I'm fairly new to the process of notarizing apps and have created a program using Python and PyInstaller. I’m able to upload the zip file to Apple for notarization via the command
xcrun altool --notarize-app -f /Users/Desktop/dist/myapp.zip --primary-bundle-id ######7RBW -u my_emailaddress -p '@keychain:Python Notarization'
where ###### denotes the first six characters of my Developer ID Application and "Python Notarization" is the name of my Developer ID listed on my keychain. (I don’t understand what each portion of the above command does, but it seems to work.) I’m also able to run the notarized program on a different computer.
Now I wish to sign and notarize the installer package. I added a 3rd Party Mac Developer Installer certificate to my keychain. (Its ID number is the same as the developer one.) The keychain indicates the certificate is “trusted for this account.”
To sign the package I tried using
productsign --sign 'My Name (######7RBW)' /Users/Desktop/dist/my_app.pkg /Users/Desktop/dist/my_app_signed.pkg
The result included the warning message
Warning: unable to build chain to self-signed root for signer "3rd Party Mac Developer Installer: My Name (######7RBW)"
I then tried to check the signature using
pkgutil --check-signature /Users/Desktop/dist/my_app_signed.pkg
This resulted in
Package "my_app_signed.pkg":
Status: signed by a certificate that has since expired
Certificate Chain:
1. 3rd Party Mac Developer Installer: My Name (######7RBW)
Expires: 2023-01-13 17:17:55 +0000
SHA256 Fingerprint:
46 1A 51 B5 1F 21 81 90 CE 24 DB 86 79 1E F8 90 08 54 A2 CB D1 2E
E7 0E 99 C1 BD 46 A4 42 19 9E
I see my_app_signed.pkg was created, but, based upon the last output above, and the fact I cannot install the program using this installer, something is definitely wrong.
I sense the problem lies with the 3rd Party Mac Developer Installer on my keychain. I must have done something wrong. Among other things, the certificate should not be expired since I obtained my Developer's account only six months ago.
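
Added example, not part of the original post: a Python check that parses the pkgutil --check-signature output quoted above and lists reasons a release job could refuse the package. The function names, the rule that a one-entry chain counts as a problem, and the now argument are assumptions of this example; the sample text is the post's output, re-indented.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the pkgutil output quoted in the post.
SAMPLE = """\
Package "my_app_signed.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: My Name (######7RBW)
       Expires: 2023-01-13 17:17:55 +0000
       SHA256 Fingerprint:
           46 1A 51 B5 1F 21 81 90 CE 24 DB 86 79 1E F8 90 08 54 A2 CB D1 2E
           E7 0E 99 C1 BD 46 A4 42 19 9E
"""

def parse_check_signature(text):
    """Return (status, chain); chain is a list of {'name', 'expires'} dicts."""
    status, chain = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            status = line[len("Status:"):].strip()
        elif m := re.match(r"(\d+)\.\s+(.*)", line):
            # Numbered entries are certificates, leaf first.
            chain.append({"name": m.group(2), "expires": None})
        elif line.startswith("Expires:") and chain:
            chain[-1]["expires"] = datetime.strptime(
                line[len("Expires:"):].strip(), "%Y-%m-%d %H:%M:%S %z")
    return status, chain

def findings(text, now=None):
    """List reasons to stop before shipping or notarizing this package."""
    now = now or datetime.now(timezone.utc)
    status, chain = parse_check_signature(text)
    problems = []
    if status is None or "expired" in status or "no signature" in status:
        problems.append(f"status: {status}")
    if len(chain) < 2:
        # Matches the productsign warning: no issuer above the signer.
        problems.append("chain stops at the signing certificate")
    for cert in chain:
        if cert["expires"] and cert["expires"] <= now:
            problems.append(f"expired: {cert['name']}")
    return problems

if __name__ == "__main__":
    for problem in findings(SAMPLE):
        print(problem)
```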