productsign(1) General Commands Manual productsign(1)

productsignSign a macOS Installer product archive

productsign [options] --sign identity input-product-path.pkg output-product-path.pkg

productsign adds a digital signature to a product archive previously created with productbuild(1). Although you can add a digital signature at the time you run productbuild(1), you may wish to add a signature later, once the product archive has been tested and is ready to deploy. If you run productsign on a product archive that was previously signed, the existing signature will be replaced.

To sign a product archive, you will need to have a certificate and corresponding private key -- together called an “identity” -- in one of your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as the “Common Name” of the certificate.

If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise, the default keychain search path is used.

productsign will embed the signing certificate in the product archive, as well as any intermediate certificates that are found in the keychain. If you need to embed additional certificates to form a chain of trust between the signing certificate and a trusted root certificate on the system, use the --cert option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to embed multiple intermediate certificates.

The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity.

identity-name
The name of the identity to use for signing the product archive.
keychain-path
Specify a specific keychain to search for the signing identity.
certificate-name
Specify an intermediate certificate to be embedded in the product archive.
Include a trusted timestamp with the signature.
Disable trusted timestamp, regardless of identity.
input-product-path
The product archive to be signed.
output-product-path
The path to which the signed product archive will be written. Must not be the same as input-product-path. The output path should be package. If the package already exists, it will be overwritten.

productbuild(1)

September 15, 2010 macOS