OS X productsign error: Could not find appropriate signing identity


I'm trying to sign an OS X installer package using the command line utility productsign, but get an error.

productsign --sign "Developer ID Installer: XYZ" input.pkg output.pkg
productsign: error: Could not find appropriate signing identity for “Developer ID Installer: XYZ”.

When I open Keychain Access, I'm able to see the cert that I created at developer.apple.com and imported into my login Keychain. Its Common Name matches my command line parameter: "Developer ID Installer: XYZ". Is there any way to debug this particular error?

3

There are 3 answers

2
gaige On BEST ANSWER

Check for the private key in your keychain. You need both the key and the certificate to do the signing (together Apple calls this an "identity").
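One way to run this check from a terminal, as an added example that is not part of the original answer: `security find-identity -v` lists only certificate and private key pairs, so a certificate that `security find-certificate` can see but `find-identity` does not list has no usable key. The function names, the script name `check-identity.sh` and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): find out why productsign
# reports "Could not find appropriate signing identity".

# Constructed sample of `security find-identity -v` output; the hash, company
# name and team ID are placeholders.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000000 "Developer ID Installer: Example Co (EXAMPLE123)"
     1 valid identities found'

# classify_identity NAME IDENTITIES CERT_PRESENT
#   NAME          full common name passed to productsign --sign
#   IDENTITIES    text printed by `security find-identity -v`
#   CERT_PRESENT  "yes" if a certificate with that name is in the keychain
classify_identity() {
    name=$1; identities=$2; cert_present=$3
    # find-identity lists certificate + private key pairs, one per line:
    #   N) <SHA-1 hash> "Common Name"
    # grep -c exits non-zero on zero matches, hence the "|| true".
    matches=$(printf '%s\n' "$identities" | grep -c -F -e "\"$name\"" || true)
    if [ "$matches" -gt 0 ]; then
        echo "identity-ok"
    elif [ "$cert_present" = yes ]; then
        echo "certificate-without-private-key"
    else
        echo "certificate-missing"
    fi
}

# check_keychain NAME: run the same classification against the real keychain
# (macOS only, needs the `security` tool).
check_keychain() {
    if security find-certificate -c "$1" >/dev/null 2>&1; then
        present=yes
    else
        present=no
    fi
    classify_identity "$1" "$(security find-identity -v)" "$present"
}

# Usage on macOS: sh check-identity.sh "Developer ID Installer: XYZ"
if [ "$#" -gt 0 ] && command -v security >/dev/null 2>&1; then
    check_keychain "$1"
fi
```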

1
Emmanuel Buu On

I had the same issue. My installer certificate had no private key. You can check this by opening Keychain Access and looking for your certificate, named like:

Developer ID Installer: My Company (1258345791ZL)

If there is a private key attached, you should see

Developer ID Installer: My Company (1258345791ZL) (!) Private Key

If you cannot unfold the private key under your certificate, it means that it is missing.

Then to fix this, you have to log on to developer.apple.com with your Apple ID and

1- try to remove and download your certificate again

2- if this is not enough, create a new one with the following steps

2a - click on the (+) or go here:

https://developer.apple.com/account/mac/certificate/distribution/create

2b - specify Production / Developer ID, then press Continue

2c - specify "Developer ID Installer"

2d - follow the instructions to create a certificate request using Keychain

2e - upload your certificate request file to Apple Developer

2f - download the newly created certificate into your keychain.

2g - clean up all other installer certificates to be sure.

Et voila, you can sign.

2
zack999 On

I had this issue and it was because I did not have the private keys. Best practice: you will need CertificateSigningRequest.certSigningRequest; this is as good as a private key.

  • sign into developer.apple.com with an Apple ID that is a developer account
  • (you could use Xcode, but that's too hard so you can log in to your Apple Developer account in browser)
  • you can view existing certificates and download them but it will do you little good if you don't have the keys for them
  • Tell developer.apple.com you want to create a new Developer ID Installer; you will have to feed it a file, and how to make it is explained in the following step
  • Launch Keychain Access (these instructions mostly stolen from Apple)

Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

In the Certificate Assistant dialog, enter an email address in the User Email Address field.

In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).

Leave the CA Email Address field empty.

Choose “Saved to disk”, and click Continue.

  • Feed this newly created CertificateSigningRequest.certSigningRequest file back to Safari
  • Download the resulting developerID_installer.cer (you now have a signed Developer ID)
  • Double click it to add it to the login keychain

  • finally productsign --sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg