Redownload Archived macOS Installers to Address Expired Certificates

ace · October 28, 2019, 6:11pm

Originally published at: https://tidbits.com/2019/10/28/redownload-archived-macos-installers-to-address-expired-certificates/

Signing certificates for macOS installers have expired, so Apple consultants and IT admins who maintain troubleshooting toolkits containing older installers will need to download new copies.

blm · October 28, 2019, 7:56pm

Is there a way to see when the signing certificates expire? I thought I knew how, but when I use that procedure it shows the Mojave and Catalina installers I just downloaded expiring in April of 2021 (which is better than last Thursday, but still only 1.5 years away.)

ace · October 28, 2019, 9:05pm

Yes, in theory (I haven’t tried this—too much happening today). Howard Oakley explains at:

cwilcox · October 28, 2019, 9:15pm

For older OS’s that you can now download directly from the web (Sierra, El Capitan, Yosemite), open the .dmg and run the .pkg inside. The Installer window has a padlock in the top right corner you can click to see the certificate details. To do this with an “Install macOS ?.app” installer downloaded through the App Store, you have to right-click it, Show Package Contents, go to Contents/SharedSupport/, mount InstallESD.dmg, then open Packages/OSInstall.mpkg. I did this for copies of High Sierra and Mojave I just downloaded, they do expire April 14, 2029. Note that this doesn’t work if your computer is too new to run the OS you’re trying to check.

cwilcox · October 28, 2019, 9:54pm

I’ll add that if your computer is too new to run a particular OS installer, you can still check if the package certificate is valid, not expired. Run this in Terminal: pkgutil --check-signature /path/to/installer.pkg. The command is for any signed package, not just Apple OS installers. Here’s the output for the Yosemite installer:

pkgutil --check-signature /Volumes/Install\ OS\ X/InstallMacOSX.pkg 
Package "InstallMacOSX.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 75 86 00 B2 79 B3 ED 1D B5 52 46 5B 17 63 E5 89 87 85 D5 73
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: E3 30 E5 04 00 4B D2 5C 45 80 0A F2 D5 1B 03 D5 77 27 B7 01
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

When I run the same command on OSInstall.mpkg from within the Mojave installer, the fingerprints are identical so that means the expiration dates are the same.

blm · October 28, 2019, 11:05pm

Thanks all. I was looking at the codesigning certificates on the installer applications themselves, when I dig down to the actual packages I see the 2029 date as expected.

mschmitt · October 29, 2019, 12:09am

I don’t get this. As explained in the macOS Code Signing in Depth technical note:

Signatures with cryptographic timestamps are validated against the signing time … the code signing and validation engines accept signatures made with expired certificates. This means that your signed code will not become invalid when your certificate expires.

In other words, when a code-signed application is validated, what matters is whether the certificate was valid as of the time the code was signed, not whether it later expires (unless, of course, it is revoked).

So why are we having to re-download the installers again? Is Apple not following their own rules?

cwilcox · October 29, 2019, 1:41am

Code signing applications is not the same as signing installation packages.

ron4 · October 29, 2019, 2:50am

When I try to get the High Sierra or Mojave installers, the link takes me to a page where the link only takes me to the app store where those installers do not appear anywhere that I can see. The links for El Capitan, Sierra, and Yosemite got me to a page where I could download a dmg so those seem to work.

marius · October 29, 2019, 2:56am

Just checked what I can download from an iMac running High Sierra and I am currently downloading Lion. Will report certificate status later.

marius · October 29, 2019, 3:25am

Just ran the freshly downloaded Lion installer. No complaints about expired certificates. However, I can not find the certificate information in the location that Curtis described.

Gobit · October 29, 2019, 4:01am

Similar problem for me:

currently installed and running MacOS is Mojave 10.14.6
both the Mojave and High Sierra links open up the App Store which promptly throws up an error message saying “Cannot connect to the App Store”. The error message is actually not true as I CAN search the App Store, check my account details, etc so must be connected.
Sierra, El Capitan and Yosemite all download.

Strange.

Cheers, Gobit

cwilcox · October 29, 2019, 4:38am

Right now I’m also getting a “Cannot Connect to App Store” dialog, maybe these specific resources are overloaded because so many people want the installers with current certificates.

cwilcox · October 29, 2019, 4:43am

Can you please provide the link you used to download Lion? Others have found they couldn’t locate OS installers older than Yosemite. If you downloaded it from within the App Store, the view within the Store should have a button with three dots next to the “Get” button, the three dots button has a Copy Link option.

If you ran an OS installer that ends in .app, it won’t have the padlock in the top right corner, that’s only displayed for .pkg (and .mpkg) files opened by Installer.

jim13 · October 29, 2019, 5:00am

This applies to other Apple installers besides macOS installers. We have been using a Ricoh printer driver installer from Apple that quit working last week, too.

ssj152 · October 29, 2019, 1:25pm

I have the same problems and get the same response on my 2017 iMac running Mojave and it was really bugging me until I saw that I wasn’t alone. Now I have hope that someone will find a solution or I will go with the date change workaround with the Installer I have.

dave2 · October 29, 2019, 2:48pm

I also was able to download the Yosemite, El Capitan and Sierra installers using the direct link in the Apple support documents, but the High Sierra and Mojave support documents lead to the ‘Cannot connect to App Store’ message.

So I called Apple and a senior AppleCare advisor told me he got the same message. He elevated the issue to engineering and said he’ll get back to me if engineering tells him anything. Will post what he says if he connects with me again.

CndRod · October 29, 2019, 6:00pm

I am sure that I am no where the technical level of the rest of you … so please do not laugh at this question. I just spent more than 2 hours in a chat with Apple support only to be told I could not upgrade any longer to Mojave from my current Sierra. At the very end of the chat I discovered this site and this info. No one at Apple knew anything about this … I spoke to 3 different people during my chat.

My question, can use the link you provided for Mojave that took me to app store to upgrade my Sierra to Mojave without any problems? Hoping I do not need any special computer software skills.

I truly appreciate any help and/or direction.
Thank you.

ace · October 29, 2019, 7:22pm

If you’re using a Mac that supports Mojave (which that page will clarify), then yes, you should be able to use the link in the article to download Mojave and install it. People were seeing App Store errors earlier today, but I just got through in another test, so it’s possible that Apple has fixed those.

johnbeare298 · October 29, 2019, 7:55pm

As others have noted High Sierra and Mojave are obtained via the App Store. I am still using El Capitan but had older copies of High Sierra and Mojave stored on my computer for future consideration. The App Store wanted to open these copies so I had to trash them before the updated copies would download.