I find it hard to believe myself, but I got the method in the link to work and have now successfully signed a .pkg on Big Sur using my Installer certificate which launches on both Big Sur and 10.7.
A big problem was that the xar utility shipped with OS X is the basic version and does not have the commands needed for cert extraction and injection. I tried building the extended mackyle/xar 1.6.1 myself on arm64, but ran into issues quickly. I realized MacPorts is already working on arm64, has mackyle/xar included and luckily all the required libs are arm64 compatible already.
So I installed MacPorts and installed xar from that using sudo port install xar. Using this version I was able to do the exact steps listed in the link in the previous post, I just needed to adjust the path of xar to /opt/local/bin/xar to use the macports one.
The only thing that remains to be checked is whether the .pkg still passes Notarization.
Yep works… now I just need to write a script from this that works like productsign.
I ended up with this modified version of the script posted and called it xarsign.sh .
Update: WARNING! This method has been shown to not fully work. See later posts!
#!/bin/bash
# Original script from http://users.wfu.edu/cottrell/productsign/productsign_linux.html
#
# Written by Allin Cottrell, with help from MacKyle who added signing capabilities to xar.
# Requires a mackyle/xar install using MacPorts (sudo port install xar).
# The xar included in macOS cannot modify pkg signatures.
#
# Instructions on how to extract certs from a working foo.pkg and a .p12 file exported from
# Keychain Access.app are on the homepage:
#
# mkdir certs
# xar -f foo.pkg --extract-certs certs
#
# openssl pkcs12 -in "Dev ID Installer.p12" -nodes | openssl rsa -out "Dev ID Installer.pem"
#
# Usage: xarsign.sh /path/to/foo.pkg   (signs the pkg in place)
set -e   # abort before anything is injected if an earlier step fails
XARCMD="/opt/local/bin/xar"
# directory containing this script, the .pem key and the certs/ subdir
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
PKG="$1"
SIGFILE="$DIR/Dev ID Installer.pem"
if [ -z "$PKG" ] || [ ! -f "$PKG" ]; then
    echo "usage: $0 foo.pkg" >&2
    exit 1
fi
echo "determine signature length"
echo "$SIGFILE"
# sign empty input once; the output length equals the RSA modulus size in bytes
SIGLEN="$(: | openssl dgst -sign "$SIGFILE" -binary | wc -c | tr -d ' ')"
echo "$SIGLEN"
echo
echo "prepare signing data digest & add certs to pkg"
echo
# may have to adjust depending
# on the contents of the certs subdir in your case
"$XARCMD" --sign -f "$PKG" --digestinfo-to-sign digestinfo.dat \
    --sig-size "$SIGLEN" \
    --cert-loc "$DIR/certs/cert00" \
    --cert-loc "$DIR/certs/cert01" \
    --cert-loc "$DIR/certs/cert02"
echo "create signature"
# raw PKCS#1 v1.5 signature over the DigestInfo that xar wrote out
openssl rsautl -sign -inkey "$SIGFILE" -in digestinfo.dat -out signature.dat
echo
echo "inject signature into package"
"$XARCMD" --inject-sig signature.dat -f "$PKG"
# clean up
rm -f signature.dat digestinfo.dat
I created the “foo.pkg” on my 10.13 system and also exported the Developer ID Installer .p12 file on the 10.13 machine … just to be sure.
I put everything inside a directory like this:

Now I can just call xarsign.sh from anywhere with the pkg to sign as the argument.
