Omnibus-toolchain signing on macOS

When building omnibus-toolchain on macOS, the script tries to sign some libraries, and the .pkg file. It looks like in both cases it uses the signing id in config/projects/omnibus-toolchain.rb / github chef/omnibus-toolchain/blob/master/config/projects/omnibus-toolchain.rb#L72

(No link above because message can't post links to "that host" which I can only assume is the link to Chef's GitHub repo)

Sorry if I'm being stupid, but using my own Apple deveoper certs, I can only get the builder to sign either the libraries or the pkg, depending on the value I specify in line 72 there. If I use the SHA-1 of a certificate "Mac Developer:" it signs the libraries, but fails on the .pkg (ie this identity cannot be used for signing code). If I use the CN of a certificate "Developer ID Installer:" it fails to sign the libraries. If I set it up to sign the libraries, it creates - but cannot sign - the package. However, I can sign the .pkg file by manually executing the pkgbuild command with my "Developer ID Installer" cert.

While omnibus code-wise looks like it uses just one cert, either single certificate does not seem to function for both. Is there a different single type of Apple Developer certificate (ie "Chef Software, Inc. (EU3VF8YLX2)") is that is being used to sign both kinds of things?

Edit - thanks to whoever fixed the flags on the other thread. Removed related parenthetical remarks from this post.