Signed pkg using productbuild --distribute but codesign says "code object is not signed at all"
I am signing my package during distribution using
SIGN_IDENTITY_INSTALLER="Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)"
productbuild --distribution final-distribution.xml --package-path /tmp/installer-temp/package.pkg --resources resources --sign "$SIGN_IDENTITY_INSTALLER" "Package.pkg"
And this outputs what it's supposed to
productbuild: Signing product with identity "Developer ID Installer: Pxxxxxxx, LLC (AXXXXXXXXX)" from keychain /Users/michael/Library/Keychains/login.keychain
productbuild: Adding certificate "Developer ID Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to Product.pkg
But when I go to verify the signature nothing is there.
codesign -dv --verbose=4 Product.pkg
Product.pkg: code object is not signed at all <----WHAT?
Am I supposed to be signing with the Developer ID Application and not the Developer ID Installer?
All certificates exist in keychain and work just fine.
Edit 1 See the certificates in the Apple Developer Portal.
Solution 1:
Use spctl, not codesign
The codesign tool does not work with package files, .pkg.
Use the spctl tool instead:
/usr/sbin/spctl --assess --ignore-cache --verbose --type install <pkg-path>
Alternatively, Installer.app
You can also check the package certificate using Installer.app:
- Open the package in macOS's Installer.app;
- Click the padlock in the top-right of the installer window.
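The spctl check above can be turned into a release gate that also confirms who signed the package. This is an added example, not part of the original answer. The function names and the sample identity are hypothetical, and the parser assumes spctl at `-vv` prints a `<path>: accepted` line followed by an `origin=` line.

```shell
#!/bin/sh
# Added example: gate a release on the Gatekeeper assessment of a signed .pkg.
# check_assessment and verify_pkg are illustrative names, not Apple tooling.

# check_assessment EXPECTED_ORIGIN
# Reads the text printed by `spctl --assess -vv --type install` on stdin.
# Returns 0 only when the package was accepted AND the origin line names
# exactly the expected "Developer ID Installer: ..." identity.
check_assessment() {
    expected=$1
    accepted=no
    origin=
    while IFS= read -r line; do
        case $line in
            *": accepted") accepted=yes ;;
            *": rejected"*) accepted=no ;;
            origin=*) origin=${line#origin=} ;;
        esac
    done
    [ "$accepted" = yes ] || { echo "not accepted by Gatekeeper" >&2; return 1; }
    case $origin in
        "Developer ID Installer: "*) ;;
        *) echo "origin is not an Installer identity: $origin" >&2; return 2 ;;
    esac
    [ "$origin" = "$expected" ] || { echo "unexpected signer: $origin" >&2; return 3; }
}

# verify_pkg PKG EXPECTED_ORIGIN  (macOS only: needs /usr/sbin/spctl)
verify_pkg() {
    # spctl writes its verdict to stderr, so merge it into the pipe.
    /usr/sbin/spctl --assess --ignore-cache -vv --type install "$1" 2>&1 |
        check_assessment "$2"
}

# Run as: sh verify-pkg.sh Product.pkg "Developer ID Installer: Name (TEAMID)"
if [ "$#" -eq 2 ]; then
    verify_pkg "$1" "$2"
fi
```

Exit status 1 means Gatekeeper rejected the package, 2 means it was signed with something other than a Developer ID Installer identity, and 3 means the Installer identity is not the expected one.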