User profile for user: Matti Haveri
Matti Haveri Author
User level: Level 6
19,676 points

How to check when the installer certificate will expire?

Some OS X installers expired on 14 February 2016 and will expire again 7 February 2023.


I can check expired certificates with pkgutil:


pkgutil --check-signature MacOSXServerUpdCombo10.6.7.pkg

Status: signed by a certificate that has since expired

pkgutil --check-signature MacOSXServerUpdCombo10.6.8.pkg

Status: signed Apple Software


How can I check when the certificate will expire?


https://tidbits.com/2016/03/02/previously-downloaded-os-x-installers-no-longer-work/


http://osxdaily.com/2016/04/12/check-packages-expired-certificates-mac-os-x/


Posted on Aug 29, 2019 6:43 AM

Reply

Similar questions

3 replies
User profile for user: Matti Haveri
Matti Haveri Author
User level: Level 6
19,676 points

Sep 2, 2019 7:19 AM in response to VikingOSX

I learned from a recent MacInTouch thread that (if the installer can be opened in that system version) in the upper-right corner of the Installer window there is an icon. Clicking it shows the package's certificate information, including expiration date.


But I don't know if that info can be trusted because for a recently downloaded MacOSXServerUpdCombo10.6.7.pkg that shows expiration date October 24 2019 while "pkgutil --check-signature" reports its certificate as expired.


"Suspicious Package" is a nice app that allows to inspect all kinds of details about software installer packages. It reports MacOSXServerUpdCombo10.6.7.pkg certificate as expired (*).


https://www.mothersruin.com/software/SuspiciousPackage/


(*) BTW, even if the system clock is turned to 1 February 2016, MacOSXServerUpdCombo10.6.7.pkg won't work because the installer fails. That can be fixed by running "Apple Software Installer Update 1.0" which needs Mac OS X 10.6.8 but can be installed via Pacifist in Mac OS X 10.6.3. But luckily MacOSXServerUpdCombo10.6.8 certificate is updated and also Software update still works. Obviously Apple forgot to fix the older installers.

Reply
User profile for user: VikingOSX
VikingOSX
User level: Level 10
123,164 points

Aug 30, 2019 11:43 AM in response to Matti Haveri

I arbitrarily downloaded a 10.8.5 Mountain Lion Combo update dated from 2013, and started poking about in it. No .plist that I encountered had any expiration date. There might be something stored in the bom, but you likely could not get at it with pkgutil until the package is actually installed, and then the following might work to dump the package receipt to a .plist:


pkgutil --pkg-info-plist foo.pkg


Otherwise, there could be certificate data compiled into the application binary, and the installer checks an internal expiration date to the current date. That would be my guess.



Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

How to check when the installer certificate will expire?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up