Package Apocalypse

Earlier this week a certificate Apple had used to sign flat packages over the last couple of years or so expired. This caused Apple to have to reissue a lot of update packages. This greatly affected sites running an Apple software update server, either Apple’s flavor, or the open-source Reposado replacement. See for more info on how this affects Software Update.

This also affects some update packages you might have downloaded from If they are flat packages, it’s possible they may also be signed with an expired certificate. Such packages can be manually installed – will display a warning, but you can choose to ignore the warning and proceed.

But if you have a mechanism that uses Apple’s command-line installer tool, these packages will fail to install. This will affect popular tools like InstaDMG, DeployStudio, Apple’s System Image Utility, and any software distribution mechanism that makes use of the command-line installer tool. Some examples include Munki, Casper, and AbsoluteManage.

Worse, this problem affects at least one software package originally distributed on DVD: iLife ’11. If you’ve imported the packages for iLife ’11 into your software distribution mechanism, they may now fail to install because of the expired certificate.

I am working on a tool to fix affected packages. (UPDATE: see this post.) But in the meantime, if you want to get an idea of how many packages you have that are affected by this issue, you might want to make use of a tool I wrote. It will scan a directory of packages or disk images containing packages and print information on any packages with bad or expired certificates.

Get it here.

The tool relies on a pkgutil option introduced in Lion, so you’ll need to run this on Lion!

An example of in use:

./ /Volumes/LaCie/InstaDMG/pkgs-10.6.8/

/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/Install iTunes.pkg:
Package "Install iTunes":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/JavaForMacOSX10.6Update4.pkg:
Package "JavaForMacOSX10.6Update4.pkg":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/MacOSXUpdCombo10.6.8.pkg:
Package "MacOSXUpdCombo10.6.8.pkg":
Status: signed by a certificate that has since expired

Use this tool to scan any collection of packages you have to see which are affected by this issue. If a replacement package is available from Apple, you should replace it. If there is no replacement, there is hope. Keep checking back here for an update soon.

Explore posts in the same categories: Deployment, Leopard, Lion, OS X, Python, Security

25 Comments on “Package Apocalypse”

  1. Don Montalvo Says:

    These are the kinds of bloopers that gives the Wintel guys ammo to beat up on Apple when we have our team meetings. To be honest, Apple deserves the embarassment. Do you know how long it will take for our internal Apple SUS servers to re-cache all the available packages…and from there to replicate to the other servers on our network? Our clients have fast connections, but it still means critical patches are delayed while everything refreshes.

    Don Montalvo

  2. [...] Managing OS X Trials and Tribulations of an OS X Administrator « Package Apocalypse [...]

  3. nate Says:

    is –check-signature only a pkgutil option in 10.7? doesn’t seem to be present on 10.6.8 here.

  4. [...] Greg Neagle’s checkPackageSignatures and flatpkgfixer scripts are extremely helpful here. checkPackageSignatures will help you find [...]

  5. [...] – 3-24-2012: If you are reading this after Friday, March 23 2012, make sure to remove iLife 11′s package signing using Greg Neagle’s flatpkgfixer script prior to using the repackaging procedure [...]

  6. willpolley Says:

    For Reposado, do you recommend the same process as Apple and completely repull the update files?

    Maybe Reposado is smarter than Apple’s update server?

  7. nick Says:

    FYI- there’s 2 expired packages in the Lion Installer being distributed by the App Store as of 12:30 pm PST today. I re-downloaded it when I started having problems with Casper imaging today . . . Here’s the output from greg’s checking script when run against the InstallESD’s packages directory:
    Last login: Mon Mar 26 13:04:41 on ttys001
    nbkali-mba:~ nbkali$ /Users/nbkali/Downloads/ /Volumes/Mac\ OS\ X\ Install\ ESD/Packages
    /Volumes/Mac OS X Install ESD/Packages/RemoteDesktop.pkg:
    Package “RemoteDesktop.pkg”:
    Status: signed by a certificate that has since expired
    /Volumes/Mac OS X Install ESD/Packages/SIUResources.pkg:
    Package “SIUResources.pkg”:
    Status: signed by a certificate that has since expired

  8. Cem Says:

    Hi Greg, thanks for this superb tool.
    But I seem to having problem running against my package repository. It just hangs there very very long time and nothinelse happens…

    /Volumes/CasperShare/Packages/10.6.4 Vanilla.dmg:
    Could not open package: /private/tmp/dmg.09cnHX/Library/Receipts/BSD.pkg

    am I doing something wrong? or it just doesn’t like the BSD.pkg?

    • GregN Says:

      It doesn’t like it. But you can ignore it.

      • Cem Says:

        if you let me know how… i will be the happiest :)

      • Cem Says:

        one of the guys from jamfnation said that it took for awhile for him to pass the BSD file.. I will run it overnight, as I have a quite few OS DMGs.

      • GregN Says:

        Don’t scan disk images that don’t contain installers. “0.6.4 Vanilla.dmg” sounds like a restore disk image, not something that gets fed to /usr/sbin/installer.

        Notice that it’s scanning /Library/Receipts/BSD.pkg — that’s _NOT_ an installer package; it’s a package receipt.

        checkPackageSignatures was meant to scan flat packages and disk images containing flat packages to install. Disk images meant for ASR-style imaging should not be scanned.

  9. Cem Says:

    Thanks Greg! I am sure there were be no harm to run it though. Correct me if I am wrong here please. It just saves me a lot of time to go through 100s of items from packages repository…. all I need is to identify expired packages.

  10. [...] Neagle has released to extremely useful scripts, checkPackageSignatures and flatpkgfixer. checkPackageSignatures will help you find expired certificates in your [...]

  11. ktappe Says:

    The utility gives me no output at all, no matter what package or directory I put through it. I strongly suspect one of my packages does have a signing issue as it won’t build into InstaDMG, so I’m curious if anyone else has had issues with this script. Also I suggest to Greg that the script should probably provide output whether the packages is positive or negative for problems. (Or maybe it already does, but I’m not seeing any.)

    • GregN Says:

      I’m going to suggest that since there is no output, no package in the given directory has an expired signature.

      If you’d like to double-check, try using pkgutil in Lion:
      pkgutil –check-signature

      If you’d like to modify the behavior of it’s a Python script. You can modify it any way you’d like.

  12. […] behind munki – managed software distribution) has released two extremely useful scripts, checkPackageSignatures and flatpkgfixer. checkPackageSignatures will help you find expired certificates in your […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 170 other followers

%d bloggers like this: