Whats the difference between codesign and productsign?

Question

What is the difference between Apple codesign and productsign. I have been playing around with them both and whilst I cannot sign code with productsign it appears I can sign a package with codesign.

So two main questions:

• Whats the difference between codesign and productsign?
• Can I use codesign to sign packages?

Answer 1

• codesign

— used for codesigning application bundles, frameworks, verifying and manipulating signatures, etc.

• productsign

— used specifically for codesigning .pkgs and .mpkgs (Installer packages/archives).

But why can I sign a package using codesign?

The codesign tool is used to validate what you sign as single entity — meaning the same program. An installer package is not one entity, it's actually several (the contents, the installer, and installer scripts/plugins). Since the codesign tool does not make distinctions that your .pkg is actually something completely separate from what's contained within it, using it to sign an installer package can result in an invalid signature, or your installer crashing.

Apple's Code Signing Guide Reads

"In the case of installer packages (.pkg and .mpkg bundles), everything is implicitly signed: The CPIO archive containing the payload, the CPIO archive containing install scripts, and the bill of materials (BOM) each have a hash recorded in the XAR header, and that header in turn is signed. Therefore, if you modify an install script (for example) after the package has been signed, the signature will be invalid."

---