codesign --force --sign "iPhone Distribution: me (...)" AA.dmg
=> This works and the dmg file is signed, but when I open it I get "AA can't be opened because it is from an unidentified developer",
even though the certificate was applied correctly and is in my keychain; the root CA is Apple CA.
When I verify the dmg:
spctl -a -t open --context context:primary-signature --verbose=4 -v "AA.dmg"
AA.dmg: rejected
origin=iPhone Distribution: me (...)
So how can I sign my dmg file so that my customers get no warning?