yeah, it's a bug I don't really have a workaround for... I can't delete my expired key from my keychain because Mail.app finds and re- adds it when it scans through old emails, and PackageMaker.app always chooses the first certificate it matches for a given name (meaning it will choose the oldest/expired cert). It's either sign with the expired one or don't sign at all. The pkg is also signed with with gpg cert and md5/sha1sum'd, so if you don't want to trust my expired cert, use those methods to verify it. --Jeremy On Jan 7, 2009, at 04:54, David Waitzman wrote:

Please note that your signing certificate used for X11-2.3.2.1 expired on Friday, November 28, 2008 7:10:43 PM ET.

-- David Waitzman BBN Technologies 410-290-6160