.pkg signed on 10.14 not compatible with 10.6

Hi


I've been using productsign with a Developer ID Installer certificate for some time, but when signing a recent pkg build I found that I could no longer open it on macOS 10.6. I tried signing the same pkg under a VM macOS 10.12 and the resulting signed pkg was again compatible with macOS 10.6.


The error I see on 10.6 is:

Jan 11 12:01:45 macos-snow-leopard-server Installer[3080]: Failed to verify data against certificate.
Jan 11 12:01:45 macos-snow-leopard-server Installer[3080]: Invalid Distribution File/Package


I assume something changed with productsign on the release of macOS Mojave and my guess is it will no longer work prior to when Gatekeeper was added. I've not been able to find any reference to changes elsewhere.


Is anyone aware of what exactly changed, and ideally a workaround so I don't have to load up a VM every time I do a build?


Many thanks

Replies

You are going to have certificate problems on anything before 10.9. Those old OS versions may not work with some modern certificates.

I'm observing exactly the same error as the OP. I will add that the certificate has not changed as far as I know. I just updated from Sierra to Mojave. Additionally I tried using the productsign binary from my Sierra installation, and had the same result.


Is it possible to sign a package on Mojave, that is compatible with 10.6?

Are you testing on 10.6? Or 10.6.8?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I ran into this recently. A pkg signed with my Developer ID on 10.14 with Xcode 10.3 can't be opened on 10.6.8. If I do the signing on the 10.6 machine with the exact same certificate, it works. I have other pkgs I signed on 3 Oct 2018 which do work on 10.6. At that time I would have been running 10.13 and either Xcode 9.4.1 or 10.0.

I ran into this recently.

Interesting. I have some theories as to what might be going on there, but nothing concrete that I want to share.

I do not, alas, have time to look into this in the context of DevForums. If you need help with it, my recommendation is that you open a DTS tech support incident so that one of my colleagues can help you out.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

OK. If it gets to be too much of a problem I might do that.


For now, I'll just note for the benefit of anyone who might be unsure that the pkgs signed on 10.14 do still seem to be compatible with 10.7 and later pre-Gatekeeper OS versions.

I have submitted a TS ticket. To answer a previous question: Yes, it is OS 10.6.8, with the latest updates installed.

I'm having exactly the same problem. Did you ever hear back from Apple about this or otherwise find a solution?

I'm a bit late to the party, but I think the problem is that newer versions of packagesign put the RSA signature into the pkg, it only puts the CMS sig in place. Older versions of OSX only know to check the RSA signature.


It is possible to add the RSA sig yourself, there's nothing magical about packagesign.


Quinn (or anyone at Apple) if you are interested, see radar 47434137, which is now FB5386538 (?) As I wrote in that bug report, I have code that demonstrates the issue if that is needed. I still have that code sitting on my desktop.

Could you tell us the method for adding the RSA signature? If there's a workaround to this issue I'd love to see it.

Here's the source for a simple tool that adds the RSA signature:


https://gist.github.com/kurash/57e18d6e6e98f397f42086194b7b67bd


The command for compiling is at the top of the file. Usage is like: pkgresign mypackage.pkg

That seems to have done the trick. Thanks for sharing this tool!
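Added example, not part of the thread and not the code from the gist: a check a build pipeline could run to see which signature styles a flat package carries, following the RSA versus CMS explanation given in the replies above. It assumes the xar layout (28-byte big-endian header followed by a zlib-compressed XML table of contents) and that the RSA signature appears as a `signature` element and the CMS one as `x-signature`; the function names and the sample archive are constructed for illustration.

```python
import struct
import sys
import xml.etree.ElementTree as ET
import zlib

# magic, header size, version, TOC compressed length, TOC uncompressed length, checksum alg
HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 16 * 1024 * 1024  # cap on how much of an untrusted TOC is inflated

def signature_styles(data):
    """Return the style attribute of each signature element in a xar TOC."""
    if len(data) < HEADER.size or data[:4] != b"xar!":
        raise ValueError("not a xar archive")
    _, hdr_size, _, toc_clen, _, _ = HEADER.unpack_from(data)
    raw = data[hdr_size:hdr_size + toc_clen]
    if len(raw) != toc_clen:
        raise ValueError("truncated table of contents")
    inflater = zlib.decompressobj()
    toc_xml = inflater.decompress(raw, MAX_TOC)
    if inflater.unconsumed_tail:
        raise ValueError("table of contents exceeds size cap")
    toc = ET.fromstring(toc_xml).find("toc")
    if toc is None:
        raise ValueError("no <toc> element")
    # Assumption: RSA signature is <signature>, CMS signature is <x-signature>.
    return [el.get("style", "?") for el in toc
            if el.tag in ("signature", "x-signature")]

def has_rsa_signature(data):
    """True if the package carries the RSA signature the thread says 10.6 checks."""
    return "RSA" in signature_styles(data)

def build_sample(sigs):
    """Constructed minimal xar (header and TOC only), for demonstration."""
    body = "".join(
        f'<{tag} style="{style}"><offset>20</offset><size>256</size></{tag}>'
        for tag, style in sigs)
    toc_xml = f"<xar><toc>{body}</toc></xar>".encode()
    packed = zlib.compress(toc_xml)
    return HEADER.pack(b"xar!", HEADER.size, 1, len(packed), len(toc_xml), 1) + packed

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            pkg = f.read(MAX_TOC)  # header and TOC sit at the start of the file
    else:
        pkg = build_sample([("x-signature", "CMS")])  # constructed CMS-only sample
    print(signature_styles(pkg), "RSA present:", has_rsa_signature(pkg))
```

Run with a package path as the only argument to inspect a real build; with no argument it inspects the constructed CMS-only sample.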