Hello! We built a macOS .pkg using pkgbuild (contains a DMG + postinstall bash script). The pkg works locally on the build machine but fails on other devices manually / via MDM unless signed.
We tried signing with a Developer ID Installer certificate, but: security find-identity -p codesigning -v → 0 valid identities security find-identity -v → shows the cert Private key is present in Keychain
OpenSSL check shows: X509v3 Extended Key Usage: Critical
(Expected one might be: Code Signing)
We recreated CSR + cert multiple times (G2 Sub-CA), ensured Login keychain, unlocked keychain, etc., but same result.
Question: Why is the Developer ID Installer cert missing Code Signing usage and not recognized for signing? Is there any account restriction or step we might be missing? Any recommendations on resolving this issue.
Thanks!