Installer packages signed with my team's "Developer ID Installer" certificate (using productsign) appear to sign without error, but the resulting "signed" packages do not display a padlock in the Installer GUI.
Inspecting a package with pkgutil --check-signature indicates that the package has been signed with a developer certificate issued by Apple for distribution, with a trusted timestamp, and with the Developer ID Installer cert in the first position in the trust chain, as expected. Further, I am able to successfully notarize the resulting signed packages.
Output of security find-identity -vp codesigning does include my team's "Developer ID Application" cert but not the "Developer ID Installer" cert, though both certs exist in my keychain along with the associated private keys, as far as I can tell.
Does the absence of the padlock in the Installer GUI indicate a problem with my signing workflow?