How to create an Apple Installer Package Signing Certificate

Copy-paste documentation for myself. For more information about the certificate extensions, have a look at the Apple Developer ID Certification Practice Statement.

  1. Create apple.conf with the following content:

    [ req ]
    distinguished_name = req_name
    prompt = no
    [ req_name ]
    CN = my-test-installer
    [ extensions ]
    basicConstraints=critical,CA:false
    keyUsage=critical,digitalSignature
    extendedKeyUsage=critical,1.2.840.113635.100.4.13
    1.2.840.113635.100.6.1.14=critical,DER:0500
    
  2. Generate the key:

    openssl genrsa -out apple.key 2048

  3. Create the self-signed certificate:

    openssl req -x509 -new -config apple.conf -nodes \
    -key apple.key -extensions extensions -sha256 -out apple.crt
    
  4. Wrap the key and certificate into PKCS#12:

    openssl pkcs12 -export -inkey apple.key -in apple.crt -out apple.p12

  5. Import it into the keychain with open apple.p12. Select "Always trust".

  6. Use the certificate to sign installers:

    productbuild --sign "my-test-installer" ...
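
To confirm that step 3 produced a certificate carrying the extensions from apple.conf, the script below parses the output of openssl x509 -text. It is an added example, not part of the original notes; the function names check_installer_cert and ext_value are made up here, and it assumes openssl prints the two Apple OIDs numerically.

```shell
#!/bin/sh
# Added example: checks a certificate for the extensions set in apple.conf.
# check_installer_cert and ext_value are names made up for this example.

EKU_OID="1.2.840.113635.100.4.13"     # extendedKeyUsage value from apple.conf
EXT_OID="1.2.840.113635.100.6.1.14"   # extra critical extension from apple.conf

# ext_value TEXT HEADER: print the line following "HEADER: critical" in
# `openssl x509 -text` output. Prints nothing if the extension is absent
# or not marked critical.
ext_value() {
    printf '%s\n' "$1" | awk -v h="$2: critical" '
        found { print; exit }
        index($0, h) { found = 1 }'
}

# Returns 0 if all four extensions match, 1 on a mismatch, 2 if the file
# cannot be parsed as a certificate.
check_installer_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    rc=0
    case $(ext_value "$text" "X509v3 Basic Constraints") in
        *CA:FALSE*) ;;
        *) echo "FAIL: basicConstraints is not critical,CA:false" >&2; rc=1 ;;
    esac
    case $(ext_value "$text" "X509v3 Key Usage") in
        *"Digital Signature"*) ;;
        *) echo "FAIL: keyUsage is not critical,digitalSignature" >&2; rc=1 ;;
    esac
    # Assumption: openssl has no short name for this OID and prints it numerically.
    case $(ext_value "$text" "X509v3 Extended Key Usage") in
        *"$EKU_OID"*) ;;
        *) echo "FAIL: extendedKeyUsage lacks critical $EKU_OID" >&2; rc=1 ;;
    esac
    if ! printf '%s\n' "$text" | grep -Fq "$EXT_OID: critical"; then
        echo "FAIL: extension $EXT_OID missing or not critical" >&2; rc=1
    fi
    return $rc
}

# Run against the file given on the command line, e.g. sh check.sh apple.crt
if [ -n "$1" ]; then
    check_installer_cert "$1" && echo "OK: $1 matches apple.conf"
fi
```

Running it on apple.crt before step 4 catches a mistyped section name in -extensions, which openssl may otherwise turn into a certificate without the Apple-specific extensions.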