Notarizing installer package; which certificate?

I am having trouble notarizing an installer package.

I created an installer package using pkgbuild and productbuild, and then I tried to notarize it with notarytool, but I got an error message.

The error message led me to "Use a valid Developer ID certificate", which includes the statement:

"Sign installer packages with a Developer ID Installer certificate"

The app is signed with the team Developer ID and is notarized (via Xcode).

I signed both packages (during pkgbuild and productbuild) with a certificate created when I clicked Mac Installer Distribution in the developer portal, and it created a certificate named "3rd Party Mac Developer Installer: my company"

Is this the wrong certificate?

If it is the wrong certificate, which one should I create in the developer portal? (I didn't see anything specified as "Developer ID Installer")

If it is the right certificate, any idea what I might have done wrong?

Note: The reason I am trying to notarize the installer package is because when I tried testing the installer in my test VM, I received the following message (I thought signing the pkg would have prevented this):

Accepted Reply

Ah! Not being the Account Holder, I do not even see the "Developer ID Installer" option when creating a certificate in the developer portal. I'll get the account holder to generate this for me.

  • Verified. Once the account holder created a new "Developer ID Installer" certificate, exported it to a .p12, and I added it to my keychain, I was able to properly sign, notarize, and distribute the installer.


Replies

PS. When I use pkgutil on the installer package, it looks like the pkg is signed. I get the following results:

% pkgutil --check-signature MyInstaller.pkg
Package "MyInstaller.pkg":
   Status: signed by a developer certificate issued by Apple (Development)
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: MyCompany
       Expires: 2024-11-12 22:49:38 +0000
       SHA256 Fingerprint:
           F4 86 F1 45 97 3D DB B6 E2 92 3D 04 69 CE E3 04 9F 9D B3 4E F5 62 
           4B 7C 0D 49 96 C2 F4 87 8F 4C
       ------------------------------------------------------------------------
    2. Apple Worldwide Developer Relations Certification Authority
       Expires: 2030-02-20 00:00:00 +0000
       SHA256 Fingerprint:
           DC F2 18 78 C7 7F 41 98 E4 B4 61 4F 03 D6 96 D8 9C 66 C6 60 08 D4 
           24 4E 1B 99 16 1A AC 91 60 1F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24
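
Added example (not part of the original thread): a pre-submission check that reads `pkgutil --check-signature` output and reports whether the leaf certificate is a "Developer ID Installer" certificate, the kind the notarization guidance quoted above asks for, or the "3rd Party Mac Developer Installer" one shown in this output. The function names, verdict strings, trimmed sample outputs and the placeholder team ID are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the leaf signing certificate from `pkgutil --check-signature` output.
# On a Mac: pkgutil --check-signature MyInstaller.pkg | classify_leaf

# Print the name of certificate chain entry 1 (the leaf) from stdin.
leaf_cert_name() {
    sed -n 's/^[[:space:]]*1\.[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Map the leaf certificate name to a verdict string (verdict names are made up here).
classify_leaf() {
    name=$(leaf_cert_name)
    case "$name" in
        "Developer ID Installer: "*)            echo "ok-developer-id-installer" ;;
        "3rd Party Mac Developer Installer: "*) echo "wrong-mac-app-store-installer" ;;
        "")                                     echo "no-leaf-certificate" ;;
        *)                                      echo "unexpected: $name" ;;
    esac
}

# Sample 1: the output posted in this thread, trimmed to the chain entry names.
sample_from_thread() {
    cat <<'EOF'
Package "MyInstaller.pkg":
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: MyCompany
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA
EOF
}

# Sample 2: constructed output for a Developer ID signed package
# (TEAMID1234 is a placeholder, not a real team ID).
sample_developer_id() {
    cat <<'EOF'
Package "MyInstaller.pkg":
   Certificate Chain:
    1. Developer ID Installer: MyCompany (TEAMID1234)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

echo "thread sample:       $(sample_from_thread | classify_leaf)"
echo "developer id sample: $(sample_developer_id | classify_leaf)"
```

Running this check in a build script before `notarytool` is called surfaces the certificate mismatch locally, without waiting for the notary service to reject the upload.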
