package from the internet onto a virgin VM, on 10.10, 10.11 and 10.12 and it certainly doesn't alert GateKeeper. So it seems to work just fine.
Yet I see in the Packages documentation:
"While Packages can see and use the Developer ID certificate, at the time of this writing, it does not produce a signed package or distribution that is seen as valid by Gatekeeper - a required intermediate certificate is missing -"
"To work around this:
* Do not sign the packages and distributions with the corresponding Packages feature.
* Use the productsign <https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/productsign.1.html> (1) tool that is installed with the Xcode tools (version 3.2.6 or later)."
Since both of these methods seem to produce the same results with 'pkgutil', is the above information outdated and it's OK to use the auto-code-signing of the package by Packages?
Thanks, - Stephen
_______________________________________________ Do not post admin requests to the list. They will be ignored. Installer-dev mailing list (Installer-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/installer-dev/dev.iceberg%40gmail.co...
This email sent to dev.iceberg@gmail.com
-- Packaging Resources - http://s.sudre.free.fr/Packaging.html
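A quick way to catch the missing-intermediate case the thread discusses is to parse the `pkgutil --check-signature` report and require the Developer ID intermediate in the chain, rather than only looking at the "trusted" status line. This is an added example, not code from the thread or from Packages; the report layout, the `chain_check`/`verify_pkg` names and the sample reports (fictitious team ID and fingerprints) are assumptions based on typical pkgutil output.

```shell
#!/bin/sh
# Added example: check that a signed .pkg embeds the full certificate chain
# (leaf, Developer ID intermediate, Apple root) in `pkgutil --check-signature`
# output. The report layout below is assumed from typical pkgutil output.
# chain_check: reads a pkgutil --check-signature report on stdin. Returns 0 only
# if the status is trusted, the chain has at least 3 entries and the Developer ID
# intermediate (the certificate old OS releases may lack) is present.
chain_check() {
    report=$(cat)
    printf '%s\n' "$report" | grep -q 'Status: signed by a certificate trusted' || {
        echo "FAIL: not signed by a trusted certificate" >&2
        return 1
    }
    # Chain entries are the numbered lines ("    1. ...", "    2. ...").
    n=$(printf '%s\n' "$report" | grep -c '^ *[0-9][0-9]*\. ' || true)
    if [ "$n" -lt 3 ]; then
        echo "FAIL: only $n certificate(s) in chain; intermediate missing?" >&2
        return 1
    fi
    printf '%s\n' "$report" | grep -q '^ *[0-9][0-9]*\. Developer ID Certification Authority' || {
        echo "FAIL: Developer ID intermediate not embedded" >&2
        return 1
    }
    echo "OK: trusted signature, $n-certificate chain including the intermediate"
}
# verify_pkg: run the real check on a package file (macOS only, needs pkgutil).
verify_pkg() {
    pkgutil --check-signature "$1" | chain_check
}
# Constructed sample report: full chain (fictitious team ID and fingerprints).
GOOD_REPORT='Package "Example.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
    2. Developer ID Certification Authority
       SHA1 fingerprint: 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44
    3. Apple Root CA
       SHA1 fingerprint: 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55'
# Constructed sample report: same leaf, but the intermediate was not embedded,
# the case the Packages documentation quoted in the thread warns about.
SHORT_REPORT='Package "Example.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
    2. Apple Root CA'
```

On a Mac, `verify_pkg /path/to/Example.pkg` runs the same check against a real package; the sample reports let the parsing logic be exercised anywhere.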