My installer is created using PackageMaker. After that I codesigned the installer using the following command.

productsign --sign 'Blah, Inc.' Install.mpkg/ CS/Install.mpkg

This seem to work pretty well and I could see that it is signed using the following command.

pkgutil --check-signature Install.mpkg

Since the certificate is installed on my system in keychain, the installer seem to show a little lock on top right corner. Clicking this opens up the certificate.

If the installer is placed in a system without the certificate installed the lock is no longer seen. However I could still run the command to check for certificate.

1) Is there a graphical way to check for code signing before installing? (I do not want to run command line)

2) I removed a folder from the mpkg file using finder to see if the installer will complain of tampering. But that does not happen. Is there a way the installer can stop install if it is tampered?

3) I also code signed all the binaries in my package (mostly daemons) using xcode's option to use certificate. Again I am able to see the binary as signed, however I do get a message kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=224[MyDaemon] clearing CS_VALID.

Googling, I found http://feedback.photoshop.com/photoshop_family/topics/photoshop_13_0_4_x64_how_can_i_get_rid_of_the_could_not_complete_your_request_because_of_a . However I am still not very clear what they are getting at. Could someone help me?

You can sign only flat packages. Your package has extension .mpkg which I believe is the older bundle format. Make sure you are using flat packages if you want to sign them.

You can sign .mpkg packages but you must sign it with the Developer ID Application cert and not the Developer ID Installer cert.

When you sign the .mpkg you get a number a warnings that the inner packages must be signed but the signing seems to be valid with or without the inner .pkg signed.

I have tested that modifying an internal .pkg causes the .mpkg to fail the Gatekeeper check

So for the each internal .pkg files you should:

sudo productsign --sign "<Developer ID Installer: Cert>" "<source.mpkg>/Contents/Packages/<source.pkg>" "<destination.mpkg>/Contents/Packages/<source.pkg>"

for then for the .mpkg do:

sudo productsign --sign "<Developer ID Application: Cert>" "<Source .mpkg>" "<Destination .mpkg>"