In my previous post, I provided a tool to enable you to check your collection(s) of packages to determine if any are affected by the Package Apocalypse.
But what to do once you’ve found packages with expired signatures? If Apple has provided an updated replacement package at http://support.apple.com/downloads/, it’s probably best to replace the package with the expired signature with the updated one.
But that might not always be possible — Apple has not provided replacements for every package that has been affected, or the replacement might not be practical to use.
For example, the packages included in the iLife ’11 Install DVD have expired signatures. The only “replacement” available would be the Mac App Store versions of the iLife 11 apps. Not all iLife ’11 apps from the DVD have App Store equivalents, and distributing the App Store versions is a whole different set of issues.
So the ideal solution here is to somehow fix the packages with expired signatures so they will work with your software distribution mechanism. It turns out that you can do this with an Apple-provided tool — pkgutil.
pkgutil --expand SomeFlat.pkg /tmp/SomeFlat.pkg
pkgutil --flatten /tmp/SomeFlat.pkg SomeFlatFixed.pkg
Expanding and reflattening a flat package has a side-effect of removing the package signing. the command-line installer tool will happily (at least as of this writing) install unsigned flat packages.
So there you have it — a way to fix packages broken by the Package Apocalypse. But it’s a tedious process. To help, I offer yet another tool — flatpkgfixer.py.
This tool will remove package signing either from a single flat package:
./flatpkgfixer.py /path/to/expired.pkg /path/to/new_fixed.pkg
or can fix up an entire disk image containing packages:
./flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg
This tool is brand new, and could very well have bugs, but I hope it’s useful to some!
Managing OS X 
[…] Greg Neagle’s checkPackageSignatures and flatpkgfixer scripts are extremely helpful here. checkPackageSignatures will help you find expired certificates […]
I’ve tested this on a iLife 11 retail disk image and it works as advertised. Once package signing was removed from the flat packages contained in iLife .dmg, I was able to install iLife 11 and then update it with the correct updates from Software Update.
[…] this after Friday, March 23 2012, make sure to remove iLife 11′s package signing using Greg Neagle’s flatpkgfixer script prior to using the repackaging procedure […]
Thanks so much Greg this has saved the day.
How do you do it? I’m clueless, pls help ASAP!
You must be as confused as I was Matthew. I figured it out though. In my case I used a iLife 11 Install DMG that I created in Disk Utility. Saved that to the desktop. We ultimately are modifying this DMG, which is the whole point of this script to a new DMG, that has the flat files repaired. First you have to take the script that he makes available and save it as a text document, saving it as a .py (Python Script) extension. in this case flatpkgfixer.py . I saved the file to my desktop. From there you have to give the script executable permissions by opening up the terminal and running the command:
sudo chmod a+x ~/Desktop/flatpkgfixer.py
from there it should promt you for your password. Enter it and continue.
Now comes time to execute the script. I will tell you what worked for me.
From terminal
sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg
From there it will create a newly repaired iLife 11 DMG. Hope that explains it.
Does anyone here know of a way to add a bundle identifier to an existing package? When I run Apple software update, I get a ton of errors for “missing bundle identifiers” in Office 2008 receipt files. I know that Office is running fine and the problem is limited only to the Office packages in /Library/Receipts. So I thought if I could somehow add a bundle identifier to each of the offending packages, I’d stop getting the errors for my users.
Followed your very clear instructions and all when well.
Installed iLife 2011 on Lion 10.7.4 without problem.
The only FLAW is with software update.
Do not offering me iPhoto updates (only all the other).
iPhoto is not working on Lion without update (9.1 follow by 9.2.3).
Do you met the same problem.
This is great news to wake up to this morning. Thanks for finding this for us and sharing, Greg- our workflows aren’t as broken as they looked on Friday.
[…] Trials and Tribulations of an OS X Administrator « Xcode 4 Cocoa-Python Templates Fixing packages with expired signatures […]
Reblogged this on acdesigntech and commented:
Since this is a pretty big deal in the world of Apple System Management, I am re-blogging this on acdesigntech so it gets more coverage. Thanks for everything, Greg!
It’s so nice not to have my hands tied with this anymore (or at least, less tied). Despite underscoring a true need for some enterprise support oversight at Apple, this is going to give way too much ammo to our windows admins now. le sigh…
Wow…dude….U ROK!!!!! :):):)
Why am i getting failed to create at the end? Am i doing anything wrong?
Is the destination directory writable and does it have enough space? What is the specific error?
It was my fault, re-did it and it work! Thanks man 😀
do in terminal “chmod a+x /path/flatpkgfixer.py before using.
Thank you for the script, is perfect!
oops! don’t use “, is only chmod a+x /path/flatpkgfixer.py
Thank you, thank you, thank you!
Now we have an automated solution for those packages not re-signed by Apple, and don’t have to task some monkey with repackaging them all!
Greg,
What can I say man?? Your work and diligence saved me again. Luckily, I had some time and plenty of bandwidth over our spring break this week to deal with re-downloading our software update mirrors.
Without your fix, imaging this summer would have been very bad!! Not fond of having to apply this to legitimate installer CDs such as iLife 11 and iWork 09, but at least I know of the issue and have a fix thanks to you.
Made sure to kick a note up to the Apple rep though on the discs and forwarded your posts on to other K-12 Mac admins in Indiana and Michigan so maybe they can plan accordingly.
Quick question…that you can run the script on a DMG and have it recursively “fix” all the PKG installers within it…does this mean we can run it on an entire share and have it “fix” all the PKG installers on that share?
Else do we have to run it once on each PKG on that share?
Thanks,
Don
Sorry, flatpkgfixer.py works on a single flat package or single disk image at a time. It needs a source and destination.
Someone else can write a wrapper that fixes up an entire share!
I can’t seem to get the script to work on the GarageBandBasicContent.pkg package that the App Store version of Garage Band 6.x downloads and installs when you run Garage Band the first time.
pkgutil has problems trying to extract the Payload file.
Any ideas how to fix this?
[…] https://managingosx.wordpress.com/2012/03/24/package-apocalypse/ https://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/ […]
We were massdeploying when i strumbled upon your news: know we know why iLife11, Garageband, ARD, … refuse to install and how to fix it.
You saved our day!
Thank you very much for sharing.
Greetings from some grateful swiss k-12 macadmins.
I have fixed all iLife11 pkg with /flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg command line, copyed all the fixed pkg to my Iceberg project and, after that, I have replaced the untouched iLife.pkg (original one) to my Iceberg project to get the compilated package to work.
thanks for your help!!
Pour que iLife11 fonctionne j’ai utilisé le script flatpkgfixer.py en corrigeant les signatures des pkg de iLife a l’aide de la commande /flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg, après avoir déplacé les pkg fixé dans mon dossier projet de Iceberg, j’ai remis l’original iLife.pkg dans mon dossier projet de Iceberg avant la compilation final.
Merci pour votre précieuse aide.
This is wonderful work and the fix looks great. Sadly I’m stuck on 10.6.8 for some months to come and was wondering if there was anything I could do to fix the packages that I hanve now.
You should be able to run the flatpkgfixer.py script on Snow Leopard.
Good Day Sir
Sorry for a very dumb question but I really need to fix my ilife2011.dmg.
where will I open the flatpkgfixer.py and where will i type
./flatpkgfixer.py /path/to/iLife11.dmg /path/to/iLife11_fixed.dmg
Thank You so much!!! I really need your help
its says…
Last login: Thu Mar 29 11:04:27 on ttys000
cd ‘/Users/macservemanila/’ && ‘/usr/bin/pythonw’ ‘/Users/macservemanila/flatpkgfixer.py’ && echo Exit status: $? && exit 1
MacServeManilas-MacBook:~ macservemanila$ cd ‘/Users/macservemanila/’ && ‘/usr/bin/pythonw’ ‘/Users/macservemanila/flatpkgfixer.py’ && echo Exit status: $? && exit 1
Too few arguments!
Usage: flatpkgfixer.py sourceitem destination
MacServeManilas-MacBook:~ macservemanila$ ./flatpkgfixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg-bash: ./flatpkgfixer.py: Permission denied
MacServeManilas-MacBook:~ macservemanila$
Please help me sir… Thank You so much
flatpackagefixer.py is a Python script. You’ll either need to set the execute bit:
chmod a+x /Users/macservemanila/flatpackagefixer.py
Then:
/Users/macservemanila/flatpackagefixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg
(all one line)
Or call it from python:
python /Users/macservemanila/flatpackagefixer.py /Users/macservemanila/iLife.dmg /Users/macservemanila/iLife11_fixed.dmg
(all one line)
I knew how to run it. Thank you sir!!!!
A big thank you for sharing this tool!
It could be enhanced if it also converted the packages within a .mpkg file.
Never mind, I was a bit too eager.
I wanted to use the tool with iWork09.mpkg. But that file doesn’t have a certificate to begin with.
love your work, thanks heaps!
I am not able to download flatpackagefixer.py using the link you’ve provided. Is that link now dead?
Nope — I just checked it and it’s fine. Maybe Dropbox was down for a bit?
Another solution to the problem is to set the clock in an earlier date. I’ve installed all iTunes updates after setting the clock prior to March 23th and the installation worked like a charm.
that totally worked for me as well! thanks Greg for making this post and for the script. Thanks John for the alternate solution!
The signature on a pkg can be quickly identified and stripped without extracting and flattening the package. I put together a quick proof of concept tool to do it: https://github.com/etrepum/strip_pkg_signature
That seems like it would be a lot faster than my method! Please go back in time three weeks and release your tool!
[…] posted as reply to Greg Neagle’s post regarding his very helpful tool to fix PKG installers with expired certs, this deserves some […]
[…] […]
Thanks a lot, you’re my hero
I just ran into this with deploystudio trying to install some (still current) Apple distributed printer drivers.
I found it easier to just add the -allowUntrusted flag to the /usr/bin/installer command, but of course I’m only comfortable with that because I know every package on the server, there’s an obvious security risk in doing it this way.
[…] Neagle has released two extremely useful scripts, checkPackageSignatures and flatpkgfixer. checkPackageSignatures will help you find expired certificates in your packages and disk […]
Many thanks for this script 😛
this is a life saver for me! Thanks!
thank you thank you thank you sooooo much !! you saved my day !! make my life so much easier !! you’re my heroe ! marry me !!
thankyou for this. i thought i have to redownload combo update , but with your help, i could update easily without doing it…
Worked for me but for one thing.
After installation software update do not offer me update for iPhoto.
iPhoto not working, have to be updated.
Somebody have the same problem.
See this:
Thank for your answer Greg
I did the updates downloading manually from Apple site.
At least I have now a iLife 2011.dmg that is working without unexpected error or expired certificate.
Still lost. Uncertain what my dmg needs to be named. I named it “iLife ’11 Install DVD” but get a file doesn’t exist error. What should my dog be named?
You may name it anything you’d like. Are you tripping over embedded spaces in the name? Perhaps you might want to copy and paste exactly what you are trying and what results you have.
What should my dog be named? Ooops! What should my dog be named?
dog = .dmg What the hell?
embedded spaces in the name? Don’t understand
I’m guessing you haven’t used the command-line much, then. Please copy and paste what you are trying to do so we don’t have to guess.
can you call me, or can I call you?
I think I got it going. Says: Mounting /Users/richarddwyer/Desktop/iLife ’11 Install DVD.dmg…
File “strip_pkg_signature.py”, line 28
VERSIONS = {0, 1}
^
SyntaxError: invalid syntax
Did not work for me
That’s not my script. Looks like you are trying to use Bob Ippolito (@etrepum)’s script.
You might want to open an issue here:
https://github.com/etrepum/strip_pkg_signature
I tried your script with success however, it still says that I need to update to the latest version before I can run the software…
Yes Taycha, you have to update manually especially for iPhoto.
This a post from this forum, READ THAT:
More info for iPhoto 9 vs Software Update
It appears that the only update for iPhoto 9 currently offered in Apple Software Update is the iPhoto 9.3 update.
There are two problems with this.
This update requires Mac OS X 10.7.4. If you are running anything older, it will not be shown as an available update.
This update requires iPhoto 9.1. If you are running iPhoto 9.0, it will not be shown as an available update.
Workarounds:
For 10.7.4 machines, install the standalone iPhoto 9.1 update. The 9.3 update will become available. (Of course you could just use the standalone updates to update all the way to iPhoto 9.3.)
For machines running OS X versions earlier than 10.7.4, you’ll need to use the standalone updates to first update to iPhoto 9.1, then to iPhoto 9.2.3.
You will have to download the updates from the Apple site:
iMovie 9.0.4
http://support.apple.com/kb/DL1412
iPhoto 9.1 first and 9.2.3 second (the two are necessary if you are not on Lion 10.7.4).
http://support.apple.com/kb/DL1322
http://support.apple.com/kb/DL1514
Hope that help
This is all the info I have collected from the different posts and from my own experience with it to have a perfectly working iLife 2011 installed over Lion and Snow Leopard.
I put everything together in one post to facilitate the use of this wonderful script to everybody.
This is for the one that have a problem to install iLife 2011 from the original DVD or .dmg – unexpected error or Expired certificate.
The solution is a script that will remove the certificate from iLife 2011.dmg using terminal.
Expanding and reflattening a flat package has a side-effect of removing the package signing
So there you have it — a way to fix packages broken by the Package Apocalypse.
You can also use that script for others Apple broken package (you change the name in the script).
The source for this information: Forum: https://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/#comment-10832
Download link for the script flatpkgfixer.py:
http://dl.dropbox.com/u/8119814/flatpkgfixer.py
HOW TO by Joe Sofia:
In my case I used a iLife 11 Install DMG that I created in Disk Utility. Saved that to the desktop. We ultimately are modifying this DMG, which is the whole point of this script to a new DMG, that has the flat files repaired. First you have to take the script that he makes available and save it as a text document, saving it as a .py (Python Script) extension. in this case flatpkgfixer.py . I saved the file to my desktop. From there you have to give the script executable permissions by opening up the terminal and running the command:
sudo chmod a+x ~/Desktop/flatpkgfixer.py
from there it should promt you for your password. Enter it and continue.
Now comes time to execute the script. I will tell you what worked for me.
From terminal
sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg
From there it will create a newly repaired iLife 11 DMG. Hope that explains it.
Note: you have to have a password in order to use the Terminal
Make sure that the name (iLife ‘2011) in the script is exactly the name of your .dmg
If not the terminal will tell you that he cannot find your .dmg (copy the name from terminal and paste it on your .dmg
Software update will NOT offer you the update for iPhoto and iMovie but you gone have it for GarageBand, iDVD and iWeb.
You will have to download the updates from the Apple site:
iMovie 9.0.4
http://support.apple.com/kb/DL1412
iPhoto 9.1 first and 9.2.3 second (the two are necessary if you are not on Lion 10.7.4).
http://support.apple.com/kb/DL1322
http://support.apple.com/kb/DL1514
More info for iPhoto 9 vs Software Update
It appears that the only update for iPhoto 9 currently offered in Apple Software Update is the iPhoto 9.3 update.
There are two problems with this.
This update requires Mac OS X 10.7.4. If you are running anything older, it will not be shown as an available update.
This update requires iPhoto 9.1. If you are running iPhoto 9.0, it will not be shown as an available update.
Workarounds:
For 10.7.4 machines, install the standalone iPhoto 9.1 update. The 9.3 update will become available. (Of course you could just use the standalone updates to update all the way to iPhoto 9.3.)
For machines running OS X versions earlier than 10.7.4, you’ll need to use the standalone updates to first update to iPhoto 9.1, then to iPhoto 9.2.3.
Hope that help
just worked like a charm for iLife11. many thanks for this tool !
OK, so I am running Mountain Lion (10.8) and I am trying to install iWeb 3.0.4 manual update using the DMG file from CNET downloads. I currently have an older version of iWeb installed, but it doesn’t give me an error that others are having where it tells you it cannot find the previous version. I followed the instructions above using the Python script. Everything was successful, and the _fixed.dmg was created on the Desktop path with no errors. When I try to install from the fixed DMG, I still get the error, “iWeb Update can’t be installed on this disk. This update requires Mac OS X 10.7 or newer.”
Any ideas?
Hello, thank you for your help! When I write sudo python ~/Desktop/flatpkgfixer.py ~/Volumes/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg in Terminal, the answer is that it doesn’t exist. And when I open the finder, I can’t see it on User/Desktop, but I can see it on my real desktop. I don’t understand at all. Is that because I’m working on Snow Leopard?
Do this instead:
Make sure the iLife ’11 Install DVD is NOT mounted. If the dmg is on your desktop then:
sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg
It works!! Wonderful. Thank you very much.
I think you are missing further information about the code I had to refer to some commentary
thank you so much for this – it worked with the newly installed mountain lion – now Iphoto works again. Had I known it would cause so many problems I would not have bothered with it at all. Thanks again.
Sorry Greg for the complete noob question. I googled a lot on how to execute .py on mac. How do I execute your script python on ML ?
A similar question was asked and answered earlier in this set of comments. I replied then:
flatpackagefixer.py is a Python script. You’ll either need to set the execute bit:
chmod a+x /path/to/flatpackagefixer.py
Then:
/path/to/flatpackagefixer.py /path/to/iLife.dmg /path/to/iLife11_fixed.dmg
(all one line)
Or call it from python:
python /path/to/flatpackagefixer.py /path/to/iLife.dmg /path/to/iLife11_fixed.dmg
(all one line)
Reblogged this on Zanuf….
[…] I was not able to install the downloaded MAC to the flash drive for the installation. I was getting the "Certificate Expired Error" and by doing google I found a script which fixes this issue. https://managingosx.wordpress.com/201…ed-signatures/ […]
Great tool–thank you!!! Unfortunately, I’m unable to get it to work properly. After the python script runs for a few minutes (expanding/flattening the different packages), it ends up giving me an error during what I think is nearly the end of the process:
Excerpt of lines just prior to the failure:
Expanding /private/tmp/dmg.1NOv20/Installer/Packages/iPhotoLibraryUpgradeTool.pkg to /tmp/tmpo8zsi9/iPhotoLibraryUpgradeTool.pkg…
Flattening /tmp/tmpo8zsi9/iPhotoLibraryUpgradeTool.pkg to /tmp/tmpKWA4TZ/iPhotoLibraryUpgradeTool.pkg…
Expanding /private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg to /tmp/tmpo8zsi9/iWeb.pkg…
Problem extracting file from package: /tmp/tmpo8zsi9/iWeb.pkg/Payload
ERROR: Command ‘[‘/usr/sbin/pkgutil’, ‘–expand’, ‘/private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg’, ‘/tmp/tmpo8zsi9/iWeb.pkg’]’ returned non-zero exit status 1 expanding /private/tmp/dmg.1NOv20/Installer/Packages/iWeb.pkg
I tried re-running the entire workflow, step-by-step as described on this page (thanks for the wonderful instructions). However, it failed at the exact same place again, with the same error message. I know just enough to be dangerous, so could somebody please kindly enlighten me as to what my problem might be, and how I might go around fixing it? Just in case it helps, here are the exact commands I’m running:
sudo chmod a+x ~/Desktop/flatpkgfixer.py
sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/Apple/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg
Sounds like the disk image of your iLife DVD might be corrupt, since it can’t successfully expand the iWeb.pkg.
You could confirm by trying to do it manually.
Thanks for the tip! Fortunately, iWeb is one of the features I DON’T want, so maybe I can redo all the others individually. I believe there are instructions above to do just that (I was trying to do the whole install dmg in one fell swoop), but I’ll re-read this page. Thank you.
I was able to successfully complete the process, though I had to use the script referenced above on this page:
Bob Ippolito (@etrepum) Says:
April 12, 2012 at 4:08 pm
The signature on a pkg can be quickly identified and stripped without extracting and flattening the package. I put together a quick proof of concept tool to do it: https://github.com/etrepum/strip_pkg_signature
Reply
GregN Says:
April 12, 2012 at 4:11 pm
That seems like it would be a lot faster than my method! Please go back in time three weeks and release your tool!
Reply
This process worked well, and was very fast indeed! I had to make a new dmg, but I deleted the programs I don’t want anyway to make a smaller dmg. THANK YOU for hosting this page and creating the solutions!!! Install was successful, THANKS TO YOU!!
I keep getting “SyntaxError: unexpected character after line continuation character” in terminal
When you do what, exactly?
I’ve saved the flatpkgfixer.py to my desktop and then I entered
“sudo chmod a+x ~/Desktop/flatpkgfixer.py
from there it should promt you for your password. Enter it and continue.
Now comes time to execute the script. I will tell you what worked for me.
From terminal
sudo python ~/Desktop/flatpkgfixer.py ~/Desktop/iLife\ \’11\ Install\ DVD.dmg ~/Desktop/iLife11_fixed.dmg”
You have syntax errors from rampant use of ” and spaces.
Check those and it should work.
スペード バック
thk you sooooooo muuuuuuuuuuuuuch Joe