Developer ID Installer cert not usable for pkg signing (no Code Signing / 0 identities)

Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed.

We tried signing with a Developer ID Installer certificate, but:

  security find-identity -p codesigning -v → 0 valid identities
  security find-identity -v → shows the cert

The private key is present in the Keychain.

OpenSSL check shows: X509v3 Extended Key Usage: Critical

(Expected one might be: Code Signing)

We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result.

Question: Why is the Developer ID Installer cert missing the Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue?

Thanks!

Answered by DTS Engineer in 884330022
Why is the Developer ID Installer cert missing Code Signing usage … ?

Because it’s not used for signing code. Apple issues two types of Developer ID certificates:

  • Developer ID Application, for signing code and (weirdly) disk images
  • Developer ID Installer, for signing installer packages

If you run security find-identity and apply the code signing filter, you’ll only see the first type.

There’s a bunch more advice on this topic in Packaging Mac software for distribution.

Also, whenever I talk about Developer ID signing identities I like to stress that they are precious. See The Care and Feeding of Developer ID for more about that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
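The distinction in the answer above is easy to check in a script. The following is an added example, not code from the original thread or from Apple: it parses the output of `security find-identity -v` and picks the identity that matches what you are about to sign (a `.pkg` needs a Developer ID Installer identity and `productsign`; an app, binary or disk image needs a Developer ID Application identity and `codesign`). The sample output is constructed (the SHA-1 hashes and "Example Corp (ABCDE12345)" are made up); the classification relies on Apple's certificate common names starting with "Developer ID Application:" or "Developer ID Installer:". `run_find_identity()` is an optional helper that calls the real tool on macOS and is not needed to run the rest offline.

```python
"""Pick the right Developer ID identity for the artifact you are signing.

Added example, not Apple's code. Parses `security find-identity -v` output and
maps .pkg -> Developer ID Installer (productsign) and everything else that is
code (or a disk image) -> Developer ID Application (codesign).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `security find-identity -v` output. Hashes, company
# name and Team ID are invented; only the line shape matters to the parser.
SAMPLE_OUTPUT = """Policy: X.509 Basic
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Installer: Example Corp (ABCDE12345)"
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Installer: Example Corp (ABCDE12345)"
     2 valid identities found
"""

# One identity line:   1) <40 hex SHA-1> "<certificate common name>"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.+)"\s*$')


@dataclass(frozen=True)
class Identity:
    sha1: str
    name: str  # full common name, e.g. 'Developer ID Installer: Example Corp (ABCDE12345)'

    @property
    def kind(self) -> Optional[str]:
        """'application', 'installer', or None for anything that is not Developer ID."""
        if self.name.startswith("Developer ID Application:"):
            return "application"
        if self.name.startswith("Developer ID Installer:"):
            return "installer"
        return None


def parse_identities(output: str) -> List[Identity]:
    """Return the identities listed under 'Valid identities only' (all, if that header is absent)."""
    marker = "Valid identities only"
    text = output.split(marker, 1)[1] if marker in output else output
    seen, found = set(), []
    for line in text.splitlines():
        m = IDENTITY_RE.match(line)
        if m and m.group(1).upper() not in seen:
            seen.add(m.group(1).upper())
            found.append(Identity(m.group(1).upper(), m.group(2)))
    return found


# Which Developer ID flavour signs which artifact. Disk images are signed with
# codesign and the Application identity, as the answer above points out.
ARTIFACT_KIND = {"pkg": "installer", "app": "application", "binary": "application", "dmg": "application"}


def pick_identity(identities: List[Identity], artifact: str) -> Identity:
    """Return the first valid identity of the right type, or raise if the keychain has none."""
    kind = ARTIFACT_KIND[artifact]
    for ident in identities:
        if ident.kind == kind:
            return ident
    raise LookupError(f"no valid 'Developer ID {kind.capitalize()}' identity for a .{artifact}; "
                      "check `security find-identity -v -p basic` (not -p codesigning)")


def signing_command(identities: List[Identity], artifact: str, src: str, dst: Optional[str] = None) -> List[str]:
    """Build the argv you would run on macOS for this artifact."""
    ident = pick_identity(identities, artifact)
    if artifact == "pkg":
        # productsign writes a new signed package; it does not sign in place.
        out = dst or src[: -len(".pkg")] + "-signed.pkg" if src.endswith(".pkg") else (dst or src + ".signed")
        return ["productsign", "--sign", ident.name, "--timestamp", src, out]
    cmd = ["codesign", "--sign", ident.name, "--timestamp"]
    if artifact in ("app", "binary"):
        cmd += ["--options", "runtime"]  # hardened runtime, required for notarization of code
    return cmd + [src]


def run_find_identity() -> str:
    """On macOS, list identities under the basic policy (so Installer certs are not filtered out)."""
    return subprocess.run(["security", "find-identity", "-v", "-p", "basic"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    ids = parse_identities(SAMPLE_OUTPUT)
    for art, path in (("pkg", "MyApp.pkg"), ("dmg", "MyApp.dmg"), ("app", "MyApp.app")):
        print(" ".join(signing_command(ids, art, path)))
```

Note the `-p basic` in `run_find_identity`: the `-p codesigning` filter the question used only matches certificates whose extended key usage is Code Signing, which is exactly what a Developer ID Installer certificate does not carry, so the Installer identity disappears from that listing even though it is perfectly valid for `productsign`.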
