productsign(1) General Commands Manual productsign(1)
productsign – Sign a macOS Installer product archive
productsign [options] --sign identity input-product-path.pkg
productsign adds a digital signature to a product archive previously
created with productbuild(1). Although you can add a digital signature at
the time you run productbuild(1), you may wish to add a signature later,
once the product archive has been tested and is ready to deploy. If you run
productsign on a product archive that was previously signed, the existing
signature will be replaced.
To sign a product archive, you will need to have a certificate and
corresponding private key -- together called an “identity” -- in one of
your accessible keychains. To add a signature, specify the name of the
identity using the --sign option. The identity's name is the same as the
“Common Name” of the certificate.
If you want to search for the identity in a specific keychain, specify the
path to the keychain file using the --keychain option. Otherwise, the
default keychain search path is used.
productsign will embed the signing certificate in the product archive, as
well as any intermediate certificates that are found in the keychain. If
you need to embed additional certificates to form a chain of trust between
the signing certificate and a trusted root certificate on the system, use
the --cert option to give the Common Name of the intermediate certificate.
Multiple --cert options may be used to embed multiple intermediate
The signature can optionally include a trusted timestamp. This is enabled
by default when signing with a Developer ID identity, but it can be enabled
explicitly using the --timestamp option. A timestamp server must be
contacted to embed a trusted timestamp. If you aren't connected to the
Internet, you can use --timestamp=none to disable timestamps, even for a
Developer ID identity.
ARGUMENTS AND OPTIONS
The name of the identity to use for signing the product archive.
Specify a specific keychain to search for the signing identity.
Specify an intermediate certificate to be embedded in the product
Include a trusted timestamp with the signature.
Disable trusted timestamp, regardless of identity.
The product archive to be signed.
The path to which the signed product archive will be written. Must
not be the same as input-product-path. The output path should be
package. If the package already exists, it will be overwritten.
macOS September 15, 2010 macOS