Failed to sign PKG Installer

I created a PKG installer on the command line (see below; each command's output is in italic). The installer opens on my MBP, but after uploading it to a server and downloading it by link, macOS shows: "TestApp.app.2.0(32).pkg" can't be opened because Apple cannot check it for malicious software.

TestApp.app is an application signed with a "Developer ID Application" certificate and notarised with Xcode.

Check TestApp.app signing:

codesign --verify --verbose TestApp.app

TestApp.app: valid on disk

TestApp.app: satisfies its Designated Requirement

spctl --assess --verbose TestApp.app

TestApp.app: accepted

source=Notarized Developer ID

Build package component

pkgbuild --identifier <bundleID> --version '2.0(32)' --sign 'Developer ID Installer: ….' --install-location /Applications --component TestApp.app component.pkg

pkgbuild: Adding component at …../Create PKG/TestApp.app

pkgbuild: Using timestamp authority for signature

pkgbuild: Signing package with identity "Developer ID Installer: …" from keychain …./Library/Keychains/login.keychain-db

pkgbuild: Adding certificate "Developer ID Certification Authority"

pkgbuild: Adding certificate "Apple Root CA"

pkgbuild: Wrote package to component.pkg

Build product package

productbuild --distribution distribution.xml --sign 'Developer ID Installer: ….' --resources ./ 'TestApp.app.2.0(32).pkg'

productbuild: Using timestamp authority for signature

productbuild: Signing product with identity "Developer ID Installer: …." from keychain …../Library/Keychains/login.keychain-db

productbuild: Adding certificate "Developer ID Certification Authority"

productbuild: Adding certificate "Apple Root CA"

productbuild: Wrote product to TestApp.app.2.0(32).pkg

Check signing

pkgutil --check-signature 'TestApp.app.2.0(32).pkg'

Package "TestApp.app.2.0(32).pkg":

Status: signed by a developer certificate issued by Apple for distribution

   Signed with a trusted timestamp on: 2021-10-26 17:17:22 +0000

   Certificate Chain:

    1. Developer ID Installer: ….

       Expires: 2026-02-22 20:09:37 +0000

       SHA256 Fingerprint:

           1C 23 A0 1C 4C F4 BA E3 83 2E 39 E8 4C A8 1D 8E 95 46 7D 21 C7 F3

           25 B6 23 27 78 6E C7 41 50 F7

       ------------------------------------------------------------------------

    2. Developer ID Certification Authority

       Expires: 2027-02-01 22:12:15 +0000

       SHA256 Fingerprint:

           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03

           F2 9C 88 CF B0 B1 BA 63 58 7F

       ------------------------------------------------------------------------

    3. Apple Root CA

       Expires: 2035-02-09 21:40:36 +0000

       SHA256 Fingerprint:

           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C

           68 C5 BE 91 B5 A1 10 01 F0 24

Test the installer package using the spctl(8) command-line tool, as described at https://help.apple.com/xcode/mac/current/#/deve51ce7c3d

spctl -a -v --type install TestApp.app.2.0\(32\).pkg

TestApp.app.2.0(32).pkg: rejected

source=Unnotarized Developer ID

Sign with productsign as described on the same page, https://help.apple.com/xcode/mac/current/#/deve51ce7c3d

productsign --timestamp --sign "Developer ID Installer: …." ./TestApp.app.2.0\(32\).pkg ./TestApp.app.2.0\(32\).\(2\).pkg

productsign: using timestamp authority for signature

productsign: signing product with identity "Developer ID Installer: …." from keychain …./Library/Keychains/login.keychain-db

productsign: adding certificate "Developer ID Certification Authority"

productsign: adding certificate "Apple Root CA"

productsign: Wrote signed product archive to ./TestApp.app.2.0(32).(2).pkg

spctl -a -v --type install TestApp.app.2.0\(32\).\(2\).pkg

TestApp.app.2.0(32).(2).pkg: rejected

source=Unnotarized Developer ID

Answered by DTS Engineer in 692877022

It looks like you’ve notarised your app but not your installer package. That’s going to be a problem because Gatekeeper requires that installer packages be notarised. Rather than notarise twice, our general advice is that you notarise your outermost container; the resulting ticket will cover both your app and your installer package.

For more on this, see Signing a Mac Product For Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
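The fix the answer describes, as an added example that is not from this thread or from Apple: a POSIX shell script that reads the Gatekeeper assessment of the product package, and when it reports an unnotarised Developer ID source (the exact symptom in the question), submits the .pkg, the outermost container, to the notary service, staples the ticket, and re-runs the check. The keychain profile name AC_PROFILE is an assumption; the notarytool and stapler invocations are the standard ones and only run on a Mac with Xcode installed.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Apple.
# Assumes a notarytool keychain profile named "AC_PROFILE" (hypothetical
# name) was stored beforehand with `xcrun notarytool store-credentials`.

# Pull the "source=..." line out of `spctl -a -v --type install` output.
# Prints e.g. "Notarized Developer ID" or "Unnotarized Developer ID".
spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# Succeeds (exit 0) only when the assessment shows the package is signed
# with Developer ID but carries no notarisation ticket.
needs_notarization() {
    case "$(spctl_source "$1")" in
        "Unnotarized Developer ID") return 0 ;;
        *) return 1 ;;
    esac
}

# Notarise the outermost container: submit the product .pkg, wait for the
# ticket, staple it to the package, then confirm Gatekeeper now accepts it.
notarize_pkg() {
    pkg="$1"
    profile="${2:-AC_PROFILE}"
    # spctl exits non-zero on "rejected"; keep the text so we can parse it.
    assessment=$(spctl -a -v --type install "$pkg" 2>&1 || true)
    if ! needs_notarization "$assessment"; then
        echo "$pkg: no action needed ($(spctl_source "$assessment"))"
        return 0
    fi
    xcrun notarytool submit "$pkg" --keychain-profile "$profile" --wait
    # Stapling embeds the ticket so offline installs pass without a lookup.
    xcrun stapler staple "$pkg"
    spctl -a -v --type install "$pkg"
}

# Entry point when run directly: notarize_pkg.sh <product.pkg> [profile]
if [ $# -ge 1 ]; then
    notarize_pkg "$@"
fi
```

After a successful run the final spctl line should read "accepted" with "source=Notarized Developer ID", matching the app's own result earlier in the question.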

