Codesign Installer package for distribution outside the Mac App Store

Sometimes you need to distribute your application installers outside Mac App Store. You can code sign it so that it will be recognized by Gatekeeper as identified developer product. Once you code sign the installer with your Apple Developer Id certificate, gatekeeper will allow to open the installer, otherwise it will show a dialog saying “The app cannot be opened because it is from an unidentified developer” (if gatekeeper settings are set to ‘Mac App store and identified developers’).

To know more about Gatekeeper options click here.

Here we will see how to sign the installer package so that gatekeeper won’t block it.

The installers created by PackageMaker with minimum target set to 10.5 and above are flat package while the installers created with minimum target set to 10.4 will create a bundle package.

Bundle type installers cannot be signed using Developer Id Installer certificate. These can be signed using Developer Id Application certificate, but gatekeeper does not pass it.

To sign a flat type installer first you need to enroll to Mac Developer Program and download your Developer Id Installer certificate. Double click the downloaded certificate to load it to keychain.

Now once you have the certificate in your keychain, you may check it via KeyChain Access. The certificate will be named like “Developer ID Installer: Any Name”.

To code-sign your installer package, run the following command in terminal:

productsign –timestamp=none –sign “Your Certificate Name” “/path/and/name/of/the/unsigned/installer” “path/and/name/of/signed/installer

For example, in my case

productsign –timestamp=none –sign “Developer ID Installer: Neha Gupta” “/myApp.pkg” “/signed/myApp.pkg”

The new installer created will be signed by your installer certificate and will be recognized by gatekeeper as a identified developer product. To check the certificate by which package is signed, launch the signed installer package and click the lock sign on the upper right corner.

Written By: Neha Gupta


2 thoughts on “Codesign Installer package for distribution outside the Mac App Store

  1. Hi, how to fix re-quarantined signed pkg file? When I uploaded the signed pkg file to our website or Dropbox and downloaded the pkg file, it will not open and prompts “because it is from an unidentified developer”. But if I run the signed pkg from my Mac with Gatekeeper default settings, it is OK.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s