I have been struggling for the past 2 weeks with publishing the .pkg.
If I execute codesign -dvv app-version.pkg
I get: app-version.pkg: code object is not signed at all
Then I want to sign it with productsign --sign "3rd Party Mac Developer Installer: xxx (yyy)" ./app-version.pkg ./app-version-signed.pkg
The output is:
productsign: signing product with identity "3rd Party Mac Developer Installer: xxx (yyy)" from keychain /Users/<user>/Library/Keychains/login.keychain-db
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./app-version-signed.pkg
When I check my codesign with codesign -dvv app-version-signed.pkg, I get the same result:
app-version-signed.pkg: code object is not signed at all
We are using electron-builder to build the pkg, but the pkg is not signed yet. The app is signed with Developer ID Application and 3rd Party Mac Developer Application.
Short answer: use pkgutil --check-signature instead of codesign -dvv.

Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them & check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature. When you use codesign -dvv on a package, it's looking for its format of signature, and indeed there isn't one there.
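As an added example (not part of the original question or answer), a small POSIX sh gate that a build pipeline can run after productsign: it calls pkgutil --check-signature as the answer recommends and fails unless the package is signed and the leaf identity is an Installer certificate rather than an Application one. The Status: and numbered Certificate Chain lines it parses are an assumption about pkgutil's report layout, and the sample reports at the bottom are constructed, not captured from a machine.

```shell
# classify_pkgutil_output: reads a `pkgutil --check-signature` report on stdin and
# prints "signed", "unsigned" or "unknown" based on its Status: line (assumed layout).
classify_pkgutil_output() {
    status=$(sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$status" in
        signed*)         echo signed ;;
        "no signature"*) echo unsigned ;;
        *)               echo unknown ;;
    esac
}

# leaf_identity: prints the first certificate of the reported chain, i.e. the
# identity the package was actually signed with (assumed "    1. <name>" layout).
leaf_identity() {
    sed -n 's/^[[:space:]]*1\. //p' | head -n 1
}

# check_pkg_signature PKG [IDENTITY_SUBSTRING]: runs pkgutil on a real package and
# returns 0 only if it is signed and the leaf identity contains IDENTITY_SUBSTRING.
# Default "Installer" catches the common slip of signing a .pkg with an
# Application certificate (which productsign will not accept anyway).
check_pkg_signature() {
    pkg=$1
    want=${2:-Installer}
    # pkgutil exits non-zero on an unsigned package; keep its report either way.
    report=$(pkgutil --check-signature "$pkg" 2>&1) || true
    verdict=$(printf '%s\n' "$report" | classify_pkgutil_output)
    leaf=$(printf '%s\n' "$report" | leaf_identity)
    if [ "$verdict" != signed ]; then
        printf 'FAIL: %s is not signed (%s)\n' "$pkg" "$verdict" >&2
        return 1
    fi
    case "$leaf" in
        *"$want"*) printf 'OK: %s signed by %s\n' "$pkg" "$leaf"; return 0 ;;
        *) printf 'FAIL: %s signed by "%s", expected an identity containing "%s"\n' \
               "$pkg" "$leaf" "$want" >&2; return 1 ;;
    esac
}

# Constructed sample reports (hypothetical, shaped like the assumed pkgutil output).
SAMPLE_SIGNED='Package "app-version-signed.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: xxx (yyy)
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA'

SAMPLE_UNSIGNED='Package "app-version.pkg":
   Status: no signature'
```

On a Mac, `check_pkg_signature ./app-version-signed.pkg` is the whole gate; the two helpers exist so the parsing can be exercised on the constructed samples without pkgutil present.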