I'm trying to sign my package for my own distribution.
> spctl --assess -v --type install Unsigned.pkg
Unsigned.pkg: rejected
source=no usable signature
That's correct.
> productsign --timestamp=none --sign "Developer ID Installer: Aaa Ltd." Unsigned.pkg Signed.pkg
productsign: signing product with identity "Developer ID Installer: Aaa Ltd. (123456789)" from keychain /Users/user/Library/Keychains/login.keychain
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to Signed.pkg
Went well.
> spctl --assess -v Signed.pkg
Signed.pkg: rejected
source=no usable signature
Suspicious...
> spctl --assess -v --type install Signed.pkg
Signed.pkg: accepted
source=Developer ID
Looks perfect.
But when I start the Signed.pkg:
Signed.pkg can't be installed because its digital signature is invalid.
Why?
P.S. Read the Apple website - the certificate is correct, right?
Had the same problem. Looks like pkg and dmg need type install (docs say open). Try checking the context directly. You might get a bit more information from it.
Also check if you signed all frameworks and stuff used inside. Check for symlinks, as they like to crush stuff too. Signing is not recursive; you need to manually sign it all.
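
An added example, not part of the original posts: a POSIX shell script that inventories the nested code and symlinks inside a payload before it is packaged, then checks the finished package as an install. The function names and the payload directory argument are assumptions; `codesign`, `pkgutil` and `spctl` exist only on macOS.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# Nested code that needs its own signature. -depth lists inner items first,
# so each can be signed before the bundle that contains it.
list_nested_code() {
    find "$1" -depth \( \
        -type d \( -name '*.framework' -o -name '*.app' \
                   -o -name '*.bundle' -o -name '*.xpc' \) \
        -o -type f \( -name '*.dylib' -o -name '*.so' \) \
    \) -print
}

# Every symlink in the payload, flagged "broken" when its target is missing.
list_symlinks() {
    find "$1" -type l -print | while IFS= read -r link; do
        if [ -e "$link" ]; then state=ok; else state=broken; fi
        printf '%s\t%s -> %s\n' "$state" "$link" "$(readlink "$link")"
    done
}

# Verify each nested item on its own and print the ones that fail.
# Returns 0 without checking where codesign does not exist (non-macOS).
verify_nested_code() {
    command -v codesign >/dev/null 2>&1 || return 0
    bad=$(list_nested_code "$1" | while IFS= read -r item; do
        codesign --verify --strict "$item" 2>/dev/null || printf '%s\n' "$item"
    done)
    [ -z "$bad" ] && return 0
    printf 'not validly signed:\n%s\n' "$bad"
    return 1
}

# Check the finished installer as an install; in the thread the same signed
# package was rejected when --type was left out.
assess_pkg() {
    pkgutil --check-signature "$1" && spctl --assess -v --type install "$1"
}

# Usage: sh check.sh <payload-dir> [signed.pkg]
if [ "$#" -ge 1 ]; then
    list_nested_code "$1"
    list_symlinks "$1"
    verify_nested_code "$1"
    if [ "$#" -ge 2 ]; then assess_pkg "$2"; fi
fi
```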