When building omnibus-toolchain on macOS, the script tries to sign some libraries, and the .pkg file. It looks like in both cases it uses the signing id in
(No link above because message can't post links to "that host" which I can only assume is the link to Chef's GitHub repo)
Sorry if I'm being stupid, but using my own Apple developer certs, I can only get the builder to sign either the libraries or the pkg, depending on the value I specify in line 72 there. If I use the SHA-1 of a certificate "Mac Developer:" it signs the libraries, but fails on the .pkg (i.e. this identity cannot be used for signing code). If I use the CN of a certificate "Developer ID Installer:" it fails to sign the libraries. If I set it up to sign the libraries, it creates - but cannot sign - the package. However, I can sign the .pkg file by manually executing the pkgbuild command with my "Developer ID Installer" cert.
While omnibus code-wise looks like it uses just one cert, either single certificate does not seem to function for both. Is there a different single type of Apple Developer certificate (i.e. "Chef Software, Inc. (EU3VF8YLX2)") that is being used to sign both kinds of things?
Edit - thanks to whoever fixed the flags on the other thread. Removed related parenthetical remarks from this post.