Posted on 10-24-2019 10:31 AM
Just a heads up that today, the installer certificates used to sign Apple OS installers (previous to Catalina) and update packages, will be expiring.
Any previous-to-this-month installer packages and OS installers (not Catalina, but earlier) will fail to run. They may report errors, or that the installer app is damaged.
Also, Apple has not updated all of the packages (ie ATM the 10.14.6 updaters, both regular and Combo, are expiring today. They're on it, but...)
I blogged in more detail about this here:
The Apple Packagepocalypse, 2019 Edition
You're going to need to audit ALL of your packages from Apple, potentially redownloading them (Suspicious Package is an incredibly useful tool for this). You're also going to need to re-download the Mojave/High Sierra/Sierra et. al. installers from Apple and, if you have any USB OS installers created, re-create them.
Posted on 10-24-2019 11:37 AM
Thanks for the heads up. #shakesFistAtApple
UPDATE: Already getting tickets: "This copy of the install MacOS Mojave application is damaged".
Posted on 10-24-2019 01:23 PM
Thank you for this! I am updating the packages as we speak.
Posted on 10-24-2019 01:41 PM
Any idea how to get the full Mojave installer? The old method of following a URL to the hidden App Store download page for Mojave downloads a 22M file.
Posted on 10-24-2019 01:45 PM
@donmontalvo https://support.apple.com/en-us/HT210190 Should get you the right link at Step 4. Currently a 6+GB download for me.
Posted on 10-24-2019 02:39 PM
Anyone know if this certificate issue will affect iOS?
Posted on 10-24-2019 03:09 PM
@lazyGhost It should not.
Posted on 10-24-2019 05:10 PM
From a Catalina mac, you can download installers from terminal.
softwareupdate --fetch-full-installer --full-installer-version 10.14.6
Seems to work if the Mac you're running Catalina on supports the older version. So maybe upgrade the oldest Mac you have for the older OSs.
Learned from https://scriptingosx.com/2019/10/download-a-full-install-macos-app-with-softwareupdate-in-catalina/
Posted on 10-24-2019 07:28 PM
@chris.hansen tried to download using that command on a macOS Catalina computer. Seems to download and try to install and fails. I ended up going to a Sierra computer and downloading using the links in the URL that @kevinwilemon posted (which Apple sent us as well when we opened a ticket on it). Good thing I have a 1G link at home. :)
Posted on 10-24-2019 07:49 PM
Ugh. Still getting the Mojave stub installer at the link @kevinwilemon posted.
Posted on 10-25-2019 04:48 AM
Seems to be still working...
installinstallmacos.py
Posted on 10-25-2019 05:11 AM
Hi all,
Since we're talking about macOs installers... may I ask a question? How do you store (not deploy) your macOS installers for future use? I like to keep them on a couple of external drives in addition to a server share. Instead of an app bundle I used to use Disk Utility to Create a DMG from a folder but that hasn't worked in quite awhile. Now I right click them and compress to a zip file. However when I uncompress them to test them I am now consistently getting an error "Could not extract the file "Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg" from the archive "Install macOS Mojave.app.zip": The archive file is incomplete".
Thoughts?
thank you!
chris
Posted on 10-25-2019 05:27 AM
@cdenesha I keep mine on portable media. I use an app called "Install Disk Creator" and make bootable USB installers. I work in a school so our needs aren't hyper specific. I have 3 installers with Mojave (most recent) and whatever the current version is. On a larger drive I'll partition them to have both Mojave and the current OS)
Posted on 10-25-2019 07:09 AM
Thanks @RobertHammen. I wonder when Apple will update the security updates on their site https://support.apple.com/downloads. If you run the softwareupdate -ia command on a Mac, it updates fine.
Installing SecUpd2019-005Sierra.pkg...
Installation failed. The installer reported: installer: Package name is Security Update 2019-005
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override.
The results of this policy were not logged at the time of execution.
The actual execution time was Thu Oct 24 20:57:52 EDT 2019.
Posted on 10-25-2019 07:27 AM
Thanks for the heads up on this one @RobertHammen. I hate when Apple's installer certs expire (not anyone's first rodeo with this) What a PITA.
In case anyone is curious, macOS Mojave Patcher still works to download the full Mojave installer. I just did it and the installer it pulls down has valid certificate expiration dates of "Saturday, April 14, 2029 at 5:28:23 PM Eastern" for all the included packages as far as I can see. I have not tried installing it yet, but it looks like it should work.
Posted on 10-25-2019 07:46 AM
Didn't expect it to work (because why would Apple give a Catalina user the ability to download Mojave) but since some folks here are saying it works, thought I'd give it a try. As expected, it tried to download but purged it after download completed. Hope this is fixed in 10.15.1 (as in protect user from his/herself):
sudo softwareupdate --fetch-full-installer --full-installer-version 10.14.6
Opened a ticket with Apple, they came back with:
Hello Don Thanks for reaching out to Apple. I understand that you are looking for the full Mojave installer with an unexpired signing cert. This document has the links to the updated installers: https://support.apple.com/en-us/HT208052 Please let me know if the issue persists. Thanks, <redacted> AppleCare Enterprise Customer Support Engineering
Working from a 10.13.6 computer, followed the above URL, it downloaded the full installer.
Note: It appears if the App Store button shows "Get" it'll give you the full installer...whereas "Install" will download the stub.
#shakesFistAtApple
Posted on 10-25-2019 09:07 AM
And I JUST did this on a Mojave Mac and got the expired cert version.. Must be cached somewhere.. ugh.
Posted on 10-25-2019 09:32 AM
Yeah, I just downloaded Mojave again, but the same thing. High Sierra is fine.
Posted on 10-25-2019 09:59 AM
Reboot. Then run the installer again.
Posted on 10-25-2019 10:04 AM
Rebooted worked. Doh.
Posted on 10-26-2019 10:14 PM
I have downloaded a brand new copy of Install macOS Mojave.app as per the links from apple. Howerver i am stil getting the certificate expiry issue when using startosinstall. Has any one else seen that?
Contents of /var/log/install.log
mountDiskImageWithPath: /Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg
2019-10-27 13:04:16+08 wstpe8-m20728 osinstallersetupd[89527]: Failed to open OSInstaller because the installer is not trusted: Error Domain=PKProductErrorDomain Code=0 "(null)" UserInfo={PKTrustLevel=3, NSUnderlyingError=0x7fc94a7118a0 {Error Domain=NSOSStatusErrorDomain Code=-2147409654 "CSSMERR_TP_CERT_EXPIRED" UserInfo={SecTrustResult=5, PKTrustLevel=PKTrustLevelExpiredCertificate, NSLocalizedFailureReason=CSSMERR_TP_CERT_EXPIRED}}}
Posted on 10-27-2019 08:24 AM
@a.stonham looks like others reported a reboot fixes that issue?
Posted on 10-27-2019 02:04 PM
@donmontalvo I tried a reboot same issue. The GUI installer works startosinstall fails.
Posted on 10-27-2019 04:51 PM
Would open a tic with Apple.
Posted on 10-27-2019 06:40 PM
Cheers for the heads up, this has helped us immensely
Posted on 10-28-2019 01:32 PM
If you deploy the hp print driver pack you also need to gedownload that package
https://support.apple.com/kb/dl1888?locale=en_US
Posted on 10-28-2019 02:48 PM
Hi All, I am in the middle of deploying macOSUpd10.14.6Supplemental2.pkg and SecUpd2019-005HighSierra.pkg. As of the 24th, all computer that ran either one of these updates returned this in Jamf Pro:
"Installation failed. The installer reported: installer: Package name is Security Update 2019-005
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override." as pointed out above, this is the Cert expired issue. Where can I get the updated security updates from? I need to be able to download them from an Apple site.
Posted on 10-28-2019 02:55 PM
https://support.apple.com/downloads/
Posted on 10-28-2019 03:22 PM
@donmontalvo I am not seeing any current updates there. They are still saying Sept 26th?
Posted on 10-28-2019 03:25 PM
@donmontalvo even then I do not see this package : macOSUpd10.14.6Supplemental2.pkg
Posted on 10-29-2019 05:04 AM
This one is updated, even though the page itself isn't:
Download Security Update 2019-005 (High Sierra)
If the other one isn't updated, would open a ticket with AppleCare Enterprise Support to request download link.
They're pretty quick to response. They usually have to rattle someone's cage to get these pages updated. :)
Posted on 10-29-2019 07:55 AM
@brunerd has a great script for this - https://gist.github.com/brunerd/1e8402b70ab02115852badfd1536fd41
blog post about it - http://www.brunerd.com/blog/2019/10/28/time-to-die-when-mac-app-and-package-certificates-expire/