spctl accepted, installer rejected certificate
I'm having difficulties generating a Package installer using my Developer ID Installer certificate, more precisely it seems that spctl has no problem with the certificate while the "installer" app think it is untrusted. Here are some command line output:
ekscrypto-2:Release ekscrypto$ pkgutil --check-signature SomeApp.pkg
Package "SomeApp.pkg":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: IDFusion Software Inc.
SHA1 fingerprint: E5 DC 63 4C 79 DC 09 03 4D 94 F2 E0 C6 00 7B 2C 80 3A 02 50
-----------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
So far so good....
ekscrypto-2:Release ekscrypto$ spctl -a -v --type install SomeApp.pkg
SomeApp.pkg: accepted
source=Developer ID
And here where it gets weird:
sh-3.2# installer -pkg SomeApp.pkg -target /
installer: Package name is SomeApp
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.
Note: it fails with a "SomeApp.pkg can't be installed because its digital signature is invalid." error when double-clicking the .pkg
Why is installer rejecting the certificate when both spctl and pkgutil --check-signature believe it is valid? Interestingly enough if I pkgutil --expand and pkgutil --flatten to remove the code signing, the package installs. But as soon as I use "productsign" to sign the .pkg, it again fails at the installer with "untrusted".
The Developer ID Installer certificate is valid, was never revoked, and expires in 2018. Please advise!
MacBook Pro (Retina, Mid 2012), OS X El Capitan (10.11.6)