I have a file that is a program "add-on" that's a single flat-file that's placed in the "Users/Shared" folder.
Historically, I've been able to code-sign this file with the "Developer ID Application" certificate, then nest it in a DMG file, code-sign the DMG file with the "Developer ID Application" certificate, and then submit for notarization. The issue with this was that users had to undergo manual steps to ensure the file was placed in the correct location.
I then found "Packages" (http://s.sudre.free.fr/Packaging.html) which provide a UI for creating PKG files. I added the "Developer ID Installer" to the Packages preferences for signing the PKG file during the build process. No matter the approach the file never get correctly signed and fails notarization.
I have tried not signing during Packages build, and then performing the certification with Terminal.
"codesign --options=runtime --sign 'Developer ID Installer: XYZ123' -v /path/to/pkg-file"
When I do that I get the error: "Developer ID Installer: XYZ123: this identity cannot be used for signing code"
From looking at other posts I've tried: security find-identity which returns both of the correct Certificates for Application and Installer. So it is a valid certificate, but it doesn't seem to work. I've also checked on the Apple Developer website to confirm that the certificates are valid and haven't expired.
I've contacted the Packages application support over the last 3-4 days but we still can't seem to figure out what is causing it to fail.
Any help would be really appreicated