I created a PKG installer on the command line (see below; the commands' output is in italic). The installer opens on my MBP, but after uploading it to a server and downloading it by link, macOS shows "TestApp.app.2.0(32).pkg" can't be opened because Apple cannot check it for malicious software.
TestApp.app is an application signed with a "Developer ID Application" certificate and notarised with Xcode.
Check TestApp.app signing:
codesign --verify --verbose TestApp.app
TestApp.app: valid on disk
TestApp.app: satisfies its Designated Requirement
spctl --assess --verbose TestApp.app
TestApp.app: accepted
source=Notarized Developer ID
Build package component
pkgbuild --identifier <bundleID> --version '2.0(32)' --sign 'Developer ID Installer: ….' --install-location /Applications --component TestApp.app component.pkg
pkgbuild: Adding component at …../Create PKG/TestApp.app
pkgbuild: Using timestamp authority for signature
pkgbuild: Signing package with identity "Developer ID Installer: …" from keychain …./Library/Keychains/login.keychain-db
pkgbuild: Adding certificate "Developer ID Certification Authority"
pkgbuild: Adding certificate "Apple Root CA"
pkgbuild: Wrote package to component.pkg
Build product package
productbuild --distribution distribution.xml --sign 'Developer ID Installer: ….' --resources ./ 'TestApp.app.2.0(32).pkg'
productbuild: Using timestamp authority for signature
productbuild: Signing product with identity "Developer ID Installer: …." from keychain …../Library/Keychains/login.keychain-db
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to TestApp.app.2.0(32).pkg
Check signing
pkgutil --check-signature 'TestApp.app.2.0(32).pkg'
Package "TestApp.app.2.0(32).pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2021-10-26 17:17:22 +0000
Certificate Chain:
1. Developer ID Installer: ….
Expires: 2026-02-22 20:09:37 +0000
SHA256 Fingerprint:
1C 23 A0 1C 4C F4 BA E3 83 2E 39 E8 4C A8 1D 8E 95 46 7D 21 C7 F3
25 B6 23 27 78 6E C7 41 50 F7
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
Test the installer package using the spctl(8) command-line tool, as described at https://help.apple.com/xcode/mac/current/#/deve51ce7c3d
spctl -a -v --type install TestApp.app.2.0\(32\).pkg
TestApp.app.2.0(32).pkg: rejected
source=Unnotarized Developer ID
Sign with productsign, as described at the same URL, https://help.apple.com/xcode/mac/current/#/deve51ce7c3d
productsign --timestamp --sign "Developer ID Installer: …." ./TestApp.app.2.0\(32\).pkg ./TestApp.app.2.0\(32\).\(2\).pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: …." from keychain …./Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./TestApp.app.2.0(32).(2).pkg
spctl -a -v --type install TestApp.app.2.0\(32\).\(2\).pkg
TestApp.app.2.0(32).(2).pkg: rejected
source=Unnotarized Developer ID
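The checks in the post (pkgutil --check-signature, then spctl --assess --type install) are the two gates a package has to pass before Gatekeeper lets it open from a download. The following Python script is an added example, not part of the post or of Apple's tooling: it parses the output of those two commands and refuses to release a package unless it is signed by a "Developer ID Installer" identity and spctl reports source=Notarized Developer ID. The embedded sample outputs are constructed from the lines quoted in the post, with the signing identity replaced by a placeholder; the run_checks helper that calls the real tools only works on macOS.

```python
"""Release gate for a macOS installer package.

Parses `pkgutil --check-signature` and `spctl --assess --verbose --type install`
output and reports whether the .pkg is both Developer ID signed and assessed as
notarized. Added example; the samples below are constructed from the post.
"""
import re
import subprocess
import sys

# Constructed sample (trimmed): pkgutil output for a Developer ID signed package.
# The identity name is a placeholder, not a real certificate subject.
SAMPLE_PKGUTIL = """Package "TestApp.app.2.0(32).pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2021-10-26 17:17:22 +0000
   Certificate Chain:
    1. Developer ID Installer: EXAMPLE DEVELOPER (PLACEHOLDER)
       Expires: 2026-02-22 20:09:37 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
"""

# Constructed samples: spctl verdict for an unnotarized and a notarized package.
SAMPLE_SPCTL_REJECTED = "TestApp.app.2.0(32).pkg: rejected\nsource=Unnotarized Developer ID\n"
SAMPLE_SPCTL_ACCEPTED = "TestApp.app.2.0(32).pkg: accepted\nsource=Notarized Developer ID\n"


def parse_pkgutil(text):
    """Return {'status': <Status line or None>, 'chain': [cert names, leaf first]}."""
    m = re.search(r"^\s*Status:\s*(.+?)\s*$", text, re.M)
    status = m.group(1) if m else None
    # Chain entries are numbered lines: "1. Developer ID Installer: ...".
    chain = re.findall(r"^\s*\d+\.\s+(.+?)\s*$", text, re.M)
    return {"status": status, "chain": chain}


def parse_spctl(text):
    """Return (verdict, source) from spctl -a -v output, e.g. ('rejected', 'Unnotarized Developer ID')."""
    m = re.search(r"^(.*):\s*(accepted|rejected)\s*$", text, re.M)
    verdict = m.group(2) if m else None
    m = re.search(r"^source=(.+?)\s*$", text, re.M)
    source = m.group(1) if m else None
    return verdict, source


def gatekeeper_ready(pkgutil_text, spctl_text):
    """Decide whether the package may ship. Returns (ok, list of reasons it may not)."""
    reasons = []
    sig = parse_pkgutil(pkgutil_text)
    if not sig["status"] or "signed by a developer certificate" not in sig["status"]:
        reasons.append("package is not signed with a Developer ID certificate")
    if not sig["chain"] or not sig["chain"][0].startswith("Developer ID Installer"):
        reasons.append("leaf certificate is not a 'Developer ID Installer' identity")
    verdict, source = parse_spctl(spctl_text)
    if verdict != "accepted":
        reasons.append(f"spctl verdict is {verdict!r}")
    if source != "Notarized Developer ID":
        reasons.append(f"spctl source is {source!r}: the package itself has not been notarized")
    return (not reasons, reasons)


def run_checks(pkg_path):
    """Run the real tools (macOS only) and evaluate their output. Returns (ok, reasons)."""
    pkgutil = subprocess.run(["pkgutil", "--check-signature", pkg_path],
                             capture_output=True, text=True)
    # spctl prints its verdict on stderr, so merge both streams before parsing.
    spctl = subprocess.run(["spctl", "--assess", "--verbose", "--type", "install", pkg_path],
                           capture_output=True, text=True)
    return gatekeeper_ready(pkgutil.stdout + pkgutil.stderr, spctl.stdout + spctl.stderr)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        ok, reasons = run_checks(sys.argv[1])
    else:  # no path given: evaluate the constructed samples from the post
        ok, reasons = gatekeeper_ready(SAMPLE_PKGUTIL, SAMPLE_SPCTL_REJECTED)
    print("SHIP" if ok else "DO NOT SHIP")
    for reason in reasons:
        print(" -", reason)
    sys.exit(0 if ok else 1)
```

Run as `python3 pkg_gate.py 'TestApp.app.2.0(32).pkg'` on the build machine, or with no argument to see the verdict for the sampled output. Note that a correct Developer ID signature (the first gate) and notarization (the second gate) are independent: re-signing with productsign changes nothing about the spctl source line, because that line reports whether the notary service has issued a ticket for this particular package, which is what the Apple page linked in the post describes submitting for.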