Package Apocalypse

Earlier this week, a certificate Apple had used to sign flat packages over the last couple of years or so expired. This forced Apple to reissue a lot of update packages, and it greatly affected sites running an Apple software update server, whether Apple’s own or the open-source Reposado replacement. See for more info on how this affects Software Update.

This also affects some update packages you might have downloaded from If they are flat packages, it’s possible they may also be signed with an expired certificate. Such packages can be manually installed – will display a warning, but you can choose to ignore the warning and proceed.

But if you have a mechanism that uses Apple’s command-line installer tool, these packages will fail to install. This will affect popular tools like InstaDMG, DeployStudio, Apple’s System Image Utility, and any software distribution mechanism that makes use of the command-line installer tool. Some examples include Munki, Casper, and AbsoluteManage.

Worse, this problem affects at least one software package originally distributed on DVD: iLife ’11. If you’ve imported the packages for iLife ’11 into your software distribution mechanism, they may now fail to install because of the expired certificate.

I am working on a tool to fix affected packages. (UPDATE: see this post.) But in the meantime, if you want to get an idea of how many packages you have that are affected by this issue, you might want to make use of a tool I wrote. It will scan a directory of packages or disk images containing packages and print information on any packages with bad or expired certificates.

Get it here.

The tool relies on a pkgutil option introduced in Lion, so you’ll need to run this on Lion!

An example of in use:

./ /Volumes/LaCie/InstaDMG/pkgs-10.6.8/

/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/Install iTunes.pkg:
Package "Install iTunes":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/JavaForMacOSX10.6Update4.pkg:
Package "JavaForMacOSX10.6Update4.pkg":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/MacOSXUpdCombo10.6.8.pkg:
Package "MacOSXUpdCombo10.6.8.pkg":
Status: signed by a certificate that has since expired

Use this tool to scan any collection of packages you have to see which are affected by this issue. If a replacement package is available from Apple, you should replace it. If there is no replacement, there is hope. Keep checking back here for an update soon.
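
The kind of scan described above, as an added example (this is not the author's tool). It assumes the Lion `pkgutil` option in question is `--check-signature`, requires Python 3, and only walks a directory tree; it does not mount disk images. The sample output embedded in it is constructed.

```python
#!/usr/bin/env python3
"""Report flat packages whose signing certificate has expired (added example)."""
import os
import re
import subprocess
import sys

# Status text exactly as it appears in the sample output on this page.
EXPIRED = "signed by a certificate that has since expired"

# Constructed sample output; the second entry is an assumed non-expired status.
SAMPLE = '''Package "Install iTunes":
   Status: signed by a certificate that has since expired
Package "Example":
   Status: no signature
'''

def parse_check_signature(output):
    """Return [(package_name, status), ...] parsed from pkgutil output."""
    results, name = [], None
    for line in output.splitlines():
        pkg = re.match(r'\s*Package "(.*)":\s*$', line)
        status = re.match(r'\s*Status:\s*(.+?)\s*$', line)
        if pkg:
            name = pkg.group(1)
        elif status and name is not None:
            results.append((name, status.group(1)))
            name = None
    return results

def run_pkgutil(path):
    """Run pkgutil on one package; exit status is ignored, only text is parsed."""
    proc = subprocess.run(["pkgutil", "--check-signature", path],
                          capture_output=True, text=True)
    return proc.stdout

def scan(root, runner=run_pkgutil):
    """Map package path -> names reported as signed with an expired certificate."""
    expired = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):          # flat packages are regular files
            if fname.endswith((".pkg", ".mpkg")):
                path = os.path.join(dirpath, fname)
                names = [n for n, s in parse_check_signature(runner(path)) if s == EXPIRED]
                if names:
                    expired[path] = names
    return expired

if __name__ == "__main__":
    for path, names in sorted(scan(sys.argv[1]).items()):
        print("%s: %s" % (path, ", ".join(names)))
```

Because flat packages are single files, the walk also finds flat sub-packages stored inside bundle-style metapackages.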

Cauliflower Vest: FileVault 2 management for enterprise

Google’s MacOps team has released a new open source toolset for managing FileVault 2 for the enterprise: Cauliflower Vest.

Cauliflower Vest offers the ability to:

  • Forcefully enable FileVault 2 encryption.
  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Delegate secure access to recovery keys so that volumes may be unlocked or reverted.

Update to Automated Installs of Mac OS X Lion

Updated tools are here, or if you’ve cloned the Git repo, do a `git pull` to get the changes.

When the “Install Mac OS X Lion” application runs, it queries Apple’s Software Update servers, downloads a package named “MacOS_10_7_IncompatibleAppList.pkg”, and copies it, along with an “index.sproduct” file that lists this package, to the “Mac OS X Install Data” directory as part of the preparation for installing Lion.

This package updates a list of software that is incompatible with Lion by updating “English.lproj/IncompatibleApplicationsStrings.strings” and “MigrationIncompatibleApplicationsList.plist” inside /System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/.

Updating this list of incompatible software does not seem to be vital to the installation of Lion. The index.sproduct file must exist, however, or the automated install is aborted. If you do not include the MacOS_10_7_IncompatibleAppList.pkg and index.sproduct files inside the InstallLion.pkg, the postflight script will create an “index.sproduct” file containing an empty “Packages” array.

Still, it’s probably a good idea to include the current version of the MacOS_10_7_IncompatibleAppList.pkg in your InstallLion.pkg if possible.

I’ve provided a tool to help you download the current version of the incompatible app list package. It’s named “getIncompatibleAppListPkg”. It will download the MacOS_10_7_IncompatibleAppList.pkg and create an index.sproduct file, saving both in the current directory. They must be copied to the InstallLion.pkg/Contents/Resources/Mac OS X Install Data/ directory.

Here’s a sample execution of the tool:

% ./getIncompatibleAppListPkg
Writing index.sproduct...

You’ll find MacOS_10_7_IncompatibleAppList.pkg and index.sproduct in your current working directory; you would then copy them to InstallLion.pkg/Contents/Resources/Mac OS X Install Data/.

(Note: I found also that I could not add arbitrary packages to the Packages array of index.sproduct; the OS X Installer skipped any packages that were unsigned. Therefore the index.sproduct file is not easily used to install additional arbitrary packages. I was unwilling to go through the effort to convert my additional packages to “flat” packages and sign them to do further testing.)
