HEADS UP! Apple's installer certificate expires *TODAY*

RobertHammen
Valued Contributor II

Just a heads up that today, the installer certificates used to sign Apple OS installers (previous to Catalina) and update packages, will be expiring.

Any previous-to-this-month installer packages and OS installers (not Catalina, but earlier) will fail to run. They may report errors, or that the installer app is damaged.

Also, Apple has not updated all of the packages (ie ATM the 10.14.6 updaters, both regular and Combo, are expiring today. They're on it, but...)

I blogged in more detail about this here:
The Apple Packagepocalypse, 2019 Edition

You're going to need to audit ALL of your packages from Apple, potentially redownloading them (Suspicious Package is an incredibly useful tool for this). You're also going to need to re-download the Mojave/High Sierra/Sierra et. al. installers from Apple and, if you have any USB OS installers created, re-create them.

31 REPLIES 31

donmontalvo
Esteemed Contributor III

Thanks for the heads up. #shakesFistAtApple

UPDATE: Already getting tickets: "This copy of the install MacOS Mojave application is damaged".

--
https://donmontalvo.com

danielgrm
New Contributor III

Thank you for this! I am updating the packages as we speak.

donmontalvo
Esteemed Contributor III

Any idea how to get the full Mojave installer? The old method of following a URL to the hidden App Store download page for Mojave downloads a 22M file.

--
https://donmontalvo.com

kevinwilemon
New Contributor III

@donmontalvo https://support.apple.com/en-us/HT210190 Should get you the right link at Step 4. Currently a 6+GB download for me.

lazyGhost
New Contributor III

Anyone know if this certificate issue will affect iOS?

RobertHammen
Valued Contributor II

@lazyGhost It should not.

chris_hansen
Contributor

From a Catalina mac, you can download installers from terminal.

softwareupdate --fetch-full-installer --full-installer-version 10.14.6

Seems to work if the Mac you're running Catalina on supports the older version. So maybe upgrade the oldest Mac you have for the older OSs.
Learned from https://scriptingosx.com/2019/10/download-a-full-install-macos-app-with-softwareupdate-in-catalina/

donmontalvo
Esteemed Contributor III

@chris.hansen tried to download using that command on a macOS Catalina computer. Seems to download and try to install and fails. I ended up going to a Sierra computer and downloading using the links in the URL that @kevinwilemon posted (which Apple sent us as well when we opened a ticket on it). Good thing I have a 1G link at home. :)

--
https://donmontalvo.com

macmanmk
Contributor

Ugh. Still getting the Mojave stub installer at the link @kevinwilemon posted.

carlo_anselmi
Contributor III

Seems to be still working...
installinstallmacos.py

cdenesha
Valued Contributor II

Hi all,

Since we're talking about macOs installers... may I ask a question? How do you store (not deploy) your macOS installers for future use? I like to keep them on a couple of external drives in addition to a server share. Instead of an app bundle I used to use Disk Utility to Create a DMG from a folder but that hasn't worked in quite awhile. Now I right click them and compress to a zip file. However when I uncompress them to test them I am now consistently getting an error "Could not extract the file "Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg" from the archive "Install macOS Mojave.app.zip": The archive file is incomplete".

Thoughts?

thank you!

chris

larry_barrett
Valued Contributor

@cdenesha I keep mine on portable media. I use an app called "Install Disk Creator" and make bootable USB installers. I work in a school so our needs aren't hyper specific. I have 3 installers with Mojave (most recent) and whatever the current version is. On a larger drive I'll partition them to have both Mojave and the current OS)

obi-k
Valued Contributor II

Thanks @RobertHammen. I wonder when Apple will update the security updates on their site https://support.apple.com/downloads. If you run the softwareupdate -ia command on a Mac, it updates fine.

Installing SecUpd2019-005Sierra.pkg... Installation failed. The installer reported: installer: Package name is Security Update 2019-005
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override. The results of this policy were not logged at the time of execution. The actual execution time was Thu Oct 24 20:57:52 EDT 2019.

mm2270
Legendary Contributor III

Thanks for the heads up on this one @RobertHammen. I hate when Apple's installer certs expire (not anyone's first rodeo with this) What a PITA.

In case anyone is curious, macOS Mojave Patcher still works to download the full Mojave installer. I just did it and the installer it pulls down has valid certificate expiration dates of "Saturday, April 14, 2029 at 5:28:23 PM Eastern" for all the included packages as far as I can see. I have not tried installing it yet, but it looks like it should work.

donmontalvo
Esteemed Contributor III

Didn't expect it to work (because why would Apple give a Catalina user the ability to download Mojave) but since some folks here are saying it works, thought I'd give it a try. As expected, it tried to download but purged it after download completed. Hope this is fixed in 10.15.1 (as in protect user from his/herself):

sudo softwareupdate --fetch-full-installer --full-installer-version 10.14.6

Opened a ticket with Apple, they came back with:

Hello Don Thanks for reaching out to Apple. I understand that you are looking for the full Mojave installer with an unexpired signing cert. This document has the links to the updated installers: https://support.apple.com/en-us/HT208052 Please let me know if the issue persists. Thanks, <redacted> AppleCare Enterprise Customer Support Engineering

Working from a 10.13.6 computer, followed the above URL, it downloaded the full installer.

Note: It appears if the App Store button shows "Get" it'll give you the full installer...whereas "Install" will download the stub.

#shakesFistAtApple

--
https://donmontalvo.com

mbezzo
Contributor III

And I JUST did this on a Mojave Mac and got the expired cert version.. Must be cached somewhere.. ugh.

obi-k
Valued Contributor II

Yeah, I just downloaded Mojave again, but the ​same thing. High Sierra is fine.

ooshnoo
Valued Contributor

Reboot. Then run the installer again.

obi-k
Valued Contributor II

Rebooted worked. Doh.

a_stonham
Contributor II

I have downloaded a brand new copy of Install macOS Mojave.app as per the links from apple. Howerver i am stil getting the certificate expiry issue when using startosinstall. Has any one else seen that?

Contents of /var/log/install.log

mountDiskImageWithPath: /Applications/Install macOS Mojave.app/Contents/SharedSupport/InstallESD.dmg
2019-10-27 13:04:16+08 wstpe8-m20728 osinstallersetupd[89527]: Failed to open OSInstaller because the installer is not trusted: Error Domain=PKProductErrorDomain Code=0 "(null)" UserInfo={PKTrustLevel=3, NSUnderlyingError=0x7fc94a7118a0 {Error Domain=NSOSStatusErrorDomain Code=-2147409654 "CSSMERR_TP_CERT_EXPIRED" UserInfo={SecTrustResult=5, PKTrustLevel=PKTrustLevelExpiredCertificate, NSLocalizedFailureReason=CSSMERR_TP_CERT_EXPIRED}}}

donmontalvo
Esteemed Contributor III

@a.stonham looks like others reported a reboot fixes that issue?

--
https://donmontalvo.com

a_stonham
Contributor II

@donmontalvo I tried a reboot same issue. The GUI installer works startosinstall fails.

donmontalvo
Esteemed Contributor III

Would open a tic with Apple.

--
https://donmontalvo.com

James_Shaw
New Contributor

Cheers for the heads up, this has helped us immensely

hcodfrie
Contributor

If you deploy the hp print driver pack you also need to gedownload that package

https://support.apple.com/kb/dl1888?locale=en_US

Mhomar
Contributor

Hi All, I am in the middle of deploying macOSUpd10.14.6Supplemental2.pkg and SecUpd2019-005HighSierra.pkg. As of the 24th, all computer that ran either one of these updates returned this in Jamf Pro: "Installation failed. The installer reported: installer: Package name is Security Update 2019-005
installer: Certificate used to sign package is not trusted. Use -allowUntrusted to override." as pointed out above, this is the Cert expired issue. Where can I get the updated security updates from? I need to be able to download them from an Apple site.

donmontalvo
Esteemed Contributor III

https://support.apple.com/downloads/

--
https://donmontalvo.com

Mhomar
Contributor

@donmontalvo I am not seeing any current updates there. They are still saying Sept 26th?

Mhomar
Contributor

@donmontalvo even then I do not see this package : macOSUpd10.14.6Supplemental2.pkg

donmontalvo
Esteemed Contributor III

This one is updated, even though the page itself isn't:

Download Security Update 2019-005 (High Sierra)

If the other one isn't updated, would open a ticket with AppleCare Enterprise Support to request download link.

They're pretty quick to response. They usually have to rattle someone's cage to get these pages updated. :)

--
https://donmontalvo.com

Hugonaut
Valued Contributor II