Question

I have a plug-in which, according to the guidelines, need not be signed, but I also have a pkg installer (which installs the plug-in) which has to be signed. So I signed both my plug-in and pkg file, to be on the safer side. Since there is no check for plug-ins, I haven't seen any issues. But I have issues with my pkg installer. I signed my pkg installer on 10.6.8 so that I can reuse it on 10.5, 10.6, 10.7 and 10.8. I used the following command:

productsign --sign "Developer ID Installer: My Company" /Volumes/code/MyInstaller.pkg "/Volumes/code/My Installer.pkg"

The logs displayed by productsign were encouraging:

productsign: signing product with identity "Developer ID Installer: My Company" from keychain /Users/vishveshk/Library/Keychains/login.keychain
productsign: adding intermediate certificate "Developer ID Certification Authority"
productsign: Wrote signed product archive to /Volumes/code/My Installer.pkg

When I checked it on 10.8 using

sudo spctl -a -v "My Installer.pkg"

The result was bad

My Installer.pkg: rejected
source=no usable signature

I signed my plug-in on the same machine and it seems to be working fine. Am I doing anything wrong? Any insights on this will be useful.


Solution

I ran into the same problem. The issue is that your spctl command line is wrong. According to Apple's documentation here, you need to specify the type, like so:

spctl -a -v --type install MyPackageName.pkg

Chances are that your signed package works fine under Mountain Lion. It was just the problematic command line that misled you into thinking that there was a signature problem.
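The check described in this answer, as an added example that is not part of the original post: spctl assesses code execution unless told otherwise, so a small wrapper can pick `--type` from the file extension and, for packages, also ask pkgutil for the certificate chain. The function names `assessment_type` and `gatekeeper_check` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# Map an artifact path to the spctl assessment type it needs.
# Installer packages need "install"; app bundles use "execute" (spctl's default).
assessment_type() {
    case "$1" in
        *.pkg|*.mpkg)  echo install ;;
        *.app|*.app/)  echo execute ;;
        *)             return 1 ;;
    esac
}

# Run the Gatekeeper assessment with the matching type.
# Returns 2 for an unrecognised artifact, 3 when spctl is unavailable,
# otherwise spctl's own exit status (0 = accepted).
gatekeeper_check() {
    target=$1
    atype=$(assessment_type "$target") || {
        echo "cannot pick an assessment type for: $target" >&2
        return 2
    }
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only works on macOS" >&2
        return 3
    fi
    # Quote the path so names such as "My Installer.pkg" stay one argument.
    spctl -a -v --type "$atype" "$target" || return $?
    # For packages, also show the signing certificate chain.
    if [ "$atype" = install ]; then
        pkgutil --check-signature "$target"
    fi
}

# Stand-alone use: ./check.sh "My Installer.pkg"
if [ "$#" -gt 0 ]; then
    gatekeeper_check "$1"
fi
```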

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow