Unable to signed *.pkg file using productsign tool

Code Signing General
amrit3701 OP
Created Nov ’20
Replies 2
Boosts 1
Views 5.2k
Participants 2
I have a *.pkg file which is built by using productbuild command. (productbuild --component <path>/HyperBIM-v0.36.app /Applications/ ./HyperBIM-v0.36.pkg)

This HyperBIM-v0.6.app is signed by using codesign command. (codesign --deep -s "Apple Development: Amritpal Singh (KC65BTVN4Z)" ./HyperBIM-v0.36.app)

Now, to sign generated HyperBIM-v0.36.pkg file I run below command:

Code Block 
$ productsign --sign "Apple Development: Amritpal Singh (KC65BTVN4Z)" --keychain /Users/ambu/Library/Keychains/login.keychain-db ./HyperBIM-v0.36.pkg ./HyperBIM-v0.36-Signed.pkg
productsign: error: Could not find appropriate signing identity for “Apple Development: Amritpal Singh (KC65BTVN4Z)” in keychain at “/Users/ambu/Library/Keychains/login.keychain-db”. An installer signing identity (not an application signing identity) is required for signing flat-style products.


Here is identities present login.keychain-db:
Code Block 
$ security find-identity /Users/ambu/Library/Keychains/login.keychain-db
Policy: X.509 Basic
  Matching identities
  1) AFF80D6344B85AC51D5A44443B9AA5FF7B09A824 "Apple Development: Amritpal Singh (KC65BTVN4Z)"
     1 identities found
  Valid identities only
  1) AFF80D6344B85AC51D5A44443B9AA5FF7B09A824 "Apple Development: Amritpal Singh (KC65BTVN4Z)"
     1 valid identities found


But I can sign my HyperBIM-v0.36.pkg using codesign command (codesign --deep -s "Apple Development: Amritpal Singh (KC65BTVN4Z)" ./HyperBIM-v0.36.pkg)

Is there any difference between sign *.pkg using codesign and productsign tool? I have to publish my *pkg to App Store.

Why productsign tool unable to find signing identity as identity is present in login.keychain-db?


Thanks
Replies  2
Boosts  1
Views  5.2k
Participants  2
DTS Engineer OP
Apple
Nov ’20
The fundamental problem here is that an Apple Development signing identity is a code signing identity and thus not appropriate for signing an installer package. You need an installer signing identity; typically this is named Mac Installer Distribution (for submission to the Mac App Store) or Developer ID Installer (for independent distribution).

You can find this and other important tips in my Signing a Mac Product For Distribution post.

Also, you wrote:

But I can sign my HyperBIM-v0.36.pkg using codesign command

codesign is able to sign anything, but the signature it produces is not valid for an installer package. Those must be signed by productsign (or productbuild) and those tools check that you have a signing identity that’s appropriate for an installer.

codesign --deep -s "Apple Development: Amritpal Singh (KC65BTVN4Z)" ./HyperBIM-v0.36.app

I recommend against using --deep for signing an app. See --deep Considered Harmful for an explanation as to why.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
1
amrit3701 OP
Nov ’20

The fundamental problem here is that an Apple Development signing identity is a code signing identity and thus not appropriate for signing an installer package. You need an installer signing identity; typically this is named Mac Installer Distribution (for submission to the Mac App Store) or Developer ID Installer (for independent distribution).

Hi, yes after adding 3rd Party Mac Developer Installer certificate I able to signed the application using productsign tool.

Could you also take look on below issue?
https://developer.apple.com/forums/thread/665848

Thanks in advance!
0
Unable to signed *.pkg file using productsign tool
First post date Last post date
 
 
Q