I have a plugin that, as recommended, does not have to be signed, but I also have a pkg installer (which installs the plug-in) that needs to be signed. So I signed both my plugins and pkg file to be on the more secure side. Since there is no plugin check, I did not see any problems. But I have problems with the pkg installer. I signed the pkg installer on 10.6.8 so that I can reuse it on 10.5, 10.6, 10.7 and 10.8. I used the following command
productsign --sign "Developer ID Installer: My Company" /Volumes/code/MyInstaller.pkg "/Volumes/code/My Installer.pkg"
The magazines displayed by the products were encouraging.
productsign: signing product with identity "Developer ID Installer: My Company" from keychain /Users/vishveshk/Library/Keychains/login.keychain productsign: adding intermediate certificate "Developer ID Certification Authority" productsign: Wrote signed product archive to /Volumes/code/My Installer.pkg
When I tested it at 10.8 using
sudo spctl -a -v My Installer.pkg
The result was bad
My Installer.pkg: rejected source=no usable signature
I signed my plugin on the same computer and it seems to be working fine. Am I doing something wrong? Any understanding of this would be helpful.
Vishvesh
source share