Here I am wondering: I can timestamp the SHA-1 signature with a SHA-256 timestamp, but does that make sense? I would think that I include the SHA-1 signature only for compatibility, so I guess I should use a SHA-1 timestamp for it.
I have an application which is packed into a pkg file using productbuild and then is signed using productsign. However, when I run pkgutil --check-signature, only the SHA1 signature is shown. I also tried to create a self-signed certificate using the instructions reported here, but the problem is still the same. The only difference is that when the Apple certificate is used (Developer ID Installer: ...) all the chain is dumped to the screen, but also for the other certificates only the SHA1 signature is shown.
Why does productsign use SHA1 instead of SHA256 to sign the pkg?
I am still seeing this issue with notarization. I see that when we use productsign it takes an identity which is SHA1 only. I wonder if the issue with notarization is that the signature needs to be SHA256. If that's the case, how do I use the productsign command to sign using SHA256?
Gatekeeper, first introduced in Mountain Lion (10.8, 2012), is a Mac security feature designed to protect Apple computers from malicious software. Gatekeeper checks applications against the list of apps that Apple has approved for its App Store or, where the application is not offered through the App Store, checks that they have been code signed by developers who have Apple-issued certificates. It does not perform any safety checks by itself, other than verifying that the application wasn't changed since the developer signed it, nor does it offer any guarantees about the developer other than that they are paying Apple US$99 per year (aka an "Identified Developer").
This is especially important on ARM64 M1 Apple processors which require all native code to be validly signed (if only ad hoc) or the operating system will not execute it, instead killing it on launch. To ad hoc sign an application:
codesign -dv --verbose=4 /Applications/Utilities/Terminal.app
Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Identifier=com.apple.Terminal
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CDHash=0941049019f9fa3499333fb5b52b53735b498aed6cde6a23
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68
Tracks the live user sessions coming in over HTTP. Flushing this cache would cause all users to be signed out immediately, forcing them to sign-in again. To avoid breaking active users, this cache is not flushed automatically by gerrit flush-caches --all, but instead must be explicitly requested.
Git has a configuration option to hide refs from the initial advertisement (uploadpack.hideRefs). This option can be used to hide the change refs from the client. As a consequence, fetching changes by change ref does not work anymore. However, by setting uploadpack.allowTipSha1InWant to true, fetching changes by commit ID is possible. If download.checkForHiddenChangeRefs is set to true, the git download commands use the commit ID instead of the change ref when a project is configured like this.
If kerberos authentication is enabled with sshd.kerberosKeytab, use the given principal name instead of the default. If the principal does not begin with host/, a warning message is printed and may prevent successful authentication.