Correct way to sign a .pkg on mac?


I have a .pkg that I created to distribute my company's software, but when they download it from other mac it says "It can not be opened because it comes from an unidentified developer", the pkg is signed with a valid certificate of the type App Store Installer with the tool productsign , the certificate appears correctly in the upper right part of the .pkg and is valid, opens without any problem, except when you download it from the internet, is there any other way to sign or avoid that?

asked by Angel Montes de Oca 20.09.2017 в 18:09

1 answer


What I did was change the certificate type to one of the Developer ID Installer type:

  • Go to, and click on Certificates, IDs & Profiles.
  • In the sidebar, select OS X from the menu, and under Certificates, select ALL.
  • Click on the (+) button at the top right.
  • Select Developer ID under Production, and click Continue.
  • Select the type of certificate -Developer ID Application or Developer ID Installer- and click Continue.
  • Follow the instructions to create a "certificate signing request (CSR)" using Keychain Access, and click Continue.
  • Click on Choose File.
  • Select a CSR file (with a .certSigningRequest extension), and click Choose.
  • Click on Continue.
  • Click on download (Download).

    EYE: Only the Team Agent can create this type of certificate, if not   You are the Team Agent, even if you are an Admin user, you can not create it,   communicate with your Team Agent and send your CSR file so you can   generate the certificate.

    Once this is done, double-click the certificate (previously downloaded) to add it to Keychain Access and proceed to sign your .pkg with the productsign (1) tool as follows (Terminal):
    productsign [options] --sign identity input-product-path output-product-path


    productsign --sign "Nombre de tu Certificado en Keychain Access" ruta-de-entrada-al-pkg ruta-de-salida-al-pkg
    answered by 21.09.2017 / 18:19