spctl says rejected for signed flat package
I have a flat package, signed by an Apple-supplied Developer ID, and spctl rejects it.
The TOC in the xar file looks proper and has a valid XML signature in it (as best I can tell). The certificate chain is elided here, but matches the output from pkgutil.
$ xar --dump-toc=- -f foo.pkg
<?xml version="1.0" encoding="UTF-8"?>
<xar>
  <toc>
    <checksum style="sha1">
      <size>20</size>
      <offset>0</offset>
    </checksum>
    <creation-time>2013-10-29T18:23:23</creation-time>
    <signature style="RSA">
      <offset>20</offset>
      <size>256</size>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </signature>
    <x-signature style="CMS">
      <offset>276</offset>
      <size>6144</size>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </x-signature>
    <file id="1">
      <name>Bom</name>
      <type>file</type>
      <inode>39991802</inode>
      <deviceno>16777218</deviceno>
      <mode>0644</mode>
      <uid>0</uid>
      <user>root</user>
      <gid>0</gid>
      <group>wheel</group>
      <atime>2013-10-29T18:01:47Z</atime>
      <mtime>2013-10-29T18:01:47Z</mtime>
      <ctime>2013-10-29T18:01:48Z</ctime>
      <FinderCreateTime>
        <time>1970-01-01T00:00:00</time>
        <nanoseconds>0</nanoseconds>
      </FinderCreateTime>
      <data>
        <extracted-checksum style="sha1">afb0b9dc0fe87477290b8551c1cf038c6bf7d3eb</extracted-checksum>
        <archived-checksum style="sha1">2aa56353d6d0e2c4eed9bc45f2541b19b17532e3</archived-checksum>
        <encoding style="application/x-gzip"/>
        <size>37717</size>
        <offset>6420</offset>
        <length>1907</length>
      </data>
    </file>
    <file id="2">
      <name>PackageInfo</name>
      <type>file</type>
      <inode>39991816</inode>
      <deviceno>16777218</deviceno>
      <mode>0644</mode>
      <uid>0</uid>
      <user>root</user>
      <gid>0</gid>
      <group>wheel</group>
      <atime>2013-10-29T18:01:48Z</atime>
      <mtime>2013-10-29T18:01:48Z</mtime>
      <ctime>2013-10-29T18:01:48Z</ctime>
      <FinderCreateTime>
        <time>1970-01-01T00:00:00</time>
        <nanoseconds>0</nanoseconds>
      </FinderCreateTime>
      <ea id="0">
        <name>com.apple.TextEncoding</name>
        <extracted-checksum style="sha1">34bb265cb6732969f269ccc90fea5d662e9e0ea5</extracted-checksum>
        <archived-checksum style="sha1">d433dacc26ca2c81f30c25e807dc170e6680aad9</archived-checksum>
        <encoding style="application/x-gzip"/>
        <size>15</size>
        <offset>8625</offset>
        <length>23</length>
      </ea>
      <data>
        <extracted-checksum style="sha1">8ddffdeaf0c9d56f1ac7a545f9065b8c0a0c253b</extracted-checksum>
        <archived-checksum style="sha1">a0e202b915ac2b741e8b4eb4b6c34ad2025e576e</archived-checksum>
        <encoding style="application/x-gzip"/>
        <size>549</size>
        <offset>8327</offset>
        <length>298</length>
      </data>
    </file>
    <file id="3">
      <name>Payload</name>
      <type>file</type>
      <inode>39991803</inode>
      <deviceno>16777218</deviceno>
      <mode>0644</mode>
      <uid>0</uid>
      <user>root</user>
      <gid>0</gid>
      <group>wheel</group>
      <atime>2013-10-29T18:01:47Z</atime>
      <mtime>2013-10-29T18:01:48Z</mtime>
      <ctime>2013-10-29T18:01:48Z</ctime>
      <FinderCreateTime>
        <time>1970-01-01T00:00:00</time>
        <nanoseconds>0</nanoseconds>
      </FinderCreateTime>
      <data>
        <extracted-checksum style="sha1">8c82d6335d52c388475c710b3da67dfc037aeb57</extracted-checksum>
        <archived-checksum style="sha1">8c82d6335d52c388475c710b3da67dfc037aeb57</archived-checksum>
        <size>6074987</size>
        <offset>8648</offset>
        <encoding style="application/octet-stream"/>
        <length>6074987</length>
      </data>
    </file>
    <file id="4">
      <name>Scripts</name>
      <type>file</type>
      <inode>39991814</inode>
      <deviceno>16777218</deviceno>
      <mode>0644</mode>
      <uid>0</uid>
      <user>root</user>
      <gid>0</gid>
      <group>wheel</group>
      <atime>2013-10-29T18:01:48Z</atime>
      <mtime>2013-10-29T18:01:48Z</mtime>
      <ctime>2013-10-29T18:01:48Z</ctime>
      <FinderCreateTime>
        <time>1970-01-01T00:00:00</time>
        <nanoseconds>0</nanoseconds>
      </FinderCreateTime>
      <data>
        <extracted-checksum style="sha1">b2e862d97d79b2a78433f07b29685e0293e0239b</extracted-checksum>
        <archived-checksum style="sha1">b2e862d97d79b2a78433f07b29685e0293e0239b</archived-checksum>
        <size>180</size>
        <offset>6083635</offset>
        <encoding style="application/octet-stream"/>
        <length>180</length>
      </data>
    </file>
  </toc>
</xar>
Looking at the contents, it's a very simple flat package:
$ xar -t -f foo.pkg
Bom
PackageInfo
Payload
Scripts
And lastly, pkgutil is happy; spctl (and the Installer, of course) is not:
$ sudo spctl --assess --type install -v foo.pkg
foo.pkg: rejected
$ /usr/sbin/pkgutil --check-signature foo.pkg
Package "foo.pkg":
Status: signed by a developer certificate issued by Apple
Certificate Chain:
1. 3rd Party Mac Developer Installer: TiVo, Inc (4BLW75E6S3)
SHA1 fingerprint: 1C 22 36 8E 43 E6 6D 42 CE 9F 63 B2 74 C7 23 C6 16 CF AC 10
-----------------------------------------------------------------------------
2. Apple Worldwide Developer Relations Certification Authority
SHA1 fingerprint: 09 50 B6 CD 3D 2F 37 EA 24 6A 1A AA 20 DF AA DB D6 FE 1F 75
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
Nothing inside the package is signed.
Any ideas where I look next?
OS X Mountain Lion (10.8.5)
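As an added Python example (not from the question, and not Apple's or xar's code), here are two checks a practitioner would run on the output above: it parses a constructed, trimmed copy of the TOC to confirm that the heap regions it points at are contiguous and non-overlapping, and it classifies the leaf certificate in pkgutil's chain text, since Gatekeeper (which is what spctl --assess --type install evaluates) accepts Developer ID Installer identities, while a 3rd Party Mac Developer Installer certificate chains to Apple but is the Mac App Store submission identity. The team name and ID in the sample chain are made up.

```python
import re
import xml.etree.ElementTree as ET
# Constructed, trimmed copy of the TOC in the question (certificates and metadata dropped).
SAMPLE_TOC = """<xar><toc>
<checksum style="sha1"><size>20</size><offset>0</offset></checksum>
<signature style="RSA"><offset>20</offset><size>256</size></signature>
<x-signature style="CMS"><offset>276</offset><size>6144</size></x-signature>
<file id="1"><name>Bom</name><data><offset>6420</offset><length>1907</length></data></file>
<file id="2"><name>PackageInfo</name>
 <ea id="0"><name>com.apple.TextEncoding</name><offset>8625</offset><length>23</length></ea>
 <data><offset>8327</offset><length>298</length></data></file>
<file id="3"><name>Payload</name><data><offset>8648</offset><length>6074987</length></data></file>
<file id="4"><name>Scripts</name><data><offset>6083635</offset><length>180</length></data></file>
</toc></xar>"""

def heap_regions(toc_xml):
    """(label, offset, size) for every heap region the TOC points at, sorted by offset."""
    toc = ET.fromstring(toc_xml).find("toc")
    regions = []
    for tag in ("checksum", "signature", "x-signature"):
        el = toc.find(tag)
        if el is not None:
            regions.append((tag, int(el.findtext("offset")), int(el.findtext("size"))))
    for f in toc.findall("file"):
        for blob in f.findall("data") + f.findall("ea"):
            label = f.findtext("name") + ("" if blob.tag == "data" else ":" + blob.findtext("name"))
            regions.append((label, int(blob.findtext("offset")), int(blob.findtext("length"))))
    return sorted(regions, key=lambda r: r[1])

def overlapping(regions):
    """Pairs of neighbouring regions whose byte ranges overlap; a sane TOC yields []."""
    return [(a[0], b[0]) for a, b in zip(regions, regions[1:]) if a[1] + a[2] > b[1]]

# Constructed excerpt in the layout pkgutil --check-signature prints (team name/ID made up).
SAMPLE_PKGUTIL = """Certificate Chain:
1. 3rd Party Mac Developer Installer: Example Corp (TEAMID0000)
2. Apple Worldwide Developer Relations Certification Authority
3. Apple Root CA"""

def leaf_cert_kind(pkgutil_text):
    """Classify the leaf certificate by its common-name prefix on line '1.' of the chain."""
    m = re.search(r"^\s*1\.\s*(.+?):", pkgutil_text, re.M)
    if not m:
        return "unsigned-or-unknown"
    leaf = m.group(1)
    if leaf.startswith("Developer ID Installer"):
        return "developer-id"    # the identity Gatekeeper (spctl --type install) accepts
    if leaf.startswith("3rd Party Mac Developer Installer"):
        return "mac-app-store"   # valid Apple chain, but meant for App Store submission
    return "other"
```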