1 Reply Latest reply: May 7, 2013 5:34 PM by MrHoffman Branched to a new discussion.
macfrombrampton Level 1 (0 points)

Is there a SHa1 or Md5 hash check for Mountain lion like the other updated Aple provides?


It seems Apple provides Sha1 hashes for its updates but not for a major operating system? Why?

MacBook Pro, Mac OS X (10.6.8)
  • MrHoffman Level 6 (14,782 points)

    This is a question best asked of Apple directly; the "why" questions are often not something that non-Apple folks are in a position to answer.


    Of what's been posted and discussed about your question, "For updates delivered by Automatic Software Update, SHA-1 digest verification is performed automatically for you."  (HT1652)  


    For details on code signing used on more recent OS X releases, see the Code Signing Guide and review commands such as codesign --verify --deep-verify --verbose /applications/Install\ OS\ X\ Mountain\ Lion.app  and codesign --display -vvv  --entitlements - /applications/Install\ OS\ X\ Mountain\ Lion.app    Based on the output from those and related commands, the code-signing here is using SHA-1, and it traces back to Apple digital certificates.  


    AFAIK, the installation verifies the signatures, as it wouldn't be much value otherwise.


    US NSA and Apple security guides are among the available security-related documentation.   Apple's Gatekeeper (HT5290) might also be of some interest.


    Alternatively (and likely better), please call the Apple support center folks directly, as your requirements are clearly quite specialized, and it would appear your distribution path requirements may be equally specialized.


    FWIW, few folks are using MD5 anymore for anything more serious than detecting file transfer corruptions.