Signing Installer Packages
Xcode does not create signed installer packages for you. Instead, you create signed installer packages (with a .pkg extension) by supplying an installer signing identity to the productbuild tool. For example, to create the package Product.pkg from a distribution file Product.dist, and sign it with your identity, as found in your keychain:
productbuild --distribution Product.dist --sign <identity> Product.pkg
As with signed code, when you create a flat-file installation package, any modification after signing invalidates the signature.
Note: Bundle-style installer packages are no longer supported.
productbuild [options] --distribution dist-path
[--package-path search-path] product-output-path
Create a product archive using a distribution file. If you have a
distribution file, use the --distribution option to specify the path
to it, and the --package-path option to specify the directory where
the component packages are found (if they are not in the current
working directory). All packages referenced by the distribution will
be incorporated into the resulting product archive.
When creating product archives for submission to the Mac App Store, use
only the --component mode of productbuild. The other modes will create
product archives that are compatible with the OS X Installer, but are not
necessarily acceptable for the Mac App Store.
SIGNED PRODUCT ARCHIVES
When creating a product archive, you can optionally add a digital
signature to the archive. You will need to have a certificate and
corresponding private key -- together called an "identity" -- in one of
your accessible keychains. To add a signature, specify the name of the
identity using the --sign option. The identity's name is the same as the
"Common Name" of the certificate.
If you want to search for the identity in a specific keychain, specify
the path to the keychain file using the --keychain option. Otherwise, the
default keychain search path is used.
productbuild will embed the signing certificate in the product archive,
as well as any intermediate certificates that are found in the keychain.
If you need to embed additional certificates to form a chain of trust
between the signing certificate and a trusted root certificate on the
system, use the --cert option to give the Common Name of the intermediate
certificate. Multiple --cert options may be used to embed multiple
intermediate certificates.
The signature can optionally include a trusted timestamp. This is enabled
by default when signing with a Developer ID identity, but it can be
enabled explicitly using the --timestamp option. A timestamp server must
be contacted to embed a trusted timestamp. If you aren't connected to the
Internet, you can use --timestamp=none to disable timestamps, even for a
Developer ID identity.
Note that component packages do not need to be signed (e.g. with
pkgbuild(1)) before adding them to a signed product archive. The
signature on the product archive protects the entire product, including
the added packages.
If you want to postpone signing the product archive until it has been
tested and is ready to deploy, you can use productsign(1) when you are
ready to add the signature.
productbuild --distribution Product.dist --sign sample-identity Product.pkg
Build the archive Product.pkg using Product.dist, and sign the
resulting archive using the identity sample-identity. You will be
prompted to allow productbuild to access the keychain item,
unless Always Allow was chosen previously.
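The deferred-signing workflow described above (build the archive unsigned, test it, then sign with productsign(1) and check the result), written out as an added example that is not part of the man page or Apple's documentation. The file names, identity and keychain path passed in are placeholders chosen by the caller, and the DRY_RUN switch and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: build unsigned, sign later, verify the signed artifact.
# Function names and DRY_RUN are hypothetical helpers, not Apple tooling.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_unsigned DIST PKGDIR OUT
# Assemble the product archive from a distribution file with no signature,
# so it can be tested before the signing identity is ever used.
build_unsigned() {
    run productbuild --distribution "$1" --package-path "$2" "$3"
}

# sign_release IDENTITY KEYCHAIN SRC DST
# Sign the tested archive SRC into DST using an identity from one specific
# keychain, request a trusted timestamp, then verify the signature on DST.
sign_release() {
    identity=$1 keychain=$2 src=$3 dst=$4
    # Keep the tested unsigned archive untouched; write the signed copy elsewhere.
    if [ "$src" = "$dst" ]; then
        echo "sign_release: source and destination must differ" >&2
        return 2
    fi
    # --keychain limits the identity search to one keychain file;
    # --timestamp asks for a trusted timestamp (needs network access).
    run productsign --sign "$identity" --keychain "$keychain" \
        --timestamp "$src" "$dst" || return 1
    # Any modification after signing invalidates the signature, so the
    # check is made on the final file that will actually be distributed.
    run pkgutil --check-signature "$dst" || return 1
}
```

Call build_unsigned first, test the resulting archive, and run sign_release only on the file that passed testing; a non-zero return from sign_release means the archive should not be shipped.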
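This article describes how to use Xcode's productbuild tool to create signed installer packages (.pkg), including the options for specifying the distribution file path, the signing identity, and certificates. It also explains why signing matters for installer packages and provides concrete command examples.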



