Were there some changes with how certificates are handled, and how can I add back support for earlier OS versions?
Yeah, that’s my suspicion too. I took a look at the macOS 11 version of productsign to see if it had an option to control this but, AFAICT, it does not.
Big Sur does not correctly sign pkg files using SHA1 which is required
by El Capitan (10.11) and earlier.
An example package that reproduces the problem
A sysdiagnose log from the Mac taken immediately after it refuses to install the package
Apple never tells anyone their plans, for good reason.
We'd like to know what Apple's plans are to fix this problem, and when we can expect this fix to be released.