areyouex

Q: SHA-1 fingerprint / certification of update problem (10.10.3)

Hello everyone.

 

I downloaded the new Update (v 10.10.3) via the Apple download page since it took too long for me to download it via the App Store. I wanted to check if everything is ok with it, so I looked at the certificate (it displayed a green checkmark) and at the SHA-1 fingerprint.

The official page from Apple (named "How to verify the authenticity of manually downloaded Apple Software Updates") says the SHA-1 should be: SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF, but my SHA-1 is different.

 

So, is the page not updated yet or is something wrong with my downloaded update?

 

What does your SHA-1 say?

 

Thanks for answers

Posted on Apr 12, 2015 8:25 AM


  • by Latranner,

    Latranner Latranner Apr 12, 2015 8:47 AM in response to areyouex
    Level 1 (60 points)

    What are you using to calculate the SHA-1 value?

  • by areyouex,

    areyouex areyouex Apr 12, 2015 9:01 AM in response to Latranner
    Level 1 (0 points)

    As far as I see there are two possibilities:

     

    One via terminal and the other one via the update package:

     

    Mac OS X: How to verify a SHA-1 digest - Apple Support

     

    How to verify the authenticity of manually downloaded Apple Software Updates - Apple Support

  • by Barney-15E,Helpful

    Barney-15E Barney-15E Apr 12, 2015 2:37 PM in response to areyouex
    Level 9 (50,047 points)
    Mac OS X

    I submitted a bug report. I'm not sure what they will do about it, or how fast they will respond.

  • by areyouex,

    areyouex areyouex Apr 12, 2015 9:32 AM in response to Barney-15E
    Level 1 (0 points)

    So should I be worried? Because I already installed the update, so far everything seems fine but I still wanted to be 100% sure...

  • by Barney-15E,Helpful

    Barney-15E Barney-15E Apr 12, 2015 2:37 PM in response to areyouex
    Level 9 (50,047 points)
    Mac OS X

    areyouex wrote:

     

    So should I be worried? Because I already installed the update, so far everything seems fine but I still wanted to be 100% sure...

    I wouldn't be worried. They likely haven't updated the support document for the newer installer.

  • by areyouex,

    areyouex areyouex Apr 12, 2015 10:01 AM in response to Barney-15E
    Level 1 (0 points)

    Ok, thank you.

     

    I would still appreciate if someone could check his SHA-1 and post it here, so me and other people could compare...

  • by Latranner,

    Latranner Latranner Apr 12, 2015 10:28 AM in response to areyouex
    Level 1 (60 points)

    Here's my SHA-1 on my MacBook Pro. Looks like it matches Apple's.

     

    Screen Shot 2015-04-12 at 11.27.51.png

  • by Drew Reece,Solvedanswer

    Drew Reece Drew Reece Apr 12, 2015 10:53 AM in response to Barney-15E
    Level 5 (7,527 points)
    Notebooks

    It's very easy to select the wrong cert at the top of the window, which will show the wrong value. Double check that you have the same item selected when viewing the installer's certificates.

    Barney-15E wrote:

    I wouldn't be worried. They likely haven't updated the support document for the newer installer.

     

    That is the SHA-1 of the certificate not the installer, if Apple have a new cert it could be OK if they correct that page with the same SHA-1 for the cert you see, but the point of these is to verify that Apple created the items you are installing & that they have not been tampered with in transit. I think you should worry if you have 'mission critical' uses for the Mac, the same as you would worry if you installed from any other untrusted source (maybe you do that anyway - in which case meh!).

     

    Other recent updates use the same cert as that page shows (the 10.9 security updates, iTunes 12.1.2 update). It's curious that only you two have this different SHA-1, would you mind sharing where you are located? Mine was downloaded in the UK. You should both post the result you see for the SHA-1 value.

     

    'pkgutil' should also show the signatures in the installer if you want another easy way to see them all in one go. (note the reversed order, and we are verifying number 2).

    https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/pkgutil.1.html

     

    pkgutil -v --check-signature /Volumes/OS\ X\ 10.10.3\ Update\ Combo/OSXUpdCombo10.10.3.pkg

    Package "OSXUpdCombo10.10.3.pkg":
       Status: signed Apple Software
       Certificate Chain:
        1. Software Update
           SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
           -----------------------------------------------------------------------------
        2. Apple Software Update Certification Authority
           SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
           -----------------------------------------------------------------------------
        3. Apple Root CA
           SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
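
The check the thread converges on, as an added example that is not part of the original posts: pick the chain entry by certificate name before comparing, so the leaf "Software Update" fingerprint is never compared with the value published for "Apple Software Update Certification Authority". The function names are made up for this example, and the sample output is copied from the post above so it runs without macOS.

```shell
# Published SHA-1 of the "Apple Software Update Certification Authority"
# certificate, as quoted in the thread.
EXPECTED_CA_SHA1="FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF"

# pkgutil output as posted in the thread (separator lines shortened),
# embedded so the example runs without macOS.
SAMPLE_OUTPUT='Package "OSXUpdCombo10.10.3.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       ----------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       ----------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

# cert_fingerprint NAME: read pkgutil output on stdin and print the SHA-1 of
# the chain entry whose name is exactly NAME (prints nothing if absent).
cert_fingerprint() {
    awk -v want="$1" '
        /^[ \t]*[0-9]+\. / {              # "  2. <certificate name>"
            name = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", name)
            sub(/[ \t]+$/, "", name)
            next
        }
        /SHA1 fingerprint:/ && name == want {
            fp = $0
            sub(/^.*SHA1 fingerprint:[ \t]*/, "", fp)
            sub(/[ \t]+$/, "", fp)
            print toupper(fp)
            exit
        }'
}

# check_ca: read pkgutil output on stdin; succeed only if the status line is
# present and the named CA entry carries the published fingerprint.
check_ca() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Status: signed Apple Software' || return 1
    got=$(printf '%s\n' "$out" | cert_fingerprint "Apple Software Update Certification Authority")
    [ -n "$got" ] && [ "$got" = "$EXPECTED_CA_SHA1" ]
}

# On a Mac: pkgutil -v --check-signature /path/to/Update.pkg | check_ca
printf '%s\n' "$SAMPLE_OUTPUT" | check_ca && echo "CA fingerprint matches"
```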

  • by Drew Reece,

    Drew Reece Drew Reece Apr 12, 2015 11:35 AM in response to Drew Reece
    Level 5 (7,527 points)
    Notebooks

    P.S.

    This was the combo update that I checked, not the standard update installer, it was what I had available.


    The standard update installer also agrees for me…

    pkgutil -v --check-signature /Volumes/OS\ X\ 10.10.3\ Update/OSXUpd10.10.3.pkg

    Package "OSXUpd10.10.3.pkg":
       Status: signed Apple Software
       Certificate Chain:
        1. Software Update
           SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
           -----------------------------------------------------------------------------
        2. Apple Software Update Certification Authority
           SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
           -----------------------------------------------------------------------------
        3. Apple Root CA
           SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

  • by Barney-15E,

    Barney-15E Barney-15E Apr 12, 2015 12:07 PM in response to Drew Reece
    Level 9 (50,047 points)
    Mac OS X

    You're correct. I was looking at the Software update cert, not the installer cert.

  • by areyouex,

    areyouex areyouex Apr 12, 2015 12:09 PM in response to Drew Reece
    Level 1 (0 points)

    *facepalm*, I realised my mistake. EVERYTHING IS OK.

     

    In the certification window (via the lock icon) of an installer you can choose between "Apple Software Certification Authority" and "Software Update".

    (Like you said Drew Reece)

     

    I only looked at the SHA-1 of the "Software Update" one, not the "Apple Software Update Certification Authority". Like your picture shows: The SHA-1 of the Software update is not the same as shown on the Apple support page. The SHA-1 on the Apple support page is the "Apple Software Update Certification Authority" one (and not the "Software Update" one I looked at).

     

    I thought there was only one SHA-1 Number, I didn't realise that there were two.

     

     

    Thank you all, especially Drew Reece. You made me realise the mistake.

  • by Drew Reece,

    Drew Reece Drew Reece Apr 12, 2015 1:43 PM in response to areyouex
    Level 5 (7,527 points)
    Notebooks

    This is the second time I have seen this mistake - Apple could do with fixing this UI. It's silly that it selects the cert that is not the relevant one by default. The important info is below the scroll area, those hashes make people's eyes glaze over too. Frankly I prefer the pkgutil output – straight to the point.

     

    It's good news that the internet is not editing your installers, as you were…