I am struggling for the past 2 weeks with publishing the .pkg.

If I execute codesign -dvv app-version.pkg

I get app-version.pkg: code object is not signed at all

Then I want to sign it with productsign --sign "3rd Party Mac Developer Installer: xxx (yyy)" ./app-version.pkg ./app-version-signed.pkg

The output is:

productsign: signing product with identity "3rd Party Mac Developer Installer: xxx (yyy)" from keychain /Users/<user>/Library/Keychains/login.keychain-db
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./app-version-signed.pkg

When I check my codesign with codesign -dvv app-version-signed.pkg, I get the same result. app-version-signed.pkg: code object is not signed at all

We are using electron-builder to build the pkg but the pkg is not signed yet. The app is signed with Developer ID application and 3rd Party Mac Developer Application.

CodePudding user response：

Short answer: use pkgutil --check-signature instead of codesign -dvv.

Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them & check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature.

When you use codesign -dvv on a package, it's looking for its format of signature, and indeed there isn't one there.