fix: Handle Developer ID certificate types for PKG signing

PKG signing with productsign requires "Developer ID Installer" certificate,
not "Developer ID Application" certificate. Updated scripts to:

- Check certificate type before attempting productsign
- Only sign PKG if proper Installer certificate is available
- Log clear warnings when using unsigned PKG
- App bundle inside PKG remains signed with Application certificate

This resolves the CI error: "productsign: error: Could not find appropriate
signing identity for 'Developer ID Application'"

Author: Dumbris

.github/workflows/prerelease.yml

@@ -520,8 +520,9 @@ jobs:
             echo "✅ Found Developer ID Installer certificate: ${PKG_CERT_IDENTITY}"
           else
             echo "⚠️  No specific Developer ID Installer certificate found"
-            echo "Using Developer ID Application certificate for PKG signing (this is valid)"
-            PKG_CERT_IDENTITY="${APP_CERT_IDENTITY}"
+            echo "Note: PKG signing requires a separate 'Developer ID Installer' certificate"
+            echo "App bundle will be signed with Developer ID Application, PKG will be unsigned"
+            PKG_CERT_IDENTITY=""  # Don't pass app cert to PKG signing
           fi
 
           # Export certificate identities for scripts to use
@@ -533,7 +534,12 @@ jobs:
           CORE_BINARY="mcpproxy"
 
           # Create PKG installer with both tray and core binaries
-          echo "Creating PKG installer with certificate: ${PKG_CERT_IDENTITY}"
+          if [ -n "${PKG_CERT_IDENTITY}" ]; then
+            echo "Creating signed PKG installer with certificate: ${PKG_CERT_IDENTITY}"
+          else
+            echo "Creating PKG installer (unsigned - app bundle inside will be signed)"
+            echo "Note: PKG signing requires a separate Developer ID Installer certificate"
+          fi
           ./scripts/create-pkg.sh ${TRAY_BINARY} ${CORE_BINARY} ${VERSION} ${{ matrix.goarch }}
 
           # Create installer DMG containing the PKG

scripts/create-pkg.sh

@@ -325,25 +325,40 @@ else
     fi
 fi
 
+# Check if the certificate is actually a "Developer ID Installer" certificate
 if [ -n "${INSTALLER_CERT_IDENTITY}" ]; then
+    if echo "${INSTALLER_CERT_IDENTITY}" | grep -q "Developer ID Installer"; then
+        echo "✅ Valid Developer ID Installer certificate found"
 
-    # Sign the PKG
-    productsign --sign "${INSTALLER_CERT_IDENTITY}" \
-                --timestamp \
-                "${PKG_NAME}.pkg" \
-                "${PKG_NAME}-signed.pkg"
+        # Sign the PKG with proper installer certificate
+        if productsign --sign "${INSTALLER_CERT_IDENTITY}" \
+                      --timestamp \
+                      "${PKG_NAME}.pkg" \
+                      "${PKG_NAME}-signed.pkg"; then
 
-    # Replace unsigned with signed
-    mv "${PKG_NAME}-signed.pkg" "${PKG_NAME}.pkg"
+            # Replace unsigned with signed
+            mv "${PKG_NAME}-signed.pkg" "${PKG_NAME}.pkg"
 
-    # Verify PKG signing
-    echo "=== Verifying PKG signature ==="
-    pkgutil --check-signature "${PKG_NAME}.pkg"
+            # Verify PKG signing
+            echo "=== Verifying PKG signature ==="
+            pkgutil --check-signature "${PKG_NAME}.pkg"
 
-    echo "✅ PKG signed successfully"
+            echo "✅ PKG signed successfully with Developer ID Installer certificate"
+        else
+            echo "❌ PKG signing with productsign failed"
+            echo "Keeping unsigned PKG"
+        fi
+    else
+        echo "⚠️  Certificate is not a Developer ID Installer certificate: ${INSTALLER_CERT_IDENTITY}"
+        echo "productsign requires specifically a 'Developer ID Installer' certificate"
+        echo "Creating unsigned PKG (component PKG is still signed with app certificate)"
+        echo ""
+        echo "Note: The app bundle inside the PKG is properly signed with Developer ID Application certificate"
+        echo "The PKG container itself will be unsigned, but may still work for testing"
+    fi
 else
     echo "❌ No Developer ID Installer certificate found"
-    echo "PKG will be unsigned (will not pass notarization)"
+    echo "Creating unsigned PKG (component PKG is still signed with app certificate)"
 fi
 
 # Clean up