Iceberg Installer and 10.9.5 codesigning

We have updated to 10.9.5 and can successfully codesign our app after also signing all of the MBS plugins with our own signature. We use the Iceberg Installer to create a .pkg file for the app and support files. However we can no longer get the .pkg to codesign correctly. After codesigning the .pkg file when we verify it, we get the following:

codesign --verify --deep --verbose=3 Foo.pkg
foo.pkg: resource envelope is obsolete

codesign --verify --deep --verbose=3 --no-strict Foo.pkg
Foo.pkg: valid on disk
Foo.pkg: satisfies its Designated Requirement

I have been hunting around for a week trying to workout where the problem lies which has led to more confusion that anything else.

Is this a 10.9.5 bug that requires Apple to fix, something we are doing incorrectly or an inherent problem with the structure of the .pkg file produced by the Iceberg Installer?

Any advice on this would be much appreciated.

I’ve not used iceberg to build installers, but the Apple productBuild function takes a code signature and signs the installer. App Wrapper uses the productBuild function to create signed installers that are accepted for the App Store.

What I do know is that the changes made for code signing v2, are much stricter than before and it could be the iceberg tool does something slightly wrong, which is why the code sign command kicks it out. Files being in the wrong place will cause code sign to fail.

Hi Sam,

Thanks for the reply. We are not distributing via the App Store but do want to allow our downloaded installer to be passed by Gatekeeper as coming from a recognised developer.

Can we use App Wrapper to sign the installer created by Iceberg?
Any suggestion on how to determine if/what Iceberg is creating is incorrect?

Unfortunately, trying to figure out exactly what Apple’s requirements and what Iceberg (may) be doing wrong is a very length task. It took a long time to figure out part of their code signing process for applications, only to have Apple change the rules again.

They keep it so that using their tools (Xcode) is easy and provide minimal documentation for other tools.

The direction I’m thinking would be to figure out exactly what is it about Iceberg that you need and then seeing if we can do something very close using the Apple built in tools.

The function for creating Installer for MAS is rather limited, but there is another function, perhaps we can put our heads together and crack this.

Have you asked on the installer-dev mailing list, which is the support list for Iceberg? Perhaps it’s a problem with Iceberg that the developer needs to fix. Isn’t Iceberg the old version that has been replaced by Packages?

Possibly a bug in 10.9.5

The command line tool “codesign” has changed in 10.9.5 and 10.10, you need to pass “--no-strict” option to the command, (the problem has been reported and will be fixed). To workaround the problem, please save a copy and modify PackageApplication to pass “—no-strict” to codesign, you can locate PackageApplication by running the following:- xcrun -sdk iphoneos -f PackageApplication


Our solution was to switch from Iceberg to Packages. This is by the same author who has been really helpful with this.