Sometimes you need to distribute your application installers outside the Mac App Store. You can code sign an installer so that Gatekeeper recognizes it as an identified developer product. Once you code sign the installer with your Apple Developer ID certificate, Gatekeeper will allow the installer to open; otherwise it will show a dialog saying “The app cannot be opened because it is from an unidentified developer” (if the Gatekeeper settings are set to ‘Mac App Store and identified developers’).
To learn more about Gatekeeper options, click here.
Here we will see how to sign the installer package so that Gatekeeper won’t block it.
Installers created by PackageMaker with the minimum target set to 10.5 and above are flat packages, while installers created with the minimum target set to 10.4 are bundle packages.
Bundle type installers cannot be signed using the Developer ID Installer certificate. They can be signed using the Developer ID Application certificate, but Gatekeeper does not accept them.
To sign a flat type installer, you first need to enroll in the Mac Developer Program and download your Developer ID Installer certificate. Double-click the downloaded certificate to load it into your keychain.
Once the certificate is in your keychain, you can check it in Keychain Access. The certificate will be named like “Developer ID Installer: Any Name”.
To code-sign your installer package, run the following command in Terminal:
productsign --timestamp=none --sign "Your Certificate Name" "/path/and/name/of/the/unsigned/installer" "path/and/name/of/signed/installer"
For example, in my case:
productsign --timestamp=none --sign "Developer ID Installer: Neha Gupta" "/myApp.pkg" "/signed/myApp.pkg"
The new installer will be signed with your installer certificate and will be recognized by Gatekeeper as an identified developer product. To check which certificate the package is signed with, launch the signed installer package and click the lock icon in the upper right corner.
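An added example, not from the original post: a shell wrapper that refuses to run productsign on a bundle-type installer, since only flat packages can be signed with the Developer ID Installer certificate, and then checks the result from the command line with pkgutil and spctl instead of the lock icon. It assumes flat packages are xar archives (magic bytes "xar!") and bundle packages are directories; the function names pkg_kind and sign_flat_pkg are hypothetical.

```shell
#!/bin/sh
# Added example: sign only flat installer packages, then verify the result.

# pkg_kind PATH -> prints "flat", "bundle" or "unknown".
# Assumption: a flat package is a xar archive whose first four bytes are
# "xar!" (hex 78617221); a bundle package is a directory.
pkg_kind() {
    if [ -d "$1" ]; then
        echo bundle
    elif [ -f "$1" ] &&
         [ "$(head -c 4 "$1" | od -An -tx1 | tr -d '[:space:]')" = "78617221" ]; then
        echo flat
    else
        echo unknown
    fi
}

# sign_flat_pkg IDENTITY UNSIGNED SIGNED
# Returns 2 without signing if UNSIGNED is not a flat package,
# 1 if signing or signature verification fails, otherwise spctl's status.
sign_flat_pkg() {
    sfp_identity=$1
    sfp_unsigned=$2
    sfp_signed=$3

    sfp_kind=$(pkg_kind "$sfp_unsigned")
    if [ "$sfp_kind" != "flat" ]; then
        echo "refusing to sign: $sfp_unsigned is a $sfp_kind package" >&2
        return 2
    fi

    # Same invocation as in the article.
    productsign --timestamp=none --sign "$sfp_identity" \
        "$sfp_unsigned" "$sfp_signed" || return 1

    # Show the signing certificate chain of the output package.
    pkgutil --check-signature "$sfp_signed" || return 1

    # Ask Gatekeeper whether it would accept this installer.
    spctl --assess --type install -v "$sfp_signed"
}

# Stand-alone use: ./sign.sh "Developer ID Installer: Any Name" in.pkg out.pkg
if [ "$#" -eq 3 ]; then
    sign_flat_pkg "$@"
fi
```
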
Written By: Neha Gupta