After using the Packages app to build my MySQL and Postgres installer packages, this is how I “looked into” them to see how they’ve been built and make any last minute edits, and then digitally signed them with my Apple Developer ID Installer certificate:
(1) cd to the directory with the built .pkg
(2) pkgutil --expand PostgreSQL-Installer.pkg output/
(3) do any edit of the distribution.dist file in output/
(4) pkgutil --flatten output/ PostgreSQL-Installer.pkg
(5) productsign --timestamp --sign FAEEV5252R PostgreSQL-Installer.pkg PostgreSQL-Installer.signed.pkg
where FAEEV5252R is my Apple Developer ID.
(6) spctl -a -v --type install PostgreSQL-Installer.pkg
to check that the signing is OK and that it won’t be rejected by macOS’s Gatekeeper.
And that’s it.