Fixing packages with expired signatures
In my previous post, I provided a tool to enable you to check your collection(s) of packages to determine if any are affected by the Package Apocalypse.
But what to do once you’ve found packages with expired signatures? If Apple has provided an updated replacement package at http://support.apple.com/downloads/, it’s probably best to replace the package with the expired signature with the updated one.
But that might not always be possible — Apple has not provided replacements for every package that has been affected, or the replacement might not be practical to use.
For example, the packages included in the iLife ’11 Install DVD have expired signatures. The only “replacement” available would be the Mac App Store versions of the iLife 11 apps. Not all iLife ’11 apps from the DVD have App Store equivalents, and distributing the App Store versions is a whole different set of issues.
So the ideal solution here is to somehow fix the packages with expired signatures so they will work with your software distribution mechanism. It turns out that you can do this with an Apple-provided tool — pkgutil.
pkgutil --expand SomeFlat.pkg /tmp/SomeFlat.pkg
pkgutil --flatten /tmp/SomeFlat.pkg SomeFlatFixed.pkg
Expanding and reflattening a flat package has a side-effect of removing the package signing. the command-line installer tool will happily (at least as of this writing) install unsigned flat packages.
So there you have it — a way to fix packages broken by the Package Apocalypse. But it’s a tedious process. To help, I offer yet another tool — flatpkgfixer.py.
This tool will remove package signing either from a single flat package:
./flatpkgfixer.py /path/to/expired.pkg /path/to/new_fixed.pkg
or can fix up an entire disk image containing packages:
./flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg
This tool is brand new, and could very well have bugs, but I hope it’s useful to some!Explore posts in the same categories: Deployment, Leopard, Lion, OS X, Python, Security