Signing macOS packages

Learn how to sign macOS packages (PKG) using a Developer ID Installer certificate, either through the command line or Xcode, ensuring they are verifiable on the client.

To sign macOS packages, you’ll require an appropriate certificate, such as a TLS/SSL certificate with signing usage, which must be verifiable on the client. Typically, a Developer ID Installer certificate is used for this purpose, obtained from an Apple Developer account.

However, third-party certificates meeting these criteria are also acceptable. If you don’t have a certificate and intend to use an Apple Developer account, you can commence the signup process on Apple’s website.

If utilizing an Apple Developer account, certificates can be generated by linking your Developer account to Xcode and exporting the certificate file from Xcode. Alternatively, you can log in to your Apple Developer account online and download the certificate through a web browser.

When creating the certificate, ensure that the certificate type is designated as a Developer ID Installer certificate and confirm that it is saved to your macOS Keychain.

Once you obtain your certificate, there are several methods available for signing the macOS PKG.

Signing PKGs with Terminal and Command Line

This method uses the productsign command.

1. Open Keychain Access

First, open Keychain Access on macOS and find the certificate. If you’re using an Apple certificate, it should start with Developer ID Installer: … followed by your Apple Developer account name, and end with a serial number in parentheses.

2. Open Terminal and Run the Command

Next, open the Terminal. The command to sign the package should look something like this:

productsign --sign "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" ~/Desktop/example.pkg ~/Desktop/signed-example.pkg

The text within quotes after --sign should be the Common Name of your certificate. The first argument (~/Desktop/example.pkg) indicates the current location of the unsigned package on your computer, while the second argument (~/Desktop/signed-example.pkg) is where you want to save your signed package.

3. Verify the Signed Package

Once done, run the command. If it works, you should see something similar to the following printed out in Terminal:

productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Your Developer Name (1A2B3C4D5E)" from keychain /Users/sdeveloper/Library/Keychains/login.keychain-db
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to /Users/sdeveloper/Downloads/munkitools_signed-3.2.0.3476.pkg

Verify that the signed package is located at the destination you specified.
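A script covering steps 2 and 3 together, added here as an example and not part of the original page: it runs productsign, checks that the identity reported in its output is exactly the one requested, then looks for that identity in the certificate chain printed by pkgutil --check-signature. The function names are hypothetical, and the pkgutil check goes beyond the commands the page itself shows.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# Pull the identity out of productsign's
# 'signing product with identity "..." from keychain ...' line (step 3 output).
signer_from_log() {
    sed -n 's/^productsign: signing product with identity "\(.*\)" from keychain .*$/\1/p'
}

# Sign $2 into $3 with identity $1, then confirm who signed the result.
sign_and_verify() {
    identity=$1
    unsigned=$2
    signed=$3

    # Keep the unsigned original; never sign in place.
    if [ "$unsigned" = "$signed" ]; then
        echo "input and output paths must differ" >&2
        return 1
    fi

    # productsign exits non-zero on failure; keep its output for inspection.
    if ! log=$(productsign --sign "$identity" "$unsigned" "$signed" 2>&1); then
        printf '%s\n' "$log" >&2
        return 1
    fi

    # The identity productsign reports must be exactly the one requested.
    used=$(printf '%s\n' "$log" | signer_from_log)
    if [ "$used" != "$identity" ]; then
        echo "signed with unexpected identity: $used" >&2
        return 1
    fi

    # The signed file must exist and be non-empty.
    [ -s "$signed" ] || { echo "missing output: $signed" >&2; return 1; }

    # pkgutil --check-signature prints the certificate chain of the package;
    # require the requested identity to appear in it.
    chain=$(pkgutil --check-signature "$signed") || return 1
    printf '%s\n' "$chain" | grep -F -q -- "$identity"
}

# Run directly: ./sign.sh "<identity>" unsigned.pkg signed.pkg
if [ "$#" -eq 3 ]; then
    sign_and_verify "$@"
fi
```

Pass the full Common Name as the identity, since the comparison against productsign's output is an exact string match.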

Signing using Xcode

If you build your macOS PKG in Xcode and your Apple Developer account is linked, Xcode can automatically request a certificate from your Developer account and use it as the signing certificate for the package during the build and archive phases. We recommend referring to Apple’s documentation for more detailed instructions.

Tip

Ensure that you choose Developer ID Installer from the dropdown list for the Signing Certificate setting when using this approach. This option can be found under the Signing section of the General Settings tab.