productsign is capable of replacing an installer package’s signature entirely. Consider the transcript below. I started with a package that’s signed with my Developer ID. I replaced that with a Mac App Store signature. I then replaced it again with a Developer ID one.
I’m not sure what’s going on with your setup. It’s possible that productsign is getting mixed up about what identity to use. If so, you can pass the SHA-1 hash for the identity instead. To see a list of identities and their hashes, run the following command:
% security find-identity -v
If that doesn’t fix it, try running my test, that is, replace the signature with something obviously different and then again with your new Developer ID, dumping the signature at each step. Does that behave correctly?
This is on macOS 12.2 btw.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
% pkgutil --check-signature PrivilegedTool.pkg
Package "PrivilegedTool.pkg":
…
Certificate Chain:
1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
Expires: 2022-08-01 16:32:52 +0000
…
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
…
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
…
% productsign --sign "3rd Party Mac Developer Installer: Quinn Quinn (SKMME9E2Y8)" PrivilegedTool.pkg PrivilegedTool-re-signed.pkg
…
% pkgutil --check-signature PrivilegedTool-re-signed.pkg
Package "PrivilegedTool-re-signed.pkg":
…
Certificate Chain:
1. 3rd Party Mac Developer Installer: Quinn Quinn (SKMME9E2Y8)
Expires: 2022-04-16 14:02:16 +0000
…
------------------------------------------------------------------------
2. Apple Worldwide Developer Relations Certification Authority
Expires: 2030-02-20 00:00:00 +0000
…
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
…
% productsign --sign "Developer ID Installer: Quinn Quinn (SKMME9E2Y8)" PrivilegedTool-re-signed.pkg PrivilegedTool-re-signed-2.pkg
…
% pkgutil --check-signature PrivilegedTool-re-signed-2.pkg
Package "PrivilegedTool-re-signed-2.pkg":
…
Certificate Chain:
1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
Expires: 2022-08-01 16:32:52 +0000
…
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
…
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
…
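A check to run after each productsign step in a transcript like the one above, as an added example that is not part of the original post: it reads `pkgutil --check-signature` output and confirms that the first certificate in the chain is the identity you meant to sign with. The function names and the trimmed sample output are constructed for illustration, and the parsing assumes only the "Certificate Chain:" layout visible in the transcript.

```shell
#!/bin/sh
# Added example: identify who signed a package from `pkgutil --check-signature` output.

# chain_names: read pkgutil output on stdin and print each certificate name in
# the "Certificate Chain:" section, one per line, signing identity first.
chain_names() {
    awk '
        /Certificate Chain:/ { in_chain = 1; next }
        in_chain && /^[ \t]*[0-9]+\.[ \t]/ {
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "")   # drop the "1. " index
            sub(/[ \t]+$/, "")                 # drop trailing whitespace
            print
        }
    '
}

# leaf_identity: print only the first certificate in the chain (empty if none).
leaf_identity() {
    chain_names | sed -n '1p'
}

# signed_by EXPECTED: succeed only if the leaf certificate name equals EXPECTED.
# Output with no chain at all gives an empty leaf, so the check fails.
signed_by() {
    [ "$(leaf_identity)" = "$1" ]
}

# Constructed sample: trimmed output in the shape shown in the transcript above.
SAMPLE_RESIGNED='Package "PrivilegedTool-re-signed.pkg":
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: Quinn Quinn (SKMME9E2Y8)
       Expires: 2022-04-16 14:02:16 +0000
       ------------------------------------------------------------------------
    2. Apple Worldwide Developer Relations Certification Authority
       Expires: 2030-02-20 00:00:00 +0000
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000'

# Assumed usage on a Mac, after the final re-sign:
#   pkgutil --check-signature PrivilegedTool-re-signed-2.pkg |
#       signed_by "Developer ID Installer: Quinn Quinn (SKMME9E2Y8)" ||
#       echo "package is not signed with the expected identity" >&2
```

Comparing the whole leaf name, rather than searching for a substring, keeps a "3rd Party Mac Developer Installer" signature from passing a check meant for "Developer ID Installer".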