Fixing packages with expired signatures

In my previous post, I provided a tool to enable you to check your collection(s) of packages to determine if any are affected by the Package Apocalypse.

But what to do once you’ve found packages with expired signatures? If Apple has provided an updated replacement package at http://support.apple.com/downloads/, it’s probably best to replace the package with the expired signature with the updated one.

But that might not always be possible — Apple has not provided replacements for every package that has been affected, or the replacement might not be practical to use.

For example, the packages included in the iLife ’11 Install DVD have expired signatures. The only “replacement” available would be the Mac App Store versions of the iLife 11 apps. Not all iLife ’11 apps from the DVD have App Store equivalents, and distributing the App Store versions is a whole different set of issues.

So the ideal solution here is to somehow fix the packages with expired signatures so they will work with your software distribution mechanism. It turns out that you can do this with an Apple-provided tool — pkgutil.


pkgutil --expand SomeFlat.pkg /tmp/SomeFlat.pkg
pkgutil --flatten /tmp/SomeFlat.pkg SomeFlatFixed.pkg

Expanding and reflattening a flat package has a side-effect of removing the package signing. The command-line installer tool will happily (at least as of this writing) install unsigned flat packages.

So there you have it — a way to fix packages broken by the Package Apocalypse. But it’s a tedious process. To help, I offer yet another tool — flatpkgfixer.py.

This tool will remove package signing either from a single flat package:


./flatpkgfixer.py /path/to/expired.pkg /path/to/new_fixed.pkg

or can fix up an entire disk image containing packages:


./flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg

This tool is brand new, and could very well have bugs, but I hope it’s useful to some!
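A check to run after the expand/flatten step above, added here as an example (it is not part of the original post or of flatpkgfixer.py): a flat package is a xar archive, so the script reads the xar table of contents of the original and the fixed copy and reports whether the signature element is gone and whether any archived file's recorded checksum differs. The function names are hypothetical and the sample packages are constructed header-plus-TOC stubs.

```python
import io
import struct
import sys
import xml.etree.ElementTree as ET
import zlib

MAX_TOC = 16 * 1024 * 1024  # refuse absurdly large tables of contents


def read_toc(fobj):
    """Parse the XML table of contents of a xar archive (flat package)."""
    head = fobj.read(28)
    if len(head) < 28 or head[:4] != b"xar!":
        raise ValueError("not a xar archive")
    # Big-endian: magic, header size, version, TOC length packed/unpacked, alg
    _, hdr, _ver, clen, ulen, _alg = struct.unpack(">4sHHQQI", head)
    fobj.seek(hdr)
    raw = fobj.read(min(clen, MAX_TOC + 1))
    inflater = zlib.decompressobj()
    xml = inflater.decompress(raw, MAX_TOC)  # bounded against zip bombs
    if (len(raw) != clen or inflater.unconsumed_tail or len(xml) != ulen
            or b"<!DOCTYPE" in xml or b"<!ENTITY" in xml):
        raise ValueError("malformed or unexpected table of contents")
    toc = ET.fromstring(xml).find("toc")
    if toc is None:
        raise ValueError("no <toc> element")
    return toc


def signature_info(toc):
    """List the signature elements in the TOC with their certificate counts."""
    return [{"style": el.get("style"),
             "certificates": sum(c.tag.endswith("X509Certificate") for c in el.iter())}
            for el in toc if el.tag in ("signature", "x-signature")]


def extracted_checksums(node, prefix=""):
    """Map each archived path to the (style, digest) recorded for its content."""
    sums = {}
    for f in node.findall("file"):
        path = prefix + (f.findtext("name") or "")
        ck = f.find("data/extracted-checksum")
        if ck is not None:
            sums[path] = (ck.get("style"), (ck.text or "").strip().lower())
        sums.update(extracted_checksums(f, path + "/"))  # nested entries
    return sums


def compare(original, fixed):
    """Compare an original flat package with its re-flattened copy."""
    o, f = read_toc(original), read_toc(fixed)
    oc, fc = extracted_checksums(o), extracted_checksums(f)
    return {
        "signature_removed": bool(signature_info(o)) and not signature_info(f),
        "changed_or_missing": sorted(p for p in oc if fc.get(p) != oc[p]),
        "added": sorted(set(fc) - set(oc)),
    }


def sample_pkg(signed, payload_sha1):
    """Constructed stub (xar header + TOC, no heap) used only for the demo."""
    sig = (b'<signature style="RSA"><offset>20</offset><size>256</size>'
           b'<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
           b'<X509Certificate>Q09OU1RSVUNURUQ=</X509Certificate>'
           b'</X509Data></KeyInfo></signature>') if signed else b""
    toc = (b'<?xml version="1.0" encoding="UTF-8"?><xar><toc>' + sig +
           b'<file id="1"><name>Payload</name><data><extracted-checksum '
           b'style="sha1">' + payload_sha1 + b'</extracted-checksum></data>'
           b'</file></toc></xar>')
    z = zlib.compress(toc)
    return io.BytesIO(struct.pack(">4sHHQQI", b"xar!", 28, 1, len(z), len(toc), 1) + z)


if __name__ == "__main__":  # usage: script.py original.pkg fixed.pkg
    demo = [sample_pkg(True, b"aa11"), sample_pkg(False, b"aa11")]
    srcs = [open(p, "rb") for p in sys.argv[1:3]] if len(sys.argv) == 3 else demo
    print(compare(*srcs))
```

Anything listed under changed_or_missing or added is worth inspecting before the unsigned copy goes into a distribution share, since the signature no longer vouches for the contents.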


88 Comments on “Fixing packages with expired signatures”


  1. [...] Greg Neagle’s checkPackageSignatures and flatpkgfixer scripts are extremely helpful here. checkPackageSignatures will help you find expired certificates [...]

  2. rtrouton Says:

    I’ve tested this on a iLife 11 retail disk image and it works as advertised. Once package signing was removed from the flat packages contained in iLife .dmg, I was able to install iLife 11 and then update it with the correct updates from Software Update.


  3. [...] this after Friday, March 23 2012, make sure to remove iLife 11′s package signing using Greg Neagle’s flatpkgfixer script prior to using the repackaging procedure [...]

  4. innermotion Says:

    Thanks so much Greg this has saved the day.

  5. Matthew Says:

    How do you do it? I’m clueless, pls help ASAP!

    • Joe Sofia Says:

      You must be as confused as I was, Matthew. I figured it out though. In my case I used an iLife 11 Install DMG that I created in Disk Utility. Saved that to the desktop. We ultimately are modifying this DMG, which is the whole point of this script, to a new DMG that has the flat files repaired. First you have to take the script that he makes available and save it as a text document, saving it with a .py (Python Script) extension, in this case flatpkgfixer.py. I saved the file to my desktop. From there you have to give the script executable permissions by opening up the terminal and running the command:

      sudo chmod a+x ~/Desktop/flatpkgfixer.py

      From there it should prompt you for your password. Enter it and continue.

      Now comes time to execute the script. I will tell you what worked for me.

      From terminal

      sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg

      From there it will create a newly repaired iLife 11 DMG. Hope that explains it.

      • Bob Reed Says:

        Does anyone here know of a way to add a bundle identifier to an existing package? When I run Apple software update, I get a ton of errors for “missing bundle identifiers” in Office 2008 receipt files. I know that Office is running fine and the problem is limited only to the Office packages in /Library/Receipts. So I thought if I could somehow add a bundle identifier to each of the offending packages, I’d stop getting the errors for my users.

      • Jacques Paul Says:

        Followed your very clear instructions and all went well.
        Installed iLife 2011 on Lion 10.7.4 without problem.
        The only FLAW is with software update.
        It is not offering me iPhoto updates (only all the others).
        iPhoto is not working on Lion without the updates (9.1 followed by 9.2.3).
        Did you meet the same problem?


  6. This is great news to wake up to this morning. Thanks for finding this for us and sharing, Greg- our workflows aren’t as broken as they looked on Friday.


  7. [...] Trials and Tribulations of an OS X Administrator « Xcode 4 Cocoa-Python Templates Fixing packages with expired signatures [...]

  8. acdesigntech Says:

    Reblogged this on acdesigntech and commented:
    Since this is a pretty big deal in the world of Apple System Management, I am re-blogging this on acdesigntech so it gets more coverage. Thanks for everything, Greg!

  9. acdesigntech Says:

    It’s so nice not to have my hands tied with this anymore (or at least, less tied). Despite underscoring a true need for some enterprise support oversight at Apple, this is going to give way too much ammo to our windows admins now. le sigh…

  10. Don Montalvo Says:

    Wow…dude….U ROK!!!!! :):):)

  11. Matt Says:

    Why am I getting failed to create at the end? Am I doing anything wrong?

  12. Dimitris Paralis Says:

    Do in terminal “chmod a+x /path/flatpkgfixer.py” before using.
    Thank you for the script, it is perfect!


  13. Thank you, thank you, thank you!

    Now we have an automated solution for those packages not re-signed by Apple, and don’t have to task some monkey with repackaging them all!

  14. Brian Martin Says:

    Greg,

    What can I say man?? Your work and diligence saved me again. Luckily, I had some time and plenty of bandwidth over our spring break this week to deal with re-downloading our software update mirrors.

    Without your fix, imaging this summer would have been very bad!! Not fond of having to apply this to legitimate installer CDs such as iLife 11 and iWork 09, but at least I know of the issue and have a fix thanks to you.

    Made sure to kick a note up to the Apple rep though on the discs and forwarded your posts on to other K-12 Mac admins in Indiana and Michigan so maybe they can plan accordingly.

  15. Don Montalvo Says:

    Quick question…that you can run the script on a DMG and have it recursively “fix” all the PKG installers within it…does this mean we can run it on an entire share and have it “fix” all the PKG installers on that share?

    Else do we have to run it once on each PKG on that share?

    Thanks,
    Don

    • GregN Says:

      Sorry, flatpkgfixer.py works on a single flat package or single disk image at a time. It needs a source and destination.

      Someone else can write a wrapper that fixes up an entire share!

  16. Cameron Kay Says:

    I can’t seem to get the script to work on the GarageBandBasicContent.pkg package that the App Store version of Garage Band 6.x downloads and installs when you run Garage Band the first time.

    pkgutil has problems trying to extract the Payload file.

    Any ideas how to fix this?

  17. decio1 Says:

    We were mass-deploying when I stumbled upon your news: now we know why iLife11, Garageband, ARD, … refuse to install and how to fix it.
    You saved our day!
    Thank you very much for sharing.
    Greetings from some grateful Swiss K-12 macadmins.

  18. gparalis Says:

    I have fixed all iLife11 pkg with /flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg command line, copied all the fixed pkg to my Iceberg project and, after that, I have replaced the untouched iLife.pkg (original one) to my Iceberg project to get the compiled package to work.

    thanks for your help!!

    To get iLife11 working I used the flatpkgfixer.py script, fixing the signatures of the iLife pkgs with the command /flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg; after moving the fixed pkgs into my Iceberg project folder, I put the original iLife.pkg back into my Iceberg project folder before the final compilation.

    Thank you for your valuable help.

  19. thad gann Says:

    This is wonderful work and the fix looks great. Sadly I’m stuck on 10.6.8 for some months to come and was wondering if there was anything I could do to fix the packages that I have now.

  20. David Young Says:

    Good Day Sir

    Sorry for a very dumb question but I really need to fix my ilife2011.dmg.

    Where will I open the flatpkgfixer.py and where will I type

    ./flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg

    Thank You so much!!! I really need your help

  21. David Young Says:

    It says…

    Last login: Thu Mar 29 11:04:27 on ttys000
    cd ‘/Users/macservemanila/’ && ‘/usr/bin/pythonw’ ‘/Users/macservemanila/flatpkgfixer.py’ && echo Exit status: $? && exit 1
    MacServeManilas-MacBook:~ macservemanila$ cd ‘/Users/macservemanila/’ && ‘/usr/bin/pythonw’ ‘/Users/macservemanila/flatpkgfixer.py’ && echo Exit status: $? && exit 1
    Too few arguments!
    Usage: flatpkgfixer.py sourceitem destination

    MacServeManilas-MacBook:~ macservemanila$ ./flatpkgfixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg
    -bash: ./flatpkgfixer.py: Permission denied
    MacServeManilas-MacBook:~ macservemanila$

    Please help me sir… Thank You so much

    • GregN Says:

      flatpackagefixer.py is a Python script. You’ll either need to set the execute bit:

      chmod a+x /Users/macservemanila/flatpackagefixer.py

      Then:

      /Users/macservemanila/flatpackagefixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg

      (all one line)

      Or call it from python:

      python /Users/macservemanila/flatpackagefixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg

      (all one line)

  22. David Young Says:

    I knew how to run it. Thank you sir!!!!

  23. David Vandenborn Says:

    A big thank you for sharing this tool!

    It could be enhanced if it also converted the packages within a .mpkg file.

    • David Vandenborn Says:

      Never mind, I was a bit too eager.
      I wanted to use the tool with iWork09.mpkg. But that file doesn’t have a certificate to begin with.

  24. Graeme Challis Says:

    love your work, thanks heaps!

  25. Bob Reed Says:

    I am not able to download flatpackagefixer.py using the link you’ve provided. Is that link now dead?

  26. John Says:

    Another solution to the problem is to set the clock to an earlier date. I’ve installed all iTunes updates after setting the clock prior to March 23rd and the installation worked like a charm.

    • Quilty Says:

      that totally worked for me as well! thanks Greg for making this post and for the script. Thanks John for the alternate solution!


  27. The signature on a pkg can be quickly identified and stripped without extracting and flattening the package. I put together a quick proof of concept tool to do it: https://github.com/etrepum/strip_pkg_signature


  28. [...] posted as reply to Greg Neagle’s post regarding his very helpful tool to fix PKG installers with expired certs, this deserves some [...]

  29. Wajeeha Harris Says:

    Thanks a lot, you’re my hero

  30. akismet-c8fc1337f1fe51f60fdf3a1e9a7e248d Says:

    I just ran into this with deploystudio trying to install some (still current) Apple distributed printer drivers.

    I found it easier to just add the -allowUntrusted flag to the /usr/bin/installer command, but of course I’m only comfortable with that because I know every package on the server, there’s an obvious security risk in doing it this way.


  31. [...] Neagle has released two extremely useful scripts, checkPackageSignatures and flatpkgfixer. checkPackageSignatures will help you find expired certificates in your packages and disk [...]

  32. Sandro Says:

    Many thanks for this script :-P

  33. Tacti Says:

    this is a life saver for me! Thanks!

  34. armando Says:

    thank you thank you thank you sooooo much !! you saved my day !! make my life so much easier !! you’re my hero ! marry me !!

  35. fakhry hasan Says:

    Thank you for this. I thought I had to redownload the combo update, but with your help, I could update easily without doing it…

  36. Jacques Paul Says:

    Worked for me but for one thing.
    After installation, software update does not offer me an update for iPhoto.
    iPhoto is not working; it has to be updated.
    Does somebody have the same problem?

  37. Richard Dwyer Says:

    Still lost. Uncertain what my dmg needs to be named. I named it “iLife ’11 Install DVD” but get a file doesn’t exist error. What should my dog be named?

    • GregN Says:

      You may name it anything you’d like. Are you tripping over embedded spaces in the name? Perhaps you might want to copy and paste exactly what you are trying and what results you have.

  38. Richard Dwyer Says:

    What should my dog be named? Ooops! What should my dog be named?

  39. Richard Dwyer Says:

    dog = .dmg What the hell?

  40. Richard Dwyer Says:

    embedded spaces in the name? Don’t understand

    • GregN Says:

      I’m guessing you haven’t used the command-line much, then. Please copy and paste what you are trying to do so we don’t have to guess.

  41. Richard Dwyer Says:

    can you call me, or can I call you?

  42. Richard Dwyer Says:

    I think I got it going. Says: Mounting /Users/richarddwyer/Desktop/iLife ’11 Install DVD.dmg…

  43. taycha Says:

    File “strip_pkg_signature.py”, line 28
    VERSIONS = {0, 1}
    ^
    SyntaxError: invalid syntax

    • taycha Says:

      Did not work for me

    • GregN Says:

      That’s not my script. Looks like you are trying to use Bob Ippolito (@etrepum)’s script.

      You might want to open an issue here:
      https://github.com/etrepum/strip_pkg_signature

      • taycha Says:

        I tried your script with success however, it still says that I need to update to the latest version before I can run the software…

      • Jacques Paul Says:

        Yes Taycha, you have to update manually especially for iPhoto.

        This is a post from this forum, READ THAT:
        More info for iPhoto 9 vs Software Update

        It appears that the only update for iPhoto 9 currently offered in Apple Software Update is the iPhoto 9.3 update.

        There are two problems with this.

        This update requires Mac OS X 10.7.4. If you are running anything older, it will not be shown as an available update.
        This update requires iPhoto 9.1. If you are running iPhoto 9.0, it will not be shown as an available update.

        Workarounds:
        For 10.7.4 machines, install the standalone iPhoto 9.1 update. The 9.3 update will become available. (Of course you could just use the standalone updates to update all the way to iPhoto 9.3.)

        For machines running OS X versions earlier than 10.7.4, you’ll need to use the standalone updates to first update to iPhoto 9.1, then to iPhoto 9.2.3.

        You will have to download the updates from the Apple site:
        iMovie 9.0.4
        http://support.apple.com/kb/DL1412
        iPhoto 9.1 first and 9.2.3 second (the two are necessary if you are not on Lion 10.7.4).
        http://support.apple.com/kb/DL1322
        http://support.apple.com/kb/DL1514

        Hope that helps

  44. Jacques Paul Says:

    This is all the info I have collected from the different posts and from my own experience with it to have a perfectly working iLife 2011 installed over Lion and Snow Leopard.
    I put everything together in one post to facilitate the use of this wonderful script to everybody.

    This is for those who have a problem installing iLife 2011 from the original DVD or .dmg – unexpected error or Expired certificate.
    The solution is a script that will remove the certificate from iLife 2011.dmg using terminal.
    Expanding and reflattening a flat package has a side-effect of removing the package signing.
    So there you have it — a way to fix packages broken by the Package Apocalypse.
    You can also use that script for other broken Apple packages (you change the name in the script).
    The source for this information: Forum: http://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/#comment-10832
    Download link for the script flatpkgfixer.py:
    http://dl.dropbox.com/u/8119814/flatpkgfixer.py

    HOW TO by Joe Sofia:
    In my case I used an iLife 11 Install DMG that I created in Disk Utility. Saved that to the desktop. We ultimately are modifying this DMG, which is the whole point of this script, to a new DMG that has the flat files repaired. First you have to take the script that he makes available and save it as a text document, saving it with a .py (Python Script) extension, in this case flatpkgfixer.py. I saved the file to my desktop. From there you have to give the script executable permissions by opening up the terminal and running the command:
    sudo chmod a+x ~/Desktop/flatpkgfixer.py
    From there it should prompt you for your password. Enter it and continue.
    Now comes time to execute the script. I will tell you what worked for me.
    From terminal
    sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg
    From there it will create a newly repaired iLife 11 DMG. Hope that explains it.

    Note: you have to have a password in order to use the Terminal.
    Make sure that the name (iLife ‘2011) in the script is exactly the name of your .dmg.
    If not, the terminal will tell you that it cannot find your .dmg (copy the name from terminal and paste it on your .dmg).

    Software update will NOT offer you the update for iPhoto and iMovie, but you are going to have it for GarageBand, iDVD and iWeb.

    You will have to download the updates from the Apple site:
    iMovie 9.0.4
    http://support.apple.com/kb/DL1412
    iPhoto 9.1 first and 9.2.3 second (the two are necessary if you are not on Lion 10.7.4).
    http://support.apple.com/kb/DL1322
    http://support.apple.com/kb/DL1514

    More info for iPhoto 9 vs Software Update

    It appears that the only update for iPhoto 9 currently offered in Apple Software Update is the iPhoto 9.3 update.

    There are two problems with this.

    This update requires Mac OS X 10.7.4. If you are running anything older, it will not be shown as an available update.
    This update requires iPhoto 9.1. If you are running iPhoto 9.0, it will not be shown as an available update.

    Workarounds:
    For 10.7.4 machines, install the standalone iPhoto 9.1 update. The 9.3 update will become available. (Of course you could just use the standalone updates to update all the way to iPhoto 9.3.)

    For machines running OS X versions earlier than 10.7.4, you’ll need to use the standalone updates to first update to iPhoto 9.1, then to iPhoto 9.2.3.

    Hope that helps

  45. fred payet Says:

    just worked like a charm for iLife11. many thanks for this tool !

    • Chris Baker Says:

      OK, so I am running Mountain Lion (10.8) and I am trying to install iWeb 3.0.4 manual update using the DMG file from CNET downloads. I currently have an older version of iWeb installed, but it doesn’t give me an error that others are having where it tells you it cannot find the previous version. I followed the instructions above using the Python script. Everything was successful, and the _fixed.dmg was created on the Desktop path with no errors. When I try to install from the fixed DMG, I still get the error, “iWeb Update can’t be installed on this disk. This update requires Mac OS X 10.7 or newer.”

      Any ideas?

  46. Richard Says:

    Hello, thank you for your help! When I write sudo python ~/Desktop/flatpkgfixer.py ~/Volumes/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg in Terminal, the answer is that it doesn’t exist. And when I open the finder, I can’t see it on User/Desktop, but I can see it on my real desktop. I don’t understand at all. Is that because I’m working on Snow Leopard?

    • GregN Says:

      Do this instead:

      Make sure the iLife ’11 Install DVD is NOT mounted. If the dmg is on your desktop then:

      sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg

  47. Pepe Grillo Says:

    I think you are missing further information about the code I had to refer to some commentary

  48. bernard Says:

    thank you so much for this – it worked with the newly installed mountain lion – now Iphoto works again. Had I known it would cause so many problems I would not have bothered with it at all. Thanks again.

  49. Jorge Says:

    Sorry Greg for the complete noob question. I googled a lot on how to execute .py on mac. How do I execute your script python on ML ?

    • GregN Says:

      A similar question was asked and answered earlier in this set of comments. I replied then:

      flatpackagefixer.py is a Python script. You’ll either need to set the execute bit:

      chmod a+x /path/to/flatpackagefixer.py

      Then:

      /path/to/flatpackagefixer.py /path/to/iLife.dmg /path/to/iLife11_fixed.dmg

      (all one line)

      Or call it from python:

      python /path/to/flatpackagefixer.py /path/to/iLife.dmg /path/to/iLife11_fixed.dmg

      (all one line)

  50. zanuf Says:

    Reblogged this on Zanuf….


  51. [...] I was not able to install the downloaded MAC to the flash drive for the installation. I was getting the "Certificate Expired Error" and by doing google I found a script which fixes this issue. http://managingosx.wordpress.com/201…ed-signatures/ [...]

  52. Philip Says:

    Great tool–thank you!!! Unfortunately, I’m unable to get it to work properly. After the python script runs for a few minutes (expanding/flattening the different packages), it ends up giving me an error during what I think is nearly the end of the process:

    Excerpt of lines just prior to the failure:

    Expanding /private/tmp/dmg.1NOv20/Installer/Packages/iPhotoLibraryUpgradeTool.pkg to /tmp/tmpo8zsi9/iPhotoLibraryUpgradeTool.pkg…
    Flattening /tmp/tmpo8zsi9/iPhotoLibraryUpgradeTool.pkg to /tmp/tmpKWA4TZ/iPhotoLibraryUpgradeTool.pkg…
    Expanding /private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg to /tmp/tmpo8zsi9/iWeb.pkg…
    Problem extracting file from package: /tmp/tmpo8zsi9/iWeb.pkg/Payload
    ERROR: Command ‘['/usr/sbin/pkgutil', '--expand', '/private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg', '/tmp/tmpo8zsi9/iWeb.pkg']‘ returned non-zero exit status 1 expanding /private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg

    I tried re-running the entire workflow, step-by-step as described on this page (thanks for the wonderful instructions). However, it failed at the exact same place again, with the same error message. I know just enough to be dangerous, so could somebody please kindly enlighten me as to what my problem might be, and how I might go around fixing it? Just in case it helps, here are the exact commands I’m running:

    sudo chmod a+x ~/Desktop/flatpkgfixer.py

    sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/Apple/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg

    • GregN Says:

      Sounds like the disk image of your iLife DVD might be corrupt, since it can’t successfully expand the iWeb.pkg.

      You could confirm by trying to do it manually.

      • Philip Says:

        Thanks for the tip! Fortunately, iWeb is one of the features I DON’T want, so maybe I can redo all the others individually. I believe there are instructions above to do just that (I was trying to do the whole install dmg in one fell swoop), but I’ll re-read this page. Thank you.

    • Philip Says:

      I was able to successfully complete the process, though I had to use the script referenced above on this page:

      Bob Ippolito (@etrepum) Says:

      April 12, 2012 at 4:08 pm
      The signature on a pkg can be quickly identified and stripped without extracting and flattening the package. I put together a quick proof of concept tool to do it: https://github.com/etrepum/strip_pkg_signature

      Reply
      GregN Says:

      April 12, 2012 at 4:11 pm
      That seems like it would be a lot faster than my method! Please go back in time three weeks and release your tool!

      Reply

      This process worked well, and was very fast indeed! I had to make a new dmg, but I deleted the programs I don’t want anyway to make a smaller dmg. THANK YOU for hosting this page and creating the solutions!!! Install was successful, THANKS TO YOU!!

  53. Whitney Says:

    I keep getting “SyntaxError: unexpected character after line continuation character” in terminal

    • GregN Says:

      When you do what, exactly?

      • Whitney Says:

        I’ve saved the flatpkgfixer.py to my desktop and then I entered

        “sudo chmod a+x ~/Desktop/flatpkgfixer.py

        from there it should prompt you for your password. Enter it and continue.

        Now comes time to execute the script. I will tell you what worked for me.

        From terminal

        sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg”

  54. Tunde Says:

    You have syntax errors from rampant use of ” and spaces.
    Check those and it should work.

  56. neric Says:

    thk you sooooooo muuuuuuuuuuuuuch Joe

