Verify code signature of a package installer

On macOS when you open an app downloaded from the internet Gatekeeper automatically verifies the code signature and in case of any problem warns you and blocks the app. As far as I understand that only happens for applications (.app extension) and Gatekeeper won't do the same for package installers (.pkg extension).

I decided to do an experiment to check that. I used a package installer (1Password-7.8.pkg) with a valid signature and removed the signature completely, essentially I did the following:

  1. pkgutil --expand 1Password-7.8.pkg Unsigned.unpkg
  2. pkgutil --flatten Unsigned.unpkg Unsigned.pkg
  3. pkgutil --check-signature Unsigned.pkg

The output of the 3 step is:

Package "Unsigned.pkg":
   Status: no signature

Then I double-clicked on the Unsigned.pkg and was able to do the installation without any warning or blocking from the Gatekeeper. That experiment proves that Gatekeeper doesn't verify the code signature of a package installer (.pkg extension) automatically, am I right?

If the assumption above is current, it leads to the second question. How do I verify the signature of a package installer manually before running it?

Apple has a great article on how to check the signature of a package installer: https://support.apple.com/en-us/HT202369: you simply need to open the installer and click on the padlock in the upper-right corner. This works smoothly in most cases. But if an installer contains the pre-install script, when you open the installer you see a popup with the text "This package will run a program to determine if the software can be installed." the popup looks like this: enter image description here In that case, the padlock is grayed-out and you can't click on it until you click "Allow". The problem is when you click "Allow" the pre-install script will run and it means that you are running some kind of a script before checking its authenticity. Usually, the pre-install script only checks the requirements and compatibility as stated in the popup title. But potentially it can do arbitrary stuff e.g. the zoom installer case: https://twitter.com/c1truz_/status/1244737672930824193

So is there an option to verify the code signate of a package installer from the GUI before running it or Apple just missed that case and I need to submit a feature request to them?

Of course, you can always verify the signature from the terminal like that: `pkgutil --check-signature, but running that command for any package installer downloaded from the internet doesn't seem right and there should a native and more convenient way to do that.

Thanks!


There is no current way to verify the signature using Installer.app before accepting the pre-flight script. This is a long standing oversight by Apple's engineers.

Please provide feedback or, if you are a developer, formally report this problem to Apple.