madefresh_dave

Q: spctl accepted, installer rejected certificate

I'm having difficulties generating a Package installer using my Developer ID Installer certificate. More precisely, it seems that spctl has no problem with the certificate while the "installer" app thinks it is untrusted. Here is some command-line output:

 

ekscrypto-2:Release ekscrypto$ pkgutil --check-signature SomeApp.pkg

Package "SomeApp.pkg":

   Status: signed by a certificate trusted by Mac OS X

   Certificate Chain:

    1. Developer ID Installer: IDFusion Software Inc.

       SHA1 fingerprint: E5 DC 63 4C 79 DC 09 03 4D 94 F2 E0 C6 00 7B 2C 80 3A 02 50

       -----------------------------------------------------------------------------

    2. Developer ID Certification Authority

       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86

       -----------------------------------------------------------------------------

    3. Apple Root CA

       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

 

 

So far so good....

ekscrypto-2:Release ekscrypto$ spctl -a -v --type install SomeApp.pkg

SomeApp.pkg: accepted

source=Developer ID

 

And here is where it gets weird:

sh-3.2# installer -pkg SomeApp.pkg -target /

installer: Package name is SomeApp

installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.

 

Note: it fails with a "SomeApp.pkg can't be installed because its digital signature is invalid." error when double-clicking the .pkg.

 

Why is installer rejecting the certificate when both spctl and pkgutil --check-signature believe it is valid? Interestingly enough, if I pkgutil --expand and pkgutil --flatten to remove the code signing, the package installs. But as soon as I use "productsign" to sign the .pkg, it again fails at the installer with "untrusted".

 

The Developer ID Installer certificate is valid, was never revoked, and expires in 2018.  Please advise!

MacBook Pro (Retina, Mid 2012), OS X El Capitan (10.11.6)

Posted on Sep 26, 2016 2:08 PM


madefresh_dave, Sep 26, 2016 2:22 PM, in response to madefresh_dave

    ekscrypto-2:Release ekscrypto$ spctl -a --raw --type install SomeApp.pkg

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>assessment:authority</key>
      <dict>
        <key>assessment:authority:row</key>
        <integer>7</integer>
        <key>assessment:authority:source</key>
        <string>Developer ID</string>
      </dict>
      <key>assessment:remote</key>
      <true/>
      <key>assessment:verdict</key>
      <true/>
    </dict>
    </plist>