That doesn't explain my issue with installer packages though. When I take the last known working pkg (built using Xcode 12.0 under macOS 10.15.7) and open it on 10.10, if I click the certificate icon in the upper-right corner, I can see that it says
Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.1135220.127.116.11 )
Surely that means 10.10 is able to handle SHA 256.
Also, last night I installed Xcode 12.2 on my iMac (which I haven't upgraded to macOS 11 yet), and if I build the installer package there, it works fine on 10.10. So the only difference between the two build machines (both Intel) is that my MBP is running macOS 11 and the iMac is running 10.15.7. The iMac produces a perfectly usable installer package for 10.10 all the way up to macOS 11 including Apple Silicon, but the MBP seems to produce something which is only valid for most OSes, but not 10.10 or 10.11
What's the best way to do that? Using `pkgutil --expand` just gives me the payload, distribution.xml and resources. None of which show any appreciable differences.
Using `pkgutil --verbose --check-signature` just reports
Status: invalid signature
For the one built under macOS 11.
Yeah, I do that too. I already have a bunch of VMs for testing (going all the way back to 10.6.8!) and an additional one running macOS 10.13 for building a version that runs on 10.6.8 - 10.9.5. I don't desperately want to introduce yet another non-scriptable step to my build process for something that really feels like a bug in the OS or build tools.