On the odd occasion we are asked how we create software packages that are signed and trusted so that they pass Apple’s Gatekeeper checks. We are registered Apple developers, and one benefit of that registration is the ability to create signed packages.
So how is this sorcery accomplished? Developers need to export their signing certificates and import them into the keychain on the Mac. Apple has a good explanation here:
Once that is done you can list the identities that are able to sign software by running the following in a terminal:
security find-identity -v
You should see something like the following (we have redacted our developer ID):
Now onto the fun part: actually signing your package! The key piece of data from the output above is the “Developer ID Installer” entry. Use that quoted name exactly as printed; the “Developer ID Application” identity is for signing apps and binaries, while installer packages (.pkg) must be signed with the Installer identity.
So for an example package named package.pkg we could use:
productsign --sign "Developer ID Installer: YOUR DETAILS HERE (XXXXXXXXXX)" package.pkg package_signed.pkg
This produces a signed package whose Developer ID signature is trusted on any macOS system. You can confirm the signature and its certificate chain with pkgutil --check-signature, and see Gatekeeper’s own verdict with spctl --assess --type install. One caveat: on current macOS (10.15 and later) Gatekeeper also expects Developer ID-signed installers to be notarized by Apple, so a valid signature on its own is no longer enough for a clean first-run check.
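The steps above wrapped into a small script, as an added example that is not part of the original post: it picks the “Developer ID Installer” identity out of the security find-identity -v output, signs the package with productsign, and then checks the result with pkgutil and spctl. The sample identity listing, the certificate hashes, “Example Corp” and the team ID XXXXXXXXXX are constructed placeholders; the signing step only runs where the macOS tools are present.

```shell
#!/bin/sh
# Added example, not the original post's code: sign a .pkg with the
# "Developer ID Installer" identity found in the keychain and verify it.

# Constructed sample of `security find-identity -v` output. The hashes,
# "Example Corp" and team ID XXXXXXXXXX are placeholders, not real identities.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (XXXXXXXXXX)"
  2) 0000000000000000000000000000000000000002 "Developer ID Installer: Example Corp (XXXXXXXXXX)"
     2 valid identities found'

# Read find-identity output on stdin and print the first quoted
# "Developer ID Installer: ..." name; prints nothing if there is none.
installer_identity() {
    sed -n 's/.*"\(Developer ID Installer: [^"]*\)".*/\1/p' | head -n 1
}

# Print the 10-character team ID in the trailing parentheses of an identity
# name, so a script can refuse to sign with the wrong team's certificate.
team_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p'
}

# Sign $2 into $3 using identity $1, then verify. Returns 2 when the macOS
# signing tools are not available (e.g. when run on Linux), 1 on failure.
sign_and_verify() {
    identity=$1; unsigned=$2; signed=$3
    if ! command -v productsign >/dev/null 2>&1; then
        echo "productsign not found: this step only runs on macOS" >&2
        return 2
    fi
    productsign --sign "$identity" "$unsigned" "$signed" || return 1
    # Shows the signing certificate chain; it should end at Apple Root CA.
    pkgutil --check-signature "$signed" || return 1
    # Gatekeeper's verdict. On macOS 10.15 and later an un-notarized
    # Developer ID package is reported as rejected here even though the
    # signature itself verifies above.
    spctl --assess --type install --verbose "$signed"
}

# Offline demonstration against the constructed listing.
identity=$(printf '%s\n' "$SAMPLE_IDENTITIES" | installer_identity)
echo "Installer identity: $identity (team $(team_id_of "$identity"))"

# On a Mac with the certificate imported, the real run is:
#   IDENTITY=$(security find-identity -v | installer_identity)
#   [ "$(team_id_of "$IDENTITY")" = "XXXXXXXXXX" ] || exit 1
#   sign_and_verify "$IDENTITY" package.pkg package_signed.pkg
```

Checking the team ID before signing is worth the extra line on a build machine that holds more than one Developer ID certificate, since productsign will happily use whichever identity string it is given.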