Reply to spctl --type install rejects notarized .pkg on macOS 26 Tahoe (26.3)
Thank you Quinn! Here's the direct download link to the installer package: https://github.com/Nakanokappei/window-resize/releases/download/v2.0/Window.Resize.pkg

This is a Developer ID Installer–signed and notarized .pkg built with productbuild --sign. The .zip distribution of the same app passes Gatekeeper without issue. For reference, here's what I see:

```sh
# Signature is valid
pkgutil --check-signature Window\ Resize.pkg
# → signed by Developer ID Installer certificate

# Notarization succeeded
xcrun stapler validate Window\ Resize.pkg
# → The validate action worked!

# But spctl rejects it
spctl -a --type install Window\ Resize.pkg
# → rejected

# syspolicyd log shows
# meetsDeveloperIDLegacyAllowedPolicy = 0
```

The productbuild --sign does emit "Warning: unable to build chain to self-signed root" but security verify-cert confirms the cert chain is valid. Happy to file a bug with the .pkg attached if that's easier for you.
Topic: Code Signing SubTopic: Notarization Tags:
Mar ’26
Reply to spctl --type install rejects notarized .pkg on macOS 26 Tahoe (26.3)
Thank you, Quinn.

Regarding the warning: security verify-cert -c /path/to/cert confirms the Developer ID Installer certificate chain is valid (no errors). The "unable to build chain to self-signed root" warning appears with both productbuild --sign and productsign, but the resulting signature passes pkgutil --check-signature and notarytool accepts it. The same team's Developer ID Application certificate signs the .app inside a ZIP without any issues — that ZIP passes Gatekeeper on the same machine.

Regarding cross-over testing: Unfortunately I only have access to macOS 26.3 (beta 3) at the moment, so I cannot test the cross-over cases right away. However, here is what I can confirm on macOS 26.3 alone:

| Step | Result |
| --- | --- |
| pkgutil --check-signature | Signed with Developer ID Installer, valid |
| notarytool submit | Accepted |
| stapler validate | Valid |
| spctl -a --type install | Rejected |
| syspolicyd log | meetsDeveloperIDLegacyAllowedPolicy = 0 |

The .app (via ZIP) is signed with Developer ID Application from the same team and passes spctl -a --type exec with no issues. Only the .pkg path is affected. Could this be a Gatekeeper regression specific to --type install evaluation on macOS 26.3?
Topic: Code Signing SubTopic: Notarization Tags:
Mar ’26
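The two replies above run the same three checks by hand (pkgutil --check-signature, xcrun stapler validate, spctl -a --type install) and then look at the syspolicyd log. The script below is an added example, not code from the thread or from the window-resize project: it wraps those checks in one triage function and turns the three exit statuses into a verdict, so that "signed and stapled but Gatekeeper still rejects" is reported distinctly from a bad signature or a missing staple. It assumes each tool exits nonzero when its check fails, and the verdict labels are my own naming; the tool invocations only work on macOS, while the verdict function is plain POSIX shell.

```shell
#!/bin/sh
# Added example (not from the forum thread): defender-side triage of a
# Developer ID .pkg using the same three checks the poster ran.

# verdict SIG STAPLE SPCTL
#   Each argument is the exit status (0 = success) of, in order,
#   pkgutil --check-signature, xcrun stapler validate, spctl -a --type install.
#   Prints one of: signature-invalid, not-stapled, policy-rejected, accepted.
verdict() {
  sig="$1"; staple="$2"; policy="$3"
  if [ "$sig" -ne 0 ]; then
    echo "signature-invalid"      # fix signing before looking at anything else
  elif [ "$staple" -ne 0 ]; then
    echo "not-stapled"            # notarization ticket missing or not attached
  elif [ "$policy" -ne 0 ]; then
    echo "policy-rejected"        # the case in this thread: valid sig + staple, spctl still says no
  else
    echo "accepted"
  fi
}

# run_check NAME CMD...: run CMD quietly, print NAME and its exit status, return it.
run_check() {
  name="$1"; shift
  if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
  printf '%-28s exit=%s\n' "$name" "$status"
  return "$status"
}

# triage_pkg PATH: run the three checks on a .pkg and print a verdict.
# Requires macOS (pkgutil, xcrun, spctl); hypothetical helper, not an Apple tool.
triage_pkg() {
  pkg="$1"
  if [ ! -f "$pkg" ]; then
    echo "no such file: $pkg" >&2
    return 2
  fi
  run_check "pkgutil --check-signature" pkgutil --check-signature "$pkg"; sig=$?
  run_check "xcrun stapler validate" xcrun stapler validate "$pkg"; staple=$?
  run_check "spctl -a --type install" spctl -a --type install "$pkg"; policy=$?

  v=$(verdict "$sig" "$staple" "$policy")
  echo "verdict: $v"
  if [ "$v" = "policy-rejected" ]; then
    # Signature and staple are fine, so the answer is in syspolicyd's assessment.
    echo "next: log show --predicate 'process == \"syspolicyd\"' --last 5m"
  fi
}

# Usage: ./triage.sh "Window Resize.pkg"
if [ -n "${1:-}" ]; then
  triage_pkg "$1"
fi
```

Because the verdict is derived from exit statuses rather than by scraping tool output, the same script keeps working if Apple changes the wording of "rejected" or "The validate action worked!"; the one thing it cannot see is the meetsDeveloperIDLegacyAllowedPolicy flag, which is why it points at the syspolicyd log in the policy-rejected case.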