My .pkg is being rejected after notarize it

I'm notarizing my .pkg installer and even stapling the ticket after, but I still get rejected after checking it with the following command:


spctl -vvv --assess --type install path/to/my/notarized.pkg

path/to/my/notarized.pkg: rejected
origin=3rd Party Mac Developer Installer: My Certificate Name (XXXXXXXXX)


My pkg is being created with the "packages" app and then signed using pkgutils. Then it's notarized and after the success response from Apple I'm stapling the ticket into it. The pkg contains an app that is also signed of course.


How can I find more information about what's going on? Is there a log somewhere?


Thanks in advance.

Up vote post of SrCobranza Down vote post of SrCobranza
539 views
Posted by
SrCobranza
Reply
Add a Comment

Replies

origin=3rd Party Mac Developer Installer

Hmmm, that’s not good. That’s a Mac App Store certificate name. If you plan to distribute independently, you need to sign with a Developer ID signing identity, whose name is of the form 

Developer ID Installer: TTT
, where 
TTT
identifier your team.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Ok, I'm not sure if this is on purpose or it's a bug, but I don't see that option even if I have the "Admin" role. The person who created the Team is able to see the option to create that type of certificate. I share it just in case someone runs into the same issue. In my case, because of not having the correct option, I ended up using a wrong certificate...


Posted by
SrCobranza
Up vote reply of SrCobranza Down vote reply of SrCobranza
Add a Comment

The person who created the Team is able to see the option to create that type of certificate.

Indeed. This is in line with the big table in Apple Developer Program Roles.

The reason for this is that a Developer ID signing identity allows you to sign code for your team without any mediation, and thus access to these signing identities is extremely limited.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment