Mac Developer Library Developer


This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.

productsign(1)            BSD General Commands Manual           productsign(1)

     productsign -- Sign an OS X Installer product archive

     productsign [options] --sign identity input-product-path output-product-path

     productsign adds a digital signature to a product archive previously created with productbuild(1).
     Although you can add a digital signature at the time you run productbuild(1), you may wish to add a
     signature later, once the product archive has been tested and is ready to deploy. If you run
     productsign on a product archive that was previously signed, the existing signature will be replaced.

     To sign a product archive, you will need to have a certificate and corresponding private key --together -together
     together called an ``identity'' -- in one of your accessible keychains. To add a signature, specify the
     name of the identity using the --sign option. The identity's name is the same as the ``Common Name'' of
     the certificate.

     If you want to search for the identity in a specific keychain, specify the path to the keychain file
     using the --keychain option. Otherwise, the default keychain search path is used.

     productsign will embed the signing certificate in the product archive, as well as any intermediate cer-tificates certificates
     tificates that are found in the keychain. If you need to embed additional certificates to form a chain
     of trust between the signing certificate and a trusted root certificate on the system, use the --cert
     option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to
     embed multiple intermediate certificates.

     The signature can optionally include a trusted timestamp. This is enabled by default when signing with
     a Developer ID identity, but it can be enabled explicitly using the --timestamp option. A timestamp
     server must be contacted to embed a trusted timestamp. If you aren't connected to the Internet, you can
     use --timestamp=none to disable timestamps, even for a Developer ID identity.

     --sign identity-name
                 The name of the identity to use for signing the product archive.

     --keychain keychain-path
                 Specify a specific keychain to search for the signing identity.

     --cert certificate-name
                 Specify an intermediate certificate to be embedded in the product archive.

                 Include a trusted timestamp with the signature.

                 Disable trusted timestamp, regardless of identity.

                   The product archive to be signed.

                   The path to which the signed product archive will be written. Must not be the same as


Mac OS                        September 15, 2010                        Mac OS

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.