productsign(1)               General Commands Manual              productsign(1)

     productsign – Sign a macOS Installer product archive

     productsign [options] --sign identity input-product-path.pkg

     productsign adds a digital signature to a product archive previously
     created with productbuild(1).  Although you can add a digital signature at
     the time you run productbuild(1), you may wish to add a signature later,
     once the product archive has been tested and is ready to deploy. If you run
     productsign on a product archive that was previously signed, the existing
     signature will be replaced.

     To sign a product archive, you will need to have a certificate and
     corresponding private key -- together called an “identity” -- in one of
     your accessible keychains. To add a signature, specify the name of the
     identity using the --sign option. The identity's name is the same as the
     “Common Name” of the certificate.

     If you want to search for the identity in a specific keychain, specify the
     path to the keychain file using the --keychain option. Otherwise, the
     default keychain search path is used.

     productsign will embed the signing certificate in the product archive, as
     well as any intermediate certificates that are found in the keychain. If
     you need to embed additional certificates to form a chain of trust between
     the signing certificate and a trusted root certificate on the system, use
     the --cert option to give the Common Name of the intermediate certificate.
     Multiple --cert options may be used to embed multiple intermediate

     The signature can optionally include a trusted timestamp. This is enabled
     by default when signing with a Developer ID identity, but it can be enabled
     explicitly using the --timestamp option. A timestamp server must be
     contacted to embed a trusted timestamp. If you aren't connected to the
     Internet, you can use --timestamp=none to disable timestamps, even for a
     Developer ID identity.

     --sign identity-name
             The name of the identity to use for signing the product archive.

     --keychain keychain-path
             Specify a specific keychain to search for the signing identity.

     --cert certificate-name
             Specify an intermediate certificate to be embedded in the product

             Include a trusted timestamp with the signature.

             Disable trusted timestamp, regardless of identity.

             The product archive to be signed.

             The path to which the signed product archive will be written. Must
             not be the same as input-product-path. The output path should be
             package. If the package already exists, it will be overwritten.


macOS                          September 15, 2010                          macOS