Thursday, April 14, 2016

Check Packages for Expired Certificates in Mac OS X

How to check package files for expired certificates
Many Mac users download package files of combo updates or other software so they can install them on multiple computers without updating through the Mac App Store. This is particularly common among Mac systems administrators, for whom it makes more sense to download a single package update or installer once and distribute it over a network or install it manually from a USB drive. There is nothing wrong with this approach, and in fact it’s much more efficient for multi-Mac management. One potential hiccup arises when a package installer or update file has an expired certificate, which will prevent the package from installing entirely. The situation becomes obvious when you get an “(application installer) was signed with a certificate that has expired” error message.

To avoid this situation, you can check package signatures yourself to see if they are valid, if they have expired, or even if they have no signature at all.

How to Check Package Signature Status in Mac OS X with pkgutil

The excellent pkgutil command line utility can easily determine the status of any package signature and certificate. It’s easy to use, so launch the Terminal app from /Applications/Utilities/ and try it out yourself.
The basic syntax to use for checking a package signature status is like so:
pkgutil --check-signature /Path/to/Example.pkg
Hit return and you’ll find out if the signature is valid, if the signature has expired, or if there is no signature at all.
For example, let’s say we have a Mac OS X Combo Update software installer package, a common scenario for sysadmins updating multiple Macs. You could check the status of that package’s signature like so:
pkgutil --check-signature ~/Downloads/OSXUpdateCombo10.10.2.pkg
Package "OSXUpdateCombo10.10.2.pkg":
Status: signed by a certificate that has since expired

In this case, the signature for the update package has expired, meaning the installer will throw an error if you try to use it.
Not all package installers have signatures, however. While any software update file from Apple will, packages from third parties often do not. For example, this package installer file has no signature and should be treated accordingly (i.e. if you don’t trust the source, perhaps reconsider using it).
pkgutil --check-signature ~/Downloads/MysterySketchyInstaller-21.pkg
Package "MysterySketchyInstaller-21.pkg":
Status: no signature

If a package file is dubious, you can use pkgutil to verify the code signature and extract the package without installing it, so you can inspect it further. If you prefer a GUI, an app like Pacifist offers similar package management tools in a friendlier interface, even if it’s still on the advanced side of things.
Like all good command line tools, pkgutil accepts wildcards, so you can easily check multiple packages at the same time. In this example we’ll check the signature of every *.pkg file contained within ~/Downloads:
pkgutil --check-signature ~/Downloads/*.pkg
Package "irssi-0.8.17-0.pkg":
Status: no signature

Package "wget-4.8.22-0.pkg":
Status: no signature

Package "ComboUpdateOSXElCapitan.pkg":
Status: signed by a certificate that has since expired

Package "InstallOSXSequoiaBeta.pkg":
Status: valid

Package "HRFDeveloperTools.pkg":
Status: valid

Wildcards make quick work of checking the certificate status of many different package files. Just be sure you specify *.pkg so the process completes without stopping on a file that is not a recognized package.
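
When the wildcard check covers many packages, the useful question before distributing them is which ones to hold back. The script below is an added example, not part of the original post: it turns pkgutil output into one verdict per package and exits non-zero if any package is expired, unsigned, or has a status it does not recognise. The function names, the verdict labels and the embedded sample are assumptions made for illustration, and the parser assumes the Package/Status output format shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes pkgutil prints the
# two-line Package/Status records shown above.

# Reads pkgutil output on stdin; prints "VERDICT<TAB>package" per package.
classify_signatures() {
  awk '
    /^[ \t]*Package "/ {
      pkg = $0
      sub(/^[^"]*"/, "", pkg)      # strip up to the opening quote
      sub(/":?[ \t]*$/, "", pkg)   # strip the closing quote and colon
      next
    }
    /^[ \t]*Status:/ && pkg != "" {
      status = $0
      sub(/^[ \t]*Status:[ \t]*/, "", status)
      if (status ~ /expired/)            verdict = "EXPIRED"
      else if (status ~ /^no signature/) verdict = "UNSIGNED"
      else if (status ~ /^valid/)        verdict = "OK"
      else                               verdict = "REVIEW"  # unknown wording
      printf "%s\t%s\n", verdict, pkg
      pkg = ""
    }'
}

# Prints every package that is not OK and returns non-zero if there is one.
report_blockers() {
  awk -F '\t' '$1 != "OK" { print; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample in the format shown in this post.
sample_output() {
  cat <<'EOF'
Package "wget-4.8.22-0.pkg":
   Status: no signature
Package "ComboUpdateOSXElCapitan.pkg":
   Status: signed by a certificate that has since expired
Package "HRFDeveloperTools.pkg":
   Status: valid
EOF
}

# macOS: sh check-pkgs.sh ~/Downloads/*.pkg ; no arguments runs the sample.
if [ "$#" -gt 0 ]; then
  pkgutil --check-signature "$@" 2>&1 | classify_signatures | report_blockers
else
  sample_output | classify_signatures | report_blockers ||
    echo "hold back the packages listed above"
fi
```

Any status wording other than the three shown in this post is reported as REVIEW rather than passed, so a package is only cleared when pkgutil explicitly reports it as valid.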

Source Url and Image: Check Packages for Expired Certificates in Mac OS X