spctl --type install rejects notarized .pkg on macOS 26 Tahoe (26.3)

Question

Created 1d

Replies 2

Boosts 0

Participants 2

I'm distributing a macOS .pkg installer signed with Developer ID Installer and notarized via notarytool. On macOS 26.3 (Tahoe, Build 25D125), the package is rejected by Gatekeeper when downloaded from the internet.

What works:

pkgutil --check-signature → signed, Developer ID Installer, full chain (G2 intermediate + Apple Root CA)
xcrun stapler validate → "The validate action worked!"
xcrun notarytool info <id> → status: Accepted
The .app inside the .pkg passes spctl -a -vvv → "accepted, source=Notarized Developer ID"

What fails:

spctl -a -vvv --type install mypackage.pkg → rejected, origin=Developer ID Installer
Raw assessment: assessment:remote = true, assessment:verdict = false
Double-clicking the downloaded .pkg shows only "Move to Trash" / "Done" (no "Open" option)
syspolicyd log: meetsDeveloperIDLegacyAllowedPolicy = 0 (expected, since the cert is new), but no "notarized" match is logged

Certificate details:

Developer ID Installer, issued Feb 28, 2026, valid until 2031
OID 1.2.840.113635.100.6.1.14 (Developer ID Installer) — critical
OID 1.2.840.113635.100.6.1.33 — timestamp 20260215000000Z
Intermediate: Developer ID Certification Authority G2 (OID 1.2.840.113635.100.6.2.6)
security verify-cert → certificate verification successful

Build process:

productbuild --distribution ... --sign <SHA1> (also tried productsign)
Both produce: Warning: unable to build chain to self-signed root
xcrun notarytool submit → Accepted
xcrun stapler staple → worked

Workaround: xattr -d com.apple.quarantine ~/Downloads/mypackage.pkg allows opening the installer.

Question: Is spctl --type install assessment expected to work differently on macOS 26 Tahoe? The same signing and notarization workflow produces .app bundles that pass Gatekeeper, but .pkg installers are rejected. Is there a new requirement for .pkg distribution on macOS 26?

Environment: macOS 26.3 (25D125), Xcode CLT 26.3

Boost

Answer 1

DTS Engineer OP

Apple

19h

Both produce: Warning: unable to build chain to self-signed root

Hmmm, that doesn’t sound good.

Have you tried testing the cross-over cases? That is:

Building on macOS 26.3 and trying to install on macOS 26.2
Building on macOS 26.2 and trying to install on macOS 26.3

Those will let you determine whether this is a build problem or an install problem.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

kappie OP

16h

Thank you, Quinn.

Regarding the warning: security verify-cert -c /path/to/cert confirms the Developer ID Installer certificate chain is valid (no errors). The "unable to build chain to self-signed root" warning appears with both productbuild --sign and productsign, but the resulting signature passes pkgutil --check-signature and notarytool accepts it. The same team's Developer ID Application certificate signs the .app inside a ZIP without any issues — that ZIP passes Gatekeeper on the same machine.

Regarding cross-over testing: Unfortunately I only have access to macOS 26.3 (beta 3) at the moment, so I cannot test the cross-over cases right away.

However, here is what I can confirm on macOS 26.3 alone:

StepResult

`pkgutil --check-signature`	Signed with Developer ID Installer, valid
`notarytool submit`	Accepted
`stapler validate`	Valid
`spctl -a --type install`	Rejected
`syspolicyd` log	`meetsDeveloperIDLegacyAllowedPolicy = 0`

The .app (via ZIP) is signed with Developer ID Application from the same team and passes spctl -a --type exec with no issues. Only the .pkg path is affected.

Could this be a Gatekeeper regression specific to --type install evaluation on macOS 26.3?

0