What is the difference between Apple codesign and productsign?
I have been playing around with them both and whilst I cannot sign code with productsign it appears I can sign a package with codesign.
So two main questions:
You use the codesign command to interrogate an app or other signed entity about its signature. To verify the signature on a signed binary, use the -v option with no other options: codesign -v <code-path>
An installer signing identity (not an application signing identity) is required for signing flat-style products.
codesign — used for codesigning application bundles, frameworks, verifying and manipulating signatures, etc.
productsign — used specifically for codesigning .pkgs and .mpkgs (Installer packages/archives).
But why can I sign a package using codesign?
The codesign tool is used to validate what you sign as a single entity — meaning the same program. An installer package is not one entity; it's actually several (the contents, the installer, and installer scripts/plugins). Since the codesign tool does not make the distinction that your .pkg is actually something completely separate from what's contained within it, using it to sign an installer package can result in an invalid signature, or your installer crashing.
Apple's Code Signing Guide reads:
"In the case of installer packages (.pkg and .mpkg bundles), everything is implicitly signed: The CPIO archive containing the payload, the CPIO archive containing install scripts, and the bill of materials (BOM) each have a hash recorded in the XAR header, and that header in turn is signed. Therefore, if you modify an install script (for example) after the package has been signed, the signature will be invalid."
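The quoted passage is the reason productsign exists: a flat package is a XAR container whose table of contents (TOC) records a hash for every archived entry (payload CPIO, scripts CPIO, BOM), and the installer signature covers a checksum of that TOC rather than any single file. The script below is an added illustration, not code from the original page or from Apple: it parses the XAR header and TOC of a .pkg, recomputes the TOC checksum that the signature is bound to, recomputes each entry's archived checksum against the heap bytes, and reports whether a signature element is present. It then builds a constructed in-memory sample package (the signature blob is a zero placeholder; no RSA or certificate-chain verification is done here, that is what pkgutil --check-signature and spctl --assess --type install are for) and shows that editing a script in place leaves the TOC checksum intact but breaks the entry's recorded hash.

```python
"""Audit the XAR container behind a flat .pkg: what the TOC signature covers."""
import hashlib
import struct
import sys
import zlib
import xml.etree.ElementTree as ET

# xar header: magic, header size, version, compressed TOC length,
# uncompressed TOC length, checksum algorithm id (all big-endian, 28 bytes).
XAR_HEADER = struct.Struct(">4sHHQQI")
XAR_MAGIC = b"xar!"
# The hash is selected from the TOC's own "style" attributes, not the header id.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "md5": hashlib.md5}


def parse_xar(blob):
    """Split a xar blob into (TOC XML root, heap bytes, compressed TOC bytes)."""
    magic, hdr_size, _ver, toc_clen, toc_ulen, _alg = XAR_HEADER.unpack_from(blob, 0)
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive")
    toc_c = blob[hdr_size:hdr_size + toc_clen]
    toc_xml = zlib.decompress(toc_c)
    if len(toc_xml) != toc_ulen:
        raise ValueError("TOC length mismatch")
    return ET.fromstring(toc_xml), blob[hdr_size + toc_clen:], toc_c


def audit_pkg(blob):
    """Check the TOC checksum (what the signature actually signs) and every
    archived entry's recorded hash. Returns e.g.
    {"toc_checksum_ok": True, "signature": "RSA", "entries": {"Scripts": True}}."""
    root, heap, toc_c = parse_xar(blob)
    toc = root.find("toc")
    report = {"toc_checksum_ok": False, "signature": None, "entries": {}}

    # The TOC checksum sits in the heap (normally offset 0) and hashes the
    # *compressed* TOC; the signature element points at a blob signing that hash.
    cks = toc.find("checksum")
    off, size = int(cks.findtext("offset")), int(cks.findtext("size"))
    report["toc_checksum_ok"] = HASHES[cks.get("style")](toc_c).digest() == heap[off:off + size]
    sig = toc.find("signature")
    if sig is not None:
        report["signature"] = sig.get("style")  # presence only; no RSA/cert check here

    # Each file (Payload, Scripts, Bom, ...) records the hash of its heap bytes;
    # editing a script in place breaks this without touching the TOC itself.
    for f in toc.iter("file"):
        data = f.find("data")
        if data is None:
            continue
        d_off, d_len = int(data.findtext("offset")), int(data.findtext("length"))
        ac = data.find("archived-checksum")
        actual = HASHES[ac.get("style")](heap[d_off:d_off + d_len]).hexdigest()
        report["entries"][f.findtext("name")] = (actual == ac.text)
    return report


def build_sample_pkg(files, sig_len=256, style="sha1"):
    """Constructed sample: a minimal xar laid out like a flat package
    (TOC checksum, signature placeholder, then stored entries)."""
    h = HASHES[style]
    digest_len = h().digest_size
    heap = bytearray(digest_len)          # TOC checksum filled in below
    sig_off = len(heap)
    heap += bytes(sig_len)                # a real .pkg holds the RSA signature here
    entries = []
    for i, (name, content) in enumerate(files, 1):
        off = len(heap)
        heap += content
        hexd = h(content).hexdigest()
        entries.append(
            f'<file id="{i}"><name>{name}</name><type>file</type><data>'
            f'<offset>{off}</offset><size>{len(content)}</size><length>{len(content)}</length>'
            f'<archived-checksum style="{style}">{hexd}</archived-checksum>'
            f'<extracted-checksum style="{style}">{hexd}</extracted-checksum>'
            f'<encoding style="application/octet-stream"/></data></file>')
    toc_xml = (f'<xar><toc><checksum style="{style}"><offset>0</offset>'
               f'<size>{digest_len}</size></checksum>'
               f'<signature style="RSA"><offset>{sig_off}</offset><size>{sig_len}</size></signature>'
               + "".join(entries) + "</toc></xar>").encode()
    toc_c = zlib.compress(toc_xml)
    heap[0:digest_len] = h(toc_c).digest()
    header = XAR_HEADER.pack(XAR_MAGIC, XAR_HEADER.size, 1, len(toc_c), len(toc_xml), 1)
    return bytes(header + toc_c + heap)


def tamper_heap(blob, needle, replacement):
    """Patch heap bytes in place (same length), as someone editing a postinstall
    script after signing would; the TOC and its checksum are left untouched."""
    _, hdr_size, _, toc_clen, _, _ = XAR_HEADER.unpack_from(blob, 0)
    start = hdr_size + toc_clen
    return blob[:start] + blob[start:].replace(needle, replacement, 1)


# Constructed sample package with the three entries the guide names.
SAMPLE = build_sample_pkg([
    ("Payload", b"cpio-payload-bytes"),
    ("Scripts", b"#!/bin/sh\nexit 0\n"),
    ("Bom", b"bom-bytes"),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(audit_pkg(blob))
    print(audit_pkg(tamper_heap(SAMPLE, b"exit 0", b"exit 1")))
```

Run it against a real signed package (python3 audit_xar.py Installer.pkg) to see which entries the TOC covers; note that an entry hash mismatch or a bad TOC checksum is a definitive tamper signal, but a clean report only means the container is self-consistent. Whether the signature itself is valid and chains to a trusted Developer ID Installer certificate is what pkgutil --check-signature and spctl --assess --type install decide.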