Hello!
I am using the EV (Extended Validation) code signing certificate issued by DigiCert (https://www.digicert.com/code-signing/ev-code-signing.htm) to sign code. The certificate and corresponding private key are stored on the eToken.
I am successfully signing Mac OS X applications with the following command:
$ codesign -s "Open Joint-Stock Company BIFIT" -v -f nmBIFITApp
nmBIFITApp: replacing existing signature
nmBIFITApp: signed Mach-O thin (x86_64) [nmBIFITApp]
And verify:
$ codesign -vvd nmBIFITApp
Executable=/Users/borodavkin/2sign/macosx/nmBIFITApp
Identifier=nmBIFITApp
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=4662 flags=0x0(none) hashes=228+2 location=embedded
Signature size=4775
Authority=Open Joint-Stock Company BIFIT
Authority=DigiCert EV Code Signing CA (SHA2)
Authority=DigiCert High Assurance EV Root CA
Signed Time=17 сент. 2015 г., 19:02:16
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=2 size=264
However, I can't sign the installation package using this certificate:
$ productsign --sign "Open Joint-Stock Company BIFIT" bifit_app.pkg bifit_app.pkg-signed
productsign: error: Could not find appropriate signing identity for “Open Joint-Stock Company BIFIT”. An installer signing identity (not an application signing identity) is required for signing flat-style products.
I am using this certificate because it is EV, and also because signing requires two-factor authentication.
So how can I sign a product with an EV certificate issued by DigiCert, or maybe by any other public certification authority?
Is this possible?