HT204413: About Security Update 2015-002

Nuke

Q: SHA-1 certificate wrong - download Security Update 2015 -002 Apple.com

As I can't seem to login to Apple for the Software Update today, I decided to download the Security update directly.

I always check the SHA-1 certificate when I do a direct download.

After downloading the update found at "Security Update 2015-002 Mavericks" twice, I still find the following SHA-1 fingerprint.

1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD

But the linked page showing what the SHA-1 fingerprint should be, "How to verify the authenticity of manually downloaded Apple Software Updates - Apple Support", shows:

Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate, which is:

SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF

Note: Older installers could have this SHA-1 fingerprint:

SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2

Either the update has been messed with or the webpage showing what the fingerprint should be is old. The last modified date for the verification information page is:

Last Modified: Nov 13, 2014

So which is it?

MacBook Pro, OS X Mavericks (10.9.5)

Posted on Mar 11, 2015 7:42 AM


  • Juan Palacios, Level 1 (0 points), Apr 10, 2015 11:01 AM, in response to Nuke

    I also see that Certificate fingerprint, and it appears to be legit... but most ironically I can't find it on Apple's site:

    http://www.apple.com/certificateauthority/

    You'll see that the "Software Update Certificate" that you can download from there has the following SHA-1 fingerprint:

    9C:86:47:71:48:B3:D7:04:24:7A:3C:3F:56:EA:2D:E5:94:4B:01:C2

    (run "openssl x509 -fingerprint -in SoftwareUpdateCA.cer -noout" in Terminal to obtain it)

    which is the old certificate listed on the "How to verify (...)" site that you link to. Let's hope Apple really does correct this information ASAP, as the mismatch can be incredibly misleading at best!

  • Juan Palacios, Level 1 (0 points), Apr 10, 2015 11:10 AM, in response to Nuke

    The fingerprint we're seeing is indeed legit, we were both making a mistake. That fingerprint is for the "Software Update" Certificate, which is a child of the "Apple Software Update Certification Authority" certificate, whose SHA1 fingerprint does match Apple's information on the "How to verify (...)" page.

    Also, if you run from Terminal "pkgutil --check-signature $foo", where $foo should be replaced by the path to an Apple-provided pkg, you'll see that the printed certificate chain checksums will match perfectly.

    So nothing to worry about, false alarm!
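The mix-up in this thread comes from two things: fingerprints shown in different display forms (Apple's page uses space-separated pairs, openssl prints colon-separated pairs), and a leaf certificate being compared against a published CA fingerprint. The example below is added here and is not code from the thread or from Apple; it normalizes fingerprint display forms, computes a fingerprint the way `openssl x509 -fingerprint` does (SHA-1 over the certificate's DER bytes), and checks every link of a chain against the published values rather than only the leaf. The published fingerprints are the ones quoted above; the PEM block is a constructed sample whose body decodes to the bytes `abc` (a standard SHA-1 test vector), not a real certificate, and all function names are my own.

```python
"""Check X.509 SHA-1 fingerprints against published values, chain-aware.

A certificate fingerprint is SHA-1 over the certificate's DER encoding, which
is exactly what `openssl x509 -fingerprint` prints. Apple publishes the
fingerprint of its Software Update CA; the leaf "Software Update" certificate
that signs the package has its own, different fingerprint, so the comparison
has to be made against the right link in the chain.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Published CA fingerprints quoted in the thread above.
APPLE_SOFTWARE_UPDATE_CA: Dict[str, str] = {
    "current": "FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF",
    "older": "9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2",
}

# Constructed sample, NOT a real certificate: the base64 body decodes to the
# bytes b"abc", whose SHA-1 is a well-known test vector. It only exercises the
# PEM -> DER -> fingerprint path.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def normalize(fp: str) -> str:
    """Reduce any display form (colons, spaces, lower case) to 40 upper-case hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digits


def pretty(fp: str, sep: str = " ") -> str:
    """Render as space-separated (Apple's page) or colon-separated (openssl) byte pairs."""
    digits = normalize(fp)
    return sep.join(digits[i:i + 2] for i in range(0, len(digits), 2))


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM-encoded certificate."""
    block = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if block is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(block.group(1).split()))


def fingerprint_from_der(der: bytes) -> str:
    """SHA-1 fingerprint of a certificate given its DER encoding."""
    return pretty(hashlib.sha1(der).hexdigest())


def fingerprint_from_pem(pem: str) -> str:
    """SHA-1 fingerprint of a PEM-encoded certificate."""
    return fingerprint_from_der(pem_to_der(pem))


def match_fingerprint(fp: str, expected: Dict[str, str]) -> Optional[str]:
    """Return the label of the published value that `fp` equals, or None."""
    wanted = normalize(fp)
    for label, value in expected.items():
        if normalize(value) == wanted:
            return label
    return None


def check_chain(chain: List[str], expected: Dict[str, str]) -> Dict[int, str]:
    """Map each chain position whose fingerprint is a published value to its label.

    An empty result means nothing in the chain is a certificate Apple publishes,
    which is the case that warrants concern. The leaf alone not matching the CA
    fingerprint is the normal situation and is what caused the false alarm above.
    """
    hits: Dict[int, str] = {}
    for index, fp in enumerate(chain):
        label = match_fingerprint(fp, expected)
        if label is not None:
            hits[index] = label
    return hits


if __name__ == "__main__":
    # The chain the thread describes: the leaf fingerprint the poster saw,
    # followed by the older Software Update CA as printed by openssl.
    chain = [
        "1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD",
        "9C:86:47:71:48:B3:D7:04:24:7A:3C:3F:56:EA:2D:E5:94:4B:01:C2",
    ]
    print("leaf alone matches:", match_fingerprint(chain[0], APPLE_SOFTWARE_UPDATE_CA))
    print("chain positions matching a published CA:", check_chain(chain, APPLE_SOFTWARE_UPDATE_CA))
    print("sample PEM fingerprint:", fingerprint_from_pem(SAMPLE_PEM))
```

To run this against a real download, feed `pem_to_der` the output of `openssl x509` for each certificate in the signing chain, or simply read the per-certificate SHA-1 values that `pkgutil --check-signature` prints into `check_chain`. The point of the chain-aware check is that a leaf fingerprint that is absent from Apple's page is expected; only a chain in which no certificate matches a published CA fingerprint is a reason to distrust the package.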