Developer ID Installer xxx this identity cannot be used for signing code

Trying to sign a Munkitools.pkg I get the error message:

Developer ID Installer: Buymax Pty Ltd (V66AU3MHBS): this identity cannot be used for signing code

Issuing this command
Code Block
security find-identity -p codesigning 


finds a bunch of codesigning identities but not the ‘Developer ID Installer’ identity.

I did initially find that codesign was not in the attributes of the cert I’m trying to use, but adding it did not help.

The only difference I’ve been able to find between the Developer ID Installation cert (which doesn’t work) and the Developer ID Application cert (which can be used but won’t validly sign an installer) is in one of the attributes called Purpose #1 in the pics: ‘code signing’ is missing in the one that doesn’t work…

hmm, can't post pics

The fact that the code signing purpose is missing from your Developer ID Installer identity is expected; that identity is not used to sign code.

Run the following command:

Code Block
% security find-identity


That is, without specifying a purpose. You should see two lists:
  • Matching identities

  • Valid identities only

Which of these lists includes your Developer ID Installer identity?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn,
Thanks for the reply, much appreciated.

Using that command I can verify:
'Developer ID Installer' appears once in 'Matching Identities'
'Developer ID Installer' appears once in 'Valid Identities'

However your reply does give some clues. On trying again,
Code Block
pkgutil --check-signature /package.pkg

does say the package is validly signed. Also opening the installer and clicking the padlock shows the correct cert.



So it's really spctl that's barfing.
Instead of using
Code Block
spctl --assess -vvvv /package.pkg

I use
Code Block
spctl -a -t install --context context:primary-signature -v /package.pkg

And this gives a slightly different error about notarisation.
Is it possible that spctl is giving errors because the .pkg is not notarised?
If yes, then the errors are appallingly vague.




Found it: spctl is not needed as the installer will be deployed with MDM.

The issue was my script was using 'sign-binaries' instead of 'sign-package'

Thanks for your help Quinn
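The three checks the thread walks through (which of the two `security find-identity` lists the Developer ID Installer identity appears in, signing the package with the installer-signing tool rather than a code-signing one, and verifying with `pkgutil --check-signature` and `spctl -a -t install`) can be scripted. The script below is an added example, not code from the thread, from Munki or from Apple. The `security find-identity` output it parses is constructed to match the shape of real output, with made-up SHA-1 hashes and a made-up team name and ID; the function names are the example's own. Only the last function needs macOS (productsign, pkgutil, spctl); the parsing runs anywhere with a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the thread above). Two parts:
#  1. parse the two lists that `security find-identity` prints when run with no
#     -p option, so a script can tell "present but not valid" from "absent";
#  2. on macOS only, sign a package with productsign (the installer-signing
#     tool; codesign is for code, hence "cannot be used for signing code")
#     and verify it with pkgutil and spctl.
# The sample output below is constructed to match the shape of real output;
# the hashes and the team name/ID are made up.

SAMPLE_FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Pty Ltd (TEAMID0000)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Installer: Example Pty Ltd (TEAMID0000)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Distribution: Example Pty Ltd (TEAMID0000)"
     3 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Pty Ltd (TEAMID0000)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Installer: Example Pty Ltd (TEAMID0000)"
     2 valid identities found'

# identity_in_list OUTPUT LIST NAME
#   OUTPUT: text from `security find-identity` (no -p, so installer identities show)
#   LIST:   "Matching identities" or "Valid identities only"
#   NAME:   identity name prefix, e.g. "Developer ID Installer"
# Prints the SHA-1 of the first entry in LIST whose name starts with NAME;
# exit status 1 if there is none.
identity_in_list() {
    printf '%s\n' "$1" | awk -v list="$2" -v name="$3" '
        # List headers are indented by two spaces and start with a letter;
        # entries start with "N)" and a 40-hex-digit SHA-1 in field 2.
        /^  [A-Za-z]/ { inlist = (index($0, list) > 0); next }
        inlist && $2 ~ /^[0-9A-F]+$/ && length($2) == 40 && index($0, "\"" name) {
            print $2; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# check_signing_identity OUTPUT NAME
#   0 = in "Valid identities only" (usable), 1 = in "Matching identities" only
#   (typically the private key is missing from the keychain, or the cert is
#   expired or its chain incomplete), 2 = not in the keychain at all.
check_signing_identity() {
    if identity_in_list "$1" "Valid identities only" "$2" >/dev/null; then
        return 0
    elif identity_in_list "$1" "Matching identities" "$2" >/dev/null; then
        echo "$2: matching but not valid; check the private key, expiry and chain" >&2
        return 1
    else
        echo "$2: not found in the keychain" >&2
        return 2
    fi
}

# sign_and_verify_pkg UNSIGNED.pkg SIGNED.pkg "Developer ID Installer: ..."
# macOS only. productsign signs installer packages; codesign would fail with
# exactly the "cannot be used for signing code" error from the thread.
sign_and_verify_pkg() {
    command -v productsign >/dev/null 2>&1 || { echo "productsign not available (not macOS)" >&2; return 2; }
    productsign --sign "$3" "$1" "$2" || return 1
    pkgutil --check-signature "$2" || return 1
    # Gatekeeper assessment for an installer package. A package whose signature
    # pkgutil accepts but that is not notarized is still reported as rejected
    # here, so a rejection at this step points at notarization, not the signature.
    spctl -a -t install -vv "$2"
}

# Stand-alone demo: the live keychain on macOS, the constructed sample elsewhere.
if command -v security >/dev/null 2>&1; then
    IDENTITIES=$(security find-identity)
else
    IDENTITIES=$SAMPLE_FIND_IDENTITY
fi
if check_signing_identity "$IDENTITIES" "Developer ID Installer"; then
    echo "Developer ID Installer identity is usable with productsign"
fi
```

The point of running `security find-identity` without `-p codesigning` is the one Quinn makes: the installer identity lacks the code-signing purpose by design, so a purpose-filtered query hides it even when it is perfectly valid. Distinguishing "matching" from "valid" is what tells you whether the identity itself is broken or, as in this thread, the wrong tool is being pointed at it.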