
Are .pkg/.mpkg originating from Apple codesigned and can be verified?

Cheers everybody,


I wonder if Apple software that is distributed as .pkg or .mpkg files (whether on CD or elsewhere) is codesigned. I know that the program files within the packages are codesigned and I know how to verify these signatures. This, however, can only be done easily after having installed the (m)pkg. At that time it might already be too late, if someone has fiddled with the (m)pkg and added some malware. Then you need to deal with that problem.


So the question is: is Apple codesigning the (m)pkg files such that their validity may be verified before installing them, and how do you verify that signature?

I have tried to use the codesign tool to check for signatures on pkgs on my installation disks, but they did not seem to be signed. Maybe I looked in the wrong place.


Anybody?


Best,

J C

Posted on Jul 16, 2011 4:35 AM
