Tags: macos, electron, electron-builder, codesign, productsign

Unable to retrieve the certificate with codesign after signing the pkg with productsign


I have been struggling for the past two weeks with publishing the .pkg.

If I execute codesign -dvv app-version.pkg

I get app-version.pkg: code object is not signed at all

Then I want to sign it with productsign --sign "3rd Party Mac Developer Installer: xxx (yyy)" ./app-version.pkg ./app-version-signed.pkg

The output is:

productsign: signing product with identity "3rd Party Mac Developer Installer: xxx (yyy)" from keychain /Users/<user>/Library/Keychains/login.keychain-db
productsign: adding certificate "Apple Worldwide Developer Relations Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to ./app-version-signed.pkg

When I check the signature with codesign -dvv app-version-signed.pkg, I get the same result: app-version-signed.pkg: code object is not signed at all


We are using electron-builder to build the pkg, but the pkg is not signed yet. The app itself is signed with Developer ID Application and 3rd Party Mac Developer Application.


Solution

  • Short answer: use pkgutil --check-signature instead of codesign -dvv.

    Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them and to check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature.

    When you use codesign -dvv on a package, it is looking for its own signature format, and indeed there isn't one there.
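The sign-then-verify sequence the answer describes, as an added example that is not part of the original question or answer: productsign writes the flat-package signature, pkgutil --check-signature reads it back, and a small parser turns pkgutil's text into a pass/fail result so the check can sit in a release script. The pkgutil output embedded below is constructed from memory to illustrate the parser (the exact wording varies a little between macOS versions), the file names and the "xxx (yyy)" identity are the ones from the question, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Sign a flat .pkg with
# productsign and verify it with pkgutil, the tool that understands the
# flat-package (xar) signature format. codesign -dvv on a .pkg reports
# "code object is not signed at all" even after productsign has signed it.

# Parse `pkgutil --check-signature` output read from stdin.
# $1 = prefix of the leaf certificate you expect, e.g.
#      "3rd Party Mac Developer Installer" (Mac App Store submission) or
#      "Developer ID Installer" (distribution outside the store).
# Prints one word; returns 0 only for a package signed by the expected leaf.
pkg_sig_status() {
    expected="$1"
    out=$(cat)
    case "$out" in
        *"Status: no signature"*)
            echo unsigned
            return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q "Status: signed by"; then
        # The leaf certificate is listed first in the chain ("1. ...").
        if printf '%s\n' "$out" | grep -F -q "1. $expected"; then
            echo signed
            return 0
        fi
        echo signed-by-other
        return 2
    fi
    echo unknown
    return 3
}

# Sign an unsigned flat package (macOS only).
# $1 = input pkg, $2 = output pkg, $3 = installer signing identity
sign_pkg() {
    productsign --sign "$3" "$1" "$2"
}

# Verify a package with pkgutil (macOS only).
# $1 = pkg, $2 = expected leaf certificate prefix
verify_pkg() {
    if ! command -v pkgutil >/dev/null 2>&1; then
        echo "pkgutil not found; this check only runs on macOS" >&2
        return 127
    fi
    pkgutil --check-signature "$1" | pkg_sig_status "$2"
}

# Gatekeeper assessment of an installer package (macOS only). Meaningful
# for Developer ID Installer packages, not for App Store submissions.
assess_pkg() {
    spctl --assess --type install -vv "$1"
}

# Constructed sample outputs approximating pkgutil --check-signature's
# format (assumption: wording differs slightly across macOS versions).
SAMPLE_SIGNED='Package "app-version-signed.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: xxx (yyy)
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA'

SAMPLE_UNSIGNED='Package "app-version.pkg":
   Status: no signature'

# Usage: sh check_pkg.sh <pkg> "<expected leaf prefix>"
# Without arguments, run the parser over the constructed samples.
if [ "$#" -ge 2 ]; then
    verify_pkg "$1" "$2"
else
    printf '%s\n' "$SAMPLE_SIGNED"   | pkg_sig_status "3rd Party Mac Developer Installer" || true
    printf '%s\n' "$SAMPLE_UNSIGNED" | pkg_sig_status "3rd Party Mac Developer Installer" || true
fi
```

Two caveats worth keeping next to this check. The identity matters as much as the tool: "3rd Party Mac Developer Installer" is the App Store submission identity, while a package distributed outside the store needs a "Developer ID Installer" signature and, on current macOS, notarization before spctl will accept it, so pass the leaf name you actually intend to verify_pkg rather than just checking for "signed". And pkgutil only proves the package wrapper is signed; the app bundle inside still needs its own codesign verification (codesign --verify --deep --strict on the .app), which is the one place codesign belongs in this workflow.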