Signing Installer Packages with Apple 3rd Party Developer Certificate

OS X 10.8 “Moutain Lion” shipped with Gatekeeper, an Apple technology that prevents malicious software from getting installed on OS X. The default setting for Gatekeeper is that all applications must either be from the Mac App Store, or be signed by a “registered developer”. This also applies to installer packages. If you attempt to install a package that is not signed correctly, you’ll get an error message that it is from an unidentified developer:

You can get around this by control clicking the package file and selecting “open”, but this is not the best user experience. The correct way to do it is to get a 3rd party developer certificate from Apple and use the productsign binary. You can create the package and sign it in two easy steps on the command line using “packagemaker” and “productsign”.

To use packagemaker command line tool, you need to create a folder structure like this:

Make sure that the permissions are set as they should be for existing files and folders when installing. Then run, as root, the packagemaker command, replacing $buildNumber with the version of the package (this should increase each time you create a package).

packagemaker –domain system –no-relocate –version $buildNumber –title “Boot Runner” –version ${buildNumber} –filter “.DS_Store” –root-volume-only –domain system –verbose –no-relocate -l “/” –target 10.6 –id com.twocanoes.bootrunner.pkg –root /Users/Shared/package_builder/Boot Runner –out “/Users/Shared/Installers/Boot Runner-${buildNumber}.pkg”

To see what each option does, see man packagemaker.
Now we need to sign the package. Assuming that you have created a 3rd party developer certificate at developer.apple.com (“Developer ID Installer Certificate”) you can look in your keychain and get the name of your certificate:
Note that you need the identify with “Installer” in the name. Next, run the productsign command:
productsign –sign “Developer ID Installer: Twocanoes Software, Inc.” “/Users/Shared/Installers/Boot Runner-${buildNumber}.pkg” “/Users/Shared/Installers/Boot Runner-${buildNumber}.pkg.signed”
That’s it! You’ll now have a fancy signed package: