We verify the signature of our install pkg files using a combination of xar calls and the crypto functions in Security framework. This has worked fine for a long time, using the productsign utility on macOS 10.11 (with Xcode 7 or 8, SDK 10.11 I think).
Now we are updating our build environment to Mojave, Xcode 10, and the 10.14 SDK. The pkg files that are signed in this environment no longer pass verification using our working code. This same code (built in the new Mojave/Xcode10/SDK10..14 env) can still verify the older pkg files. But files signed with the new productsign can't be verified with our code whether that code is built in our old or new env. Of course, pkgutil shows that all the pkg sigs are valid.
So... what changed in the new tools that would somehow create a non-verifiable signature? Is there any documentation on how pkg files are signed? Any docs on an Apple-sanctioned method for verifying pkg signatures programmatically? I'm happy to explain in more detail how we do this now, or post the code if that is needed.
TIA
Mark
