Hi,
I develop a tool which has to come to the customers as a PKG installer by download. The tool is built automatically. Thus, no manual Xcode signing, but a Makefile using productsign:
$ productsign --sign "Developer ID Installer: company (P5L99xxxxx)" unsigned.pkg signed.pkg
Finally, everything seems fine and this is what the test with spctl returns:
$ spctl --assess --verbose --type install mac/signed.pkg
mac/signed.pkg: accepted
source=Developer ID
I also tried to verify using pkgutil:
$ pkgutil --check-signature mac/signed.pkg
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: company (P5L99xxxxx)
SHA1...
2. Developer ID Certification Authority
SHA1...
3. Apple Root CA
SHA1...
For me it all looks good, but all the customers will get the message
"signed.pkg" can't be opened because it is from an unidentified developer.
If such a customer runs the above spctl command after getting the warning, his tool also reports "accepted". After that, it no longer complains.
You can try it yourself by downloading the signed app from here: http://www.regify.com/DOWNLOAD/beta/ (please test the regibox .pkg file)
I tried several certificates and already learned that the "3rd Party Mac Developer Installer" certificate is wrong and only for tests. Thus, I exported the "Developer ID Installer: company..." certificate from Xcode and used this (as seen above). But it does not work :-(
What's wrong?
Best,
Kukulkan
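A release pipeline that signs with productsign should also fail the build when the result is not what Gatekeeper expects. The script below is an added example (not the poster's Makefile and not regify's code): it classifies the output of the two checks quoted above, `spctl --assess --verbose --type install` and `pkgutil --check-signature`, and a hypothetical `verify_pkg` wrapper runs the real tools on macOS. The sample outputs embedded at the bottom are constructed from the text of the post so the classifiers can be exercised offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Gate a signed .pkg before shipping: Gatekeeper must report "accepted" and
# pkgutil must show a "Developer ID Installer" certificate at the top of the chain.

# classify_spctl OUTPUT
#   prints "accepted" and returns 0 when spctl accepted the package,
#   prints "rejected" and returns 1 otherwise.
classify_spctl() {
    case "$1" in
        *": accepted"*) echo accepted; return 0 ;;
        *)              echo rejected; return 1 ;;
    esac
}

# classify_pkgutil OUTPUT
#   "developer-id"   (rc 0): signed, leaf is a Developer ID Installer certificate
#   "wrong-identity" (rc 1): signed, but with some other identity (e.g. the
#                            "3rd Party Mac Developer Installer" cert the post mentions)
#   "unsigned"       (rc 2): no trusted signature reported at all
classify_pkgutil() {
    case "$1" in
        *"Status: signed by a certificate trusted by"*) ;;
        *) echo unsigned; return 2 ;;
    esac
    case "$1" in
        *"1. Developer ID Installer:"*) echo developer-id; return 0 ;;
        *)                              echo wrong-identity; return 1 ;;
    esac
}

# verify_pkg PATH  (hypothetical Makefile step; only meaningful on macOS)
#   Usage: verify_pkg mac/signed.pkg
verify_pkg() {
    pkg="$1"
    classify_spctl "$(spctl --assess --verbose --type install "$pkg" 2>&1)" >/dev/null \
        || { echo "FAIL: Gatekeeper rejects $pkg"; return 1; }
    classify_pkgutil "$(pkgutil --check-signature "$pkg" 2>&1)" >/dev/null \
        || { echo "FAIL: $pkg is not signed with a Developer ID Installer certificate"; return 1; }
    echo "OK: $pkg"
}

# ---- Constructed sample outputs (modelled on the post, not captured from a real run) ----
SAMPLE_SPCTL_OK='mac/signed.pkg: accepted
source=Developer ID'

SAMPLE_SPCTL_BAD='mac/unsigned.pkg: rejected
source=no usable signature'

SAMPLE_PKGUTIL_DEVID='Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: company (P5L99xxxxx)
SHA1...
2. Developer ID Certification Authority
SHA1...
3. Apple Root CA
SHA1...'

SAMPLE_PKGUTIL_APPSTORE='Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. 3rd Party Mac Developer Installer: company (P5L99xxxxx)
SHA1...
2. Apple Worldwide Developer Relations Certification Authority
SHA1...
3. Apple Root CA
SHA1...'

SAMPLE_PKGUTIL_UNSIGNED='Status: no signature'
```

On macOS the `verify_pkg` wrapper is the only thing the Makefile needs to call; the classifiers exist so the decision logic can be tested without a signed package at hand.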