Signed pkg using productbuild --distribute but codesign says "code object is not signed at all"

I am signing my package during distribution using

SIGN_IDENTITY_INSTALLER="Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)"

productbuild --distribution final-distribution.xml --package-path /tmp/installer-temp/package.pkg --resources resources --sign "$SIGN_IDENTITY_INSTALLER" "Package.pkg"

And this outputs what it's supposed to

productbuild: Signing product with identity "Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)" from keychain /Users/michael/Library/Keychains/login.keychain
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to Product.pkg

But when I go to verify the signature, nothing is there.

codesign -dv --verbose=4 Product.pkg 
Product.pkg: code object is not signed at all <----WHAT?

Am I supposed to be signing with the Developer ID Application and not the Developer ID Installer?

All certificates exist in keychain and work just fine.

Edit 1: See the certificates in the Apple Developer Portal.


Solution 1:

Use spctl, not codesign

The codesign tool does not work with package files, .pkg.

Use the spctl tool instead:

/usr/sbin/spctl --assess --ignore-cache --verbose --type install <pkg-path>

Alternatively, Installer.app

You can also check the package certificate using Installer.app:

  1. Open the package in macOS's Installer.app;
  2. Click the padlock in the top-right of the installer window.

Installer certificate in macOS
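
Added example, not part of the original answer: codesign reads code signatures embedded in bundles and Mach-O binaries, whereas a flat .pkg is a xar archive whose signature and certificate chain are stored in the archive's table of contents (TOC). The Python sketch below reads that TOC and reports what signature entries it contains; the function names, the `MAX_TOC` cap and the sample archive are assumptions made up for this illustration.

```python
import struct
import zlib
import xml.etree.ElementTree as ET

# xar header, big-endian: magic, header size, version,
# compressed TOC length, uncompressed TOC length, checksum algorithm.
XAR_HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 16 * 1024 * 1024  # assumed cap so a hostile TOC cannot exhaust memory


def read_toc(data):
    """Return the parsed XML table of contents of a xar archive."""
    if len(data) < XAR_HEADER.size:
        raise ValueError("too short to be a xar archive")
    magic, hdr_size, _ver, clen, ulen, _alg = XAR_HEADER.unpack_from(data)
    if magic != b"xar!":
        raise ValueError("not a xar archive (flat .pkg files start with 'xar!')")
    blob = data[hdr_size:hdr_size + clen]
    xml = zlib.decompressobj().decompress(blob, MAX_TOC)
    if len(xml) != ulen:
        raise ValueError("TOC length does not match the header")
    # For untrusted packages, defusedxml.ElementTree is a safer parser.
    return ET.fromstring(xml)


def pkg_signatures(data):
    """List (element, style, certificate count) for each signature in the TOC."""
    found = []
    for el in read_toc(data).iter():
        if el.tag in ("signature", "x-signature"):
            certs = [c for c in el.iter() if c.tag.endswith("X509Certificate")]
            found.append((el.tag, el.get("style"), len(certs)))
    return found


def make_sample_xar(signed):
    """Constructed sample: header and TOC only, placeholder certificate text."""
    sig = ""
    if signed:
        certs = "<X509Certificate>PLACEHOLDER</X509Certificate>" * 3
        sig = ('<signature style="RSA"><offset>20</offset><size>256</size>'
               '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
               f"<X509Data>{certs}</X509Data></KeyInfo></signature>")
    toc = f"<xar><toc>{sig}<file id='1'><name>Distribution</name></file></toc></xar>"
    packed = zlib.compress(toc.encode())
    header = XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(packed), len(toc), 1)
    return header + packed


if __name__ == "__main__":
    print(pkg_signatures(make_sample_xar(signed=True)))
```

This only shows that a signature entry is present and how many certificates accompany it; it does not validate the chain or the signed data, which is what the spctl assessment above is for.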