Fixing packages with expired signatures - heads up!

Cem
Valued Contributor

Just seen this (see link) and I thought I'd give you all a heads up...
It's about expired certs in Apple flat packages and how to fix.
Thanks Greg!

http://managingosx.wordpress.com/2012/03/24/fixing-packages-with-expired-signatures/#comments


acdesigntech
Contributor II

I'll be scanning my CasperShare first thing Monday morning...

donmontalvo
Esteemed Contributor III

Yep, us too...not only the CasperShare, but I sent out an email blast to alert all the techs and support staff to purge old Apple PKG installers and replace with new ones.

This really underscores the lack of management oversight over at Apple. I wonder if (I hope) Apple will come to terms with the need for an enterprise guru. Someone like Ed Marczak, Greg Neagle, etc...

[EDIT] Does anyone know how this may impact our OS installers (which contain bunches of PKG installers)? :)

Don

--
https://donmontalvo.com

acdesigntech
Contributor II

It's also going to affect ASUS -- http://support.apple.com/kb/HT5198

WTF Apple... it's REALLY time to start taking the enterprise seriously... I really wish I had come across this Friday AM, could've at least re-synced our SUS's over the weekend. As it is we're going to have to do this tomorrow evening...

At the very least we aren't using TOO many Apple pkgs via Casper. Most are home-brewed.

BTW, Thanks for the heads up about this, Cem!

donmontalvo
Esteemed Contributor III

From the MacEnterprise list:

Date: Mon, 26 Mar 2012 09:40:58 +1100
From: XXXXXXXXX
Subject: Re: Mac OS X Server: Software Update Certificate expires tomorrow!

My 10.6 server (with fixes for Lion updates) has seemed to copy all the updated updates without me needing to go through the process of removal of the previous updates. All the updated updates are not dated with the same date and are dated in groups from 16 March through 23 March. I did see a spike of downloads on the 23rd March, but only about 9GB or so, certainly not the 19GB that would happen if I'd emptied the html folder and started the download process from scratch. I have tested it since and the updates install fine on a freshly DeployStudio restored machine running the SoftwareUpdates on first boot in the finalize script. Has anyone else experienced this same behaviour (of not having to dump your SUS cache)?

Charlie
--
https://donmontalvo.com

Cem
Valued Contributor

Yes, I have seen some logs that some Macs ran updates successfully. Also seen a few that have failed. So I have decided to do purging and redownloading...

I will also run Greg's fix script on CasperShares.

Cem
Valued Contributor

I seem to be having a problem running checkPackageSignatures.py. It just hangs there for a very, very long time and nothing else happens…

/Volumes/CasperShare/Packages/10.6.4 Vanilla.dmg:
Could not open package: /private/tmp/dmg.09cnHX/Library/Receipts/BSD.pkg

Am I doing something wrong? Or does it just not like the BSD.pkg?

bentoms
Release Candidate Programs Tester

Took me a while on BSD too. Just left it running & went for lunch.

Cem
Valued Contributor

oh ! cheers Ben!

mm2270
Legendary Contributor III

Heh, I'm also seeing that a bunch of updates downloaded from Apple on 3/20 and 3/21, but nothing after that. Just tried the 10.7.3 combo on a machine that doesn't have it installed and Software Update is allowing it to download without complaints, so it seems at least some of them have fixed themselves. Still, it's definitely not everything, so we'll have to see what's now missing. I almost wonder if it would just be cleaner/safer to clear out the html folder and start fresh.

Cem
Valued Contributor

I will run it overnight, as I have quite a few OS DMGs.

Cem
Valued Contributor

@mm2270 ; that's what I have done and all looks good so far. Only annoying part was some of the packages didn't remember being enabled. So I had to take screen grabs to compare before I proceeded.

nkalister
Valued Contributor

FYI- There are 2 packages with the expired certificate in the InstallESD.dmg file from the app store as of 1pm PST this afternoon . . . so make sure to fix your OS install, too! Took me a bit to figure out why imaging was suddenly broken this morning, but the expired certificate was the culprit.

bentoms
Release Candidate Programs Tester

Just about to post the same info!

Cem
Valued Contributor

What are the packages? Also, could you confirm it was 10.7.3?

bentoms
Release Candidate Programs Tester

RemoteDesktop.pkg & SIUResources.pkg

Downloaded 10.7 install from app store this evening.

Cem
Valued Contributor

I will keep my eyes peeled for these...

nkalister
Valued Contributor

Yup, like Ben said, it's Remote Desktop and SIU Resources, and this is definitely the current 10.7.3 InstallESD.dmg file downloaded from the app store on 3/26/2012.
The error that was showing in install.log before I ran Greg's script on the InstallESD.dmg file was:

Mar 26 12:33:08 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=102 "The package “RemoteDesktop.pkg” is untrusted." UserInfo=0x7fe16387b140 {NSLocalizedDescription=The package “RemoteDesktop.pkg” is untrusted., NSURL=RemoteDesktop.pkg -- file://localhost/Volumes/Mac%20OS%20X%20Install%20ESD/Packages/OSInstall.mpkg, PKInstallPackageIdentifier=com.apple.pkg.RemoteDesktop, NSUnderlyingError=0x7fe1638a7fc0 "The operation couldn’t be completed. CSSMERR_TP_CERT_EXPIRED"}
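The install.log line above is the symptom to look for when an image or package stops installing. As an added example (not part of this thread, and not one of Greg's scripts), here is a small Python parser that scans install.log text for PKInstallErrorDomain preflight failures and pulls out the package identifier and the CSSM error behind it, so you can find which packages in an InstallESD or CasperShare need fixing rather than guessing. The sample log is constructed: the first RemoteDesktop line is nkalister's real one, the SIUResources line and the other two are made up to show the shape of a second hit and of non-matching lines.

```python
import re

# Constructed sample install.log excerpt. Line 2 is the error posted in the thread;
# the SIUResources line and the two others are invented to exercise the parser.
SAMPLE_INSTALL_LOG = """\
Mar 26 12:33:01 nbkali-mba installer[22366]: Starting installation
Mar 26 12:33:08 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=102 "The package “RemoteDesktop.pkg” is untrusted." UserInfo=0x7fe16387b140 {NSLocalizedDescription=The package “RemoteDesktop.pkg” is untrusted., NSURL=RemoteDesktop.pkg -- file://localhost/Volumes/Mac%20OS%20X%20Install%20ESD/Packages/OSInstall.mpkg, PKInstallPackageIdentifier=com.apple.pkg.RemoteDesktop, NSUnderlyingError=0x7fe1638a7fc0 "The operation couldn’t be completed. CSSMERR_TP_CERT_EXPIRED"}
Mar 26 12:34:10 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=102 "The package “SIUResources.pkg” is untrusted." UserInfo=0x7fe16387b200 {NSLocalizedDescription=The package “SIUResources.pkg” is untrusted., PKInstallPackageIdentifier=com.apple.pkg.SIUResources, NSUnderlyingError=0x7fe1638a7fd0 "The operation couldn’t be completed. CSSMERR_TP_CERT_EXPIRED"}
Mar 26 12:35:00 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=110 "Some unrelated preflight error"
"""

# Matches the three pieces we care about, in the order the installer writes them:
# the error code, the package identifier, and the CSSM reason in the underlying error.
PREFLIGHT_RE = re.compile(
    r"Error Domain=PKInstallErrorDomain Code=(?P<code>\d+).*?"
    r"PKInstallPackageIdentifier=(?P<ident>[\w.\-]+).*?"
    r"(?P<reason>CSSMERR_[A-Z_]+)"
)


def find_untrusted_package_failures(log_text):
    """Return a list of dicts (code, package, reason) for each preflight failure
    that names a package identifier and a CSSM error reason."""
    hits = []
    for line in log_text.splitlines():
        if "Failed install preflight" not in line:
            continue
        match = PREFLIGHT_RE.search(line)
        if not match:
            continue  # a preflight failure of some other kind; not our concern here
        hits.append({
            "code": int(match.group("code")),
            "package": match.group("ident"),
            "reason": match.group("reason"),
        })
    return hits


def expired_cert_packages(log_text):
    """Just the package identifiers that failed because the signing cert expired."""
    return [h["package"] for h in find_untrusted_package_failures(log_text)
            if h["reason"] == "CSSMERR_TP_CERT_EXPIRED"]


if __name__ == "__main__":
    # Run against a real log with: python3 thisfile.py < /var/log/install.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSTALL_LOG
    for pkg in expired_cert_packages(text):
        print("expired signing certificate:", pkg)
```

On a real machine feed it `/var/log/install.log`; the identifiers it prints are the ones to look for inside the InstallESD.dmg Packages folder (or your CasperShare) before running the fixer.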

Cem
Valued Contributor

Apple has got to sort out this mess... it's not just the usual enterprise ignorance, it's also consumer level!!!??

donmontalvo
Esteemed Contributor III

That this affects consumers might just be the ticket for Apple to fix this issue...if it only affected enterprise I'm sure they'd just blow it off.

Don

--
https://donmontalvo.com

heathjw
New Contributor

So I understand the ramifications for SUS. What about our CasperShares? Are we going to have to re-download and replace those pre-packaged pkgs that we got from Apple? We don't have many; I just want to clarify what action is required to keep things running smoothly.

gregneagle
Valued Contributor

Yes, you'll need to replace or fix any packages in your CasperShares that have expired signatures if you want to be able to continue using Casper to install them.

jonscott
New Contributor

Thanks for the helpful info, one and all! Especially Greg for those tools.

Unfortunately, I seem to have trouble with a couple older monolithic images still in use. (Yes, I'm trying to revamp imaging here, but it's a slooow work in progress...)

When Greg's 'checkPackageSignatures' scans my repository, it does throw those BSD.pkg errors similar to
Could not open package: /private/tmp/dmg.fhUwhJ/Library/Receipts/BSD.pkg

For most, I know I can ignore that. But for some older monolithic images still in use, in addition to the BSD.pkg error above, I still get various "Package X signed by a cert that has since expired" messages as well.

So... this doesn't make sense to me. But pushing one of those images via Casper results in a machine that kernel panics every time I try to boot (plus 2+ hours to finish imaging). Any ideas? Running the flatpkgfixer script on the image throws errors too.

Is anyone else having trouble imaging with existing OS images built with "bad" packages? As I said, it doesn't make sense to me, so if anyone can explain I'll appreciate it! This is a monolithic image built on one machine and uploaded to Casper. It's big (read 100 GB) but has worked fine enough so far. No one has imaged with it since before the Package Apocalypse until I tested it this week.

If we do need to rebuild these from scratch, it'll be a good excuse to move to a more modular style...

Thanks,
Jon

jonscott
New Contributor

I just realized my imaging problem may be related to the hardware I'm restoring to, regardless of the feedback I see from the PA scripts...

Will try pushing this image to newer hardware soon...

mthakur
Contributor

For anyone keeping track, the following pkg from Apple also has an expired certificate:

https://support.apple.com/kb/DL1653
Thunderbolt Firmware Update v1.2
Post Date: May 9, 2013
File Size: 1.22 MB

$ pkgutil --check-signature ThunderboltFirmwareUpdate.pkg
Package "ThunderboltFirmwareUpdate.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
$

The workaround is to simply expand and then flatten the package, which has the effect of stripping the (expired) certificate from the pkg:

$ pkgutil --expand ThunderboltFirmwareUpdate.pkg /tmp/thunderbolt.pkg
$ pkgutil --flatten /tmp/thunderbolt.pkg ThunderboltFirmwareUpdate.nocert.pkg

(Obviously, you can use whatever name you wish for the newly flattened pkg.)

Now, the new package doesn't have any certificate at all and can be installed as usual:

$ pkgutil --check-signature ThunderboltFirmwareUpdate.nocert.pkg
Package "ThunderboltFirmwareUpdate.nocert.pkg":
   Status: no signature
$
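The check / expand / flatten / re-check sequence in the post above is easy to script across a whole repository. The following Python is an added example written for this thread (it is not one of Greg's tools and not mthakur's code): it parses the `Status:` line of `pkgutil --check-signature` output, and only for packages whose certificate "has since expired" does it expand and flatten them into a `.nocert.pkg` next to the original, leaving validly signed and unsigned packages alone. The two sample outputs are constructed from the post; the "signed Apple Software" status is an assumed example of a still-valid status and not quoted from a real run.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import re

# Constructed sample output in the shape shown in the post (first block) and an
# assumed still-valid status (second block) so the parser can be exercised offline.
SAMPLE_EXPIRED_OUTPUT = """\
Package "ThunderboltFirmwareUpdate.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
"""
SAMPLE_NOSIG_OUTPUT = """\
Package "ThunderboltFirmwareUpdate.nocert.pkg":
   Status: no signature
"""
SAMPLE_VALID_OUTPUT = """\
Package "SomeOtherUpdate.pkg":
   Status: signed Apple Software
"""

STATUS_RE = re.compile(r"^\s*Status:\s*(?P<status>.+?)\s*$", re.MULTILINE)


def parse_signature_status(check_output):
    """Return the text after 'Status:' from pkgutil --check-signature output, or None."""
    match = STATUS_RE.search(check_output)
    return match.group("status") if match else None


def needs_reflatten(status):
    """Only packages whose signing certificate has expired need the expand/flatten fix."""
    return status is not None and "has since expired" in status


def nocert_name(pkg_path):
    """ThunderboltFirmwareUpdate.pkg -> ThunderboltFirmwareUpdate.nocert.pkg (same directory)."""
    base, ext = os.path.splitext(pkg_path)
    return base + ".nocert" + ext


def check_signature(pkg_path):
    """Run pkgutil on a real package (macOS only). pkgutil exits non-zero for an
    expired cert, so we deliberately do not use check=True here."""
    result = subprocess.run(["pkgutil", "--check-signature", pkg_path],
                            capture_output=True, text=True)
    return parse_signature_status(result.stdout)


def strip_signature(pkg_path, out_path):
    """Expand then flatten, which drops the (expired) signature, exactly as in the post."""
    workdir = tempfile.mkdtemp(prefix="pkgfix.")
    expanded = os.path.join(workdir, "expanded.pkg")
    try:
        subprocess.run(["pkgutil", "--expand", pkg_path, expanded], check=True)
        subprocess.run(["pkgutil", "--flatten", expanded, out_path], check=True)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return out_path


def fix_expired_packages(pkg_paths):
    """Return the list of .nocert.pkg files written; untouched packages are skipped."""
    written = []
    for path in pkg_paths:
        if needs_reflatten(check_signature(path)):
            written.append(strip_signature(path, nocert_name(path)))
    return written


if __name__ == "__main__":
    # Usage: python3 thisfile.py /Volumes/CasperShare/Packages/*.pkg
    for fixed in fix_expired_packages(sys.argv[1:]):
        print("re-flattened without signature:", fixed)
```

One caveat worth keeping in mind: once flattened this way the package carries no signature at all, so Installer can no longer tell you whether the bytes came from Apple. Check the download's hash against the one on the Apple support page before stripping, keep the original alongside the `.nocert` copy, and if you have a Developer ID Installer certificate you can re-sign the flattened package with `productsign` so your distribution point only carries packages that still verify.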

McGinn
Contributor

The pkgutil expand/flatten commands did the trick for me. Thanks @mthakur !