I have a myFile.mpkg file and signed it in Mac OS X 10.9.5 using the command line utility productsign and the following command:
productsign --sign "Developer ID Installer: MyDeveloperInstallerId" myFile.mpkg mySignedFile.mpkg
The output when I ran the command is the following:
productsign: preparing "myFile.mpkg" for signing...
productsign: Using timestamp authority for signature
productsign: Wrote signed product archive to mySignedFile.mpkg
Then in order to verify that my file is signed I ran the command:
pkgutil --check-signature mySignedFile.mpkg
and the output was:
Package "mySignedFile.mpkg":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain: etc...
Nevertheless when I tried to install my signed file to a Mac OS X 10.10.1 the following message appeared:
mySignedFile.mpkg can't be opened because the identity of the developer cannot be confirmed
Any idea why this is happening? Is there anything wrong in the signing process?
[UPDATE]
Found this post
and ran the following command:
spctl -a -t exec -vv mySignedFile.mpkg
the output was:
mySignedFile.mpkg: rejected
source=obsolete resource envelope
which means that my package will be rejected by Gatekeeper on 10.9.5 (OSX Mavericks) /10.10 (OSX Yosemite) or above.
I also checked the version of the signature and found something strange:
codesign -dvvv mySignedFile.mpkg
Executable=mySignedFile.mpkg/Contents/distribution.dist
Identifier=mySignedFile
Format=installer package bundle
CodeDirectory v=20200 size=183 flags=0x0(none) hashes=1+3 location=embedded
Hash type=sha1 size=20
CDHash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Signature size=7589
Authority=Developer ID Application: My Company
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 14, 2015, 13:08:13 pm
Info.plist=not bound
TeamIdentifier=XXXXXXXXX
Sealed Resources version=2 rules=4 files=2
Internal requirements count=1 size=200
Info.plist, instead of having entries = a number, equals not bound.
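The two checks run by hand in the post (pkgutil --check-signature and an spctl assessment) are the ones a release pipeline should run automatically before a package ships, so that a package Gatekeeper would reject never reaches users. The script below is an added example and is not code from the post or from Apple; it parses the output of both tools and returns a single verdict. It assumes that spctl's assessment type for installer packages is "install" (-t install) rather than the "exec" type used in the post, that the certificate-chain layout of pkgutil output is as sketched in the constructed sample, and that the company name and team identifier in the samples are placeholders. The subprocess calls are only attempted on macOS; the parsers run anywhere.

```python
"""Pre-flight check of a signed installer package against Gatekeeper.

Added example (not code from the original post): it turns the manual checks
in the post, `pkgutil --check-signature` and an `spctl` assessment, into one
script a build step can run before shipping a package.  The output parsers
are exercised offline on constructed samples modelled on the post; the
subprocess calls are only attempted on macOS.
"""
import platform
import re
import subprocess
import sys

# Constructed sample output, shaped like the tool output quoted in the post.
# The certificate-chain lines and the company/team names are assumptions.
PKGUTIL_SAMPLE = """Package "mySignedFile.mpkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
SPCTL_REJECTED_SAMPLE = """mySignedFile.mpkg: rejected
source=obsolete resource envelope
"""
SPCTL_ACCEPTED_SAMPLE = """mySignedFile.mpkg: accepted
source=Developer ID
origin=Developer ID Installer: Example Corp (TEAMID0000)
"""


def parse_pkgutil(output):
    """Return {'status': str|None, 'chain': [cert names]} from pkgutil --check-signature output."""
    parsed = {"status": None, "chain": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Status:"):
            parsed["status"] = line.split(":", 1)[1].strip()
        else:
            m = re.match(r"^\d+\.\s+(.+)$", line)  # "1. Developer ID Installer: ..."
            if m:
                parsed["chain"].append(m.group(1))
    return parsed


def parse_spctl(output):
    """Return {'path', 'verdict', plus every key=value line} from spctl -a -vv output."""
    parsed = {}
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return parsed
    m = re.match(r"^(.*?):\s*(accepted|rejected)\s*$", lines[0])
    if m:
        parsed["path"], parsed["verdict"] = m.group(1), m.group(2)
    for line in lines[1:]:
        if "=" in line:
            key, value = line.split("=", 1)
            parsed[key.strip()] = value.strip()
    return parsed


def gatekeeper_verdict(pkgutil_output, spctl_output):
    """Combine both tools into (ok, reasons); every reason is a shipping blocker."""
    reasons = []
    sig = parse_pkgutil(pkgutil_output)
    gk = parse_spctl(spctl_output)
    status = sig["status"] or "no Status line"
    if not status.startswith("signed by a certificate trusted"):
        reasons.append("pkgutil: " + status)
    # Installer packages must be signed with a Developer ID *Installer* certificate;
    # the Developer ID Application certificate is for code bundles, not .pkg/.mpkg files.
    if not any(name.startswith("Developer ID Installer:") for name in sig["chain"]):
        reasons.append("pkgutil: leaf certificate is not a Developer ID Installer certificate")
    if gk.get("verdict") != "accepted":
        # e.g. "source=obsolete resource envelope", as in the post's own spctl run
        reasons.append("spctl: %s (source=%s)" % (gk.get("verdict", "no verdict"),
                                                   gk.get("source", "?")))
    return (not reasons, reasons)


def check_package(path):
    """Run both tools on macOS; -t install is the spctl assessment type for installer packages."""
    if platform.system() != "Darwin":
        raise RuntimeError("pkgutil and spctl are only available on macOS")
    pk = subprocess.run(["pkgutil", "--check-signature", path], capture_output=True, text=True)
    # spctl writes its verbose assessment to stderr, so capture both streams.
    sp = subprocess.run(["spctl", "-a", "-vv", "-t", "install", path],
                        capture_output=True, text=True)
    return gatekeeper_verdict(pk.stdout + pk.stderr, sp.stdout + sp.stderr)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        ok, reasons = check_package(sys.argv[1])
    else:
        # No package given: demonstrate on the constructed samples instead.
        ok, reasons = gatekeeper_verdict(PKGUTIL_SAMPLE, SPCTL_REJECTED_SAMPLE)
    print("ACCEPTED" if ok else "REJECTED")
    for r in reasons:
        print(" -", r)
    sys.exit(0 if ok else 1)
```

Run as `python3 check_pkg.py mySignedFile.mpkg` on the build machine; a non-zero exit stops the release. The constructed rejected sample reproduces the post's situation: pkgutil reports a trusted signature, yet the spctl assessment is the one that decides what Gatekeeper will do on the user's machine, so the script treats the spctl verdict as authoritative and a pkgutil "trusted" status alone is never enough.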