I am struggling for the past 2 weeks with publishing the .pkg.
If I execute codesign -dvv app-version.pkg
I get app-version.pkg: code object is not signed at all
Then I want to sign it with productsign --sign "3rd Party Mac Developer Installer: xxx (yyy)" ./app-version.pkg ./app-version-signed.pkg
The output is:
productsign: signing product with identity "3rd Party Mac Developer Installer: xxx (yyy)" from keychain /Users/<user>/Library/Keychains/login.keychain-db
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./app-version-signed.pkg
When I check my codesign with codesign -dvv app-version-signed.pkg, I get the same result.
app-version-signed.pkg: code object is not signed at all
We are using electron-builder to build the pkg, but the pkg is not signed yet. The app is signed with Developer ID Application and 3rd Party Mac Developer Application.
Short answer: use pkgutil --check-signature instead of codesign -dvv.
Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them & check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature.
When you use codesign -dvv on a package, it's looking for its format of signature, and indeed there isn't one there.
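Added example (not from the answer's author): a POSIX sh check that verifies a flat package the way the answer describes, with pkgutil --check-signature rather than codesign, and fails unless the expected installer identity is the leaf certificate. The layout of pkgutil's output (a Status line and a numbered Certificate Chain) is assumed from memory of recent macOS, and the sample outputs are constructed.

```shell
#!/bin/sh
# Verify a flat .pkg with pkgutil (codesign does not understand this format)
# and require a specific signing identity as the leaf certificate.
# Assumed layout of `pkgutil --check-signature` output (approximation):
#   Package "name.pkg":
#      Status: signed by a certificate trusted by macOS
#      Certificate Chain:
#       1. 3rd Party Mac Developer Installer: xxx (yyy)

# check_pkgutil_output OUTPUT EXPECTED_IDENTITY
# Returns 0 only if the Status line reports a trusted signature and the
# expected identity is certificate 1 (the leaf) in the chain.
check_pkgutil_output() {
    out=$1
    want=$2
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$status" in
        "signed by a certificate trusted by"*) ;;
        *) echo "unsigned or untrusted: ${status:-no Status line}" >&2; return 1 ;;
    esac
    leaf=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1)
    if [ "$leaf" != "$want" ]; then
        echo "unexpected leaf certificate: '${leaf:-none}'" >&2
        return 1
    fi
    return 0
}

# check_pkg PKG EXPECTED_IDENTITY: runs the real tool (macOS only), e.g.
#   check_pkg ./app-version-signed.pkg "3rd Party Mac Developer Installer: xxx (yyy)"
check_pkg() {
    check_pkgutil_output "$(pkgutil --check-signature "$1" 2>&1)" "$2"
}

# Constructed sample outputs so the parser can be exercised offline.
SIGNED_SAMPLE='Package "app-version-signed.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: xxx (yyy)
       Expires: 2026-01-01 00:00:00 +0000
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA'

UNSIGNED_SAMPLE='Package "app-version.pkg":
   Status: no signature'
```

In a release pipeline, call check_pkg on the productsign output right after signing so an unsigned or wrongly signed package fails the build instead of reaching upload.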