How do we sign macOS PKG files?

Hello!

I am encountering an issue with Travis when it comes to importing a macOS cert and signing a PKG file. I have imported the cert successfully in the CI and the “identity” is visible through security find-identity. I am using the correct macOS cert type, Developer ID: Installer, to sign the MSI.

Now onto the issue. When signing a PKG, the command becomes stuck at “pkgbuild: adding certificate Apple Root CA”. There is no error or other output than this; the command never terminates. This would cause the CI to time out.

Restarting the build in debug mode, SSHing into the CI and running all the commands prior to signing a PKG, the issue still happens. Thinking maybe an intermediary cert is missing, I imported the 2 certs into the keychain (Apple Root CA, Apple Worldwide Developer…) yet the issue persists.

The way I am importing these certs is exporting them from my local machine as a base64 string, encrypting them using the Travis CLI and decrypting them on the CI and importing them like this:

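KEY_CHAIN=build.keychain
INSTALLER_CERT=installer.p12
# Decode the base64-encoded .p12 exported from the local machine
base64 --decode ./scripts/Travis/certs/macOS-cert-installer.txt > "$INSTALLER_CERT"
# Create a dedicated keychain, make it the default and unlock it
security create-keychain -p travis "$KEY_CHAIN"
security default-keychain -s "$KEY_CHAIN"
security unlock-keychain -p travis "$KEY_CHAIN"
# Import the certificate and key; -T lists the applications allowed to use the key
security import "$INSTALLER_CERT" -k "$KEY_CHAIN" -P "$MACOS_PRODUCTION_CERT_INSTALLER_PASSWORD" -T /usr/bin/codesign
# Set the key partition list so Apple-signed tools can use the key
security set-key-partition-list -S apple-tool:,apple: -s -k travis "$KEY_CHAIN"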

The weird part is that I can sign a .app file just fine. I am importing 2 certificates in my build (the script above just shows importing 1).

Is this a possible bug or known issue? Is this how we sign PKG/installer files in Travis?

Thanks in advance for your time,
Gavin
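
One check for the import step in the post above, as an added example that is not part of the original post: `security import -T` names the applications allowed to use the imported key, and the posted command lists only /usr/bin/codesign. The script compares that list with the tools the build signs with; that the PKG is signed by /usr/bin/pkgbuild, and that a missing entry matters for the hang, are assumptions, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: report which signing tools a
# `security import` command line does NOT grant key access to via -T.

# Print the application paths passed with -T, one per line.
trusted_apps() (
    prev=""
    for word in "$@"; do
        if [ "$prev" = "-T" ]; then
            printf '%s\n' "$word"
        fi
        prev="$word"
    done
)

# Print the tools from the wanted list that are absent from the -T list.
# Usage: missing_tools "tool1 tool2 ..." <security import arguments...>
missing_tools() (
    wanted="$1"
    shift
    granted="$(trusted_apps "$@")"
    for tool in $wanted; do
        # -x: whole-line match, -F: fixed string (paths contain no patterns)
        if ! printf '%s\n' "$granted" | grep -qxF "$tool"; then
            printf '%s\n' "$tool"
        fi
    done
)

# The import arguments from the post; the password is a constructed placeholder.
IMPORT_ARGS="import installer.p12 -k build.keychain -P PLACEHOLDER -T /usr/bin/codesign"

# Assumption: the build signs the .app with codesign and the PKG with pkgbuild.
SIGNING_TOOLS="/usr/bin/codesign /usr/bin/pkgbuild"

# Word splitting of IMPORT_ARGS is intentional (no argument contains spaces).
# shellcheck disable=SC2086
missing_tools "$SIGNING_TOOLS" $IMPORT_ARGS
```

Run in CI before the signing step, an empty result means every listed signing tool appears in the import's `-T` list.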
