I recently had to build an installer package that used the Apple Developer ID Installer certificate. This is the first time I have signed an installer package, and I was interested to see how it worked with Gatekeeper. In PackageMaker you click on the “Configuration” tab for the installer, then click on “Certificate” to select the appropriate one. Worked exactly as they say, found the cert and added it, no problem.

Next, I tested the installer to make sure it was signed correctly. You do that in Terminal using the spctl command:

sudo spctl -a -v --type install /Users/test/Desktop/MyInstaller.pkg
Password:
/Users/test/Desktop/MyInstaller.pkg: accepted source=Developer ID

Now I ran the package on both a 10.8.2 and 10.7.5 machine. Both of these OS versions have Gatekeeper. The package ran correctly and showed that the signing certificate was correct.

Now, to be certain, I ran the package again on a 10.6.8 machine and a 10.7.4 machine, since neither of these has Gatekeeper.

On the 10.7.4 machine I get a certificate error warning. It says my certificate isn’t signed by a trusted source and asks whether I want to trust it. Looking at the certificate chain, it all seems correct. Running a signed Cisco installer on the same system does not generate the same error, even though the root signing CA is exactly the same. The installer works but has that disturbing error message.

On a 10.6.8 machine the installer runs without a certificate warning but clicking on the cert button in the installer window says the same thing as the 10.7.4 machine, that it isn’t signed by a trusted source.

Cutting to the chase, the issue is with signing the installer using the GUI version of PackageMaker. It works just fine on machines running 10.7.5 and up but gives all those errors on versions below that. To get your signed installer to work on all versions of the OS, you need to use the productsign tool at the command line. These instructions assume that you’ve already installed your Developer ID certificates.

Use the following steps to do that:

  1. Use the GUI version of PackageMaker to generate your installer but leave it unsigned.
  2. Run the following command to sign that package:
    productsign --sign "Developer ID Installer: My Company" /Users/test/Desktop/MyInstaller.pkg /Users/test/Desktop/Signed/MyInstaller.pkg
    Note: If you are signing an older-style non-distribution package, it will give you the following error:
    Could not find appropriate signing identity for "Developer ID Installer: My Company". An application signing identity (not an installer identity) is required for signing bundle-style products.

    If you get that error, use the following format instead of the one listed above:

    productsign --sign "Developer ID Application: My Company" /Users/test/Desktop/MyInstaller.pkg /Users/test/Desktop/Signed/MyInstaller.pkg

To test whether you have successfully signed the package, use the spctl command:

sudo spctl -a -v --type install /Users/test/Desktop/Signed/MyInstaller.pkg
/Users/test/Desktop/Signed/MyInstaller.pkg: accepted source=Developer ID
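
The sign-then-verify steps above as one script (an added example, not code from the original post). The function names are hypothetical, the company name and paths are passed as arguments, and it assumes productsign exits non-zero when it prints the bundle-style error.

```bash
#!/bin/bash
# Added example: sign with productsign, then gate the release on spctl.

# Return 0 only if spctl text reports an accepted Developer ID assessment.
# Matches verdict and source on one line (as in the post) or on two lines.
assessment_ok() {
    case $1 in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *"source=Developer ID"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the message is the bundle-style identity error quoted in the post.
needs_application_identity() {
    case $1 in
        *"An application signing identity (not an installer identity) is required"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sign_and_verify "My Company" unsigned.pkg signed.pkg
sign_and_verify() {
    company=$1 unsigned=$2 signed=$3
    # Assumption: productsign exits non-zero when it prints the identity error.
    if ! msg=$(productsign --sign "Developer ID Installer: $company" "$unsigned" "$signed" 2>&1); then
        if needs_application_identity "$msg"; then
            # Older bundle-style package: retry with the Application identity.
            productsign --sign "Developer ID Application: $company" "$unsigned" "$signed" || return 1
        else
            printf '%s\n' "$msg" >&2
            return 1
        fi
    fi
    # The post runs spctl under sudo; prefix it here if your system needs that.
    verdict=$(spctl -a -v --type install "$signed" 2>&1)
    printf '%s\n' "$verdict"
    assessment_ok "$verdict"
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    sign_and_verify "$@"
fi
```

The script's exit status is non-zero unless the signed package is accepted with source=Developer ID, so it can stop a build before an unsigned or wrongly signed package ships.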