Re: Installer pkg built with Xcode 12.2 won't open in macOS 10.10 and 10.11

Mark Allan

On 8 Dec 2020, at 2:20 am, Jack Brindle via <jackbrindle@...> wrote:

That is the issue! Your post jogged my memory. The older versions of macOS need SHA1, but the Apple Silicon version of macOS doesn’t do SHA-1. Apple switched over to SHA-256 several years ago, maintaining both in the system. But, it looks like they didn’t maintain the SHA-1 for Apple Silicon systems. It may be very important to keep an Intel Mac around to handle builds for the foreseeable future.


That doesn't explain my issue with installer packages though. When I take the last known working pkg (built using Xcode 12.0 under macOS 10.15.7) and open it on 10.10, if I click the certificate icon in the upper-right corner, I can see that it says 
Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )

Surely that means 10.10 is able to handle SHA 256.

Also, last night I installed Xcode 12.2 on my iMac (which I haven't upgraded to macOS 11 yet), and if I build the installer package there, it works fine on 10.10. So the only difference between the two build machines (both Intel) is that my MBP is running macOS 11 and the iMac is running 10.15.7.  The iMac produces a perfectly usable installer package for 10.10 all the way up to macOS 11 including Apple Silicon, but the MBP seems to produce something which is only valid for most OSes, but not 10.10 or 10.11

On 7 Dec 2020, at 9:48 pm, Alex Zavatone via <zav@...> wrote:

Out of curiosity, do you have an older copy of the installer that works on those platforms?

You may be able to open it up and view the entitlements/config files and see the differences.

What's the best way to do that? Using `pkgutil --expand` just gives me the payload, distribution.xml and resources. None of which show any appreciable differences.

Using `pkgutil --verbose --check-signature` just reports
Status: invalid signature
For the one built under macOS 11.

One option is to create a VM with one of those operating systems on it and install a version of Xcode that works on 10.10 and 10.11, then deliver these special case installers or create installers that work on that OS and see what the difference is.

I keep around old 50 GB VMWare images and old Xcode installers just in case.

Yeah, I do that too. I already have a bunch of VMs for testing (going all the way back to 10.6.8!) and an additional one running macOS 10.13 for building a version that runs on 10.6.8 - 10.9.5. I don't desperately want to introduce yet another non-scriptable step to my build process for something that really feels like a bug in the OS or build tools.


Join to automatically receive all group messages.