Apple packages (.pkgs) are opened by the GUI Installer.app or the command line installer command. If a package is unsigned and gets a quarantine flag (from being transferred over a network), the GUI Installer will refuse to run it. We can get around that with a right-click -> Open, but we shouldn’t be training computer users to ignore security warnings like this.
If you are creating your own packages, and users or techs may run them manually, then you really should be signing them. Even if you are deploying them in a way that a person won’t see a warning, signing packages can be very easy and provide a check that nothing changed since you created it. See below the break for how to easily automate signing packages. Continue reading