hoakley October 18, 2019 Macs, Technology

Beware Apple security certificates after 24 October: they may have expired

A few days ago, Mac system administrators who have access to its Software Update Servers (SUS) noticed that those servers were reporting a very large number of new downloads of old software, for no apparent reason. These included different versions of Mavericks, for example.

The explanation for this has now become clear: most of Apple’s certificates used to sign those updates are due to expire on 24 October 2019. To ensure that those installers can still be used after that date, Apple has been hastily re-signing those installer packages before the deadline. The snag is that if you try to use an older version of that package after 24 October, once its certificate has expired, you’ll be unable to.

This is detailed in Rich Trouton’s blog.

If you have macOS or other Apple installers, chances are that they’ll be signed, or use as an intermediate certificate authority, by a certificate which expires very shortly. If you were to try installing that package, macOS will report that it’s damaged, and can’t be used. The installers affected can be very recent: I’ve checked an Installer package for the Mojave 10.14.6 Supplemental Update 2, which shipped on 23 September, just a month from the date of expiration, and both its intermediate and user certificates expire on 24 October 2019.

To check whether an installer is affected, double-click it to open it in the Installer app. At the top righthand corner of its window is a small padlock: click on that to review its certificate information. Most Apple installers refer to three levels of certificate:

Apple Root CA, the root certificate authority, should expire in 2035.
Apple Software Update Certification Authority provides the intermediate certificate, which is likely to expire on 24 October 2019.
Software Update, the user certificate, is also likely to expire on 24 October.

Normally it’s number 2 above which is the most critical: once an intermediate certificate has expired, all chained user certificates become invalid. Currently, the intermediate certificate for all third-party developer certificates doesn’t expire until 2027. It’s unclear why Apple gives its own certificates an intermediate which expires after less than five years (you may recall the last time this happened was in February 2015).

This is unfortunate timing, as it’s when those migrating to Catalina are likely to be downloading Mojave installers to give them a safe way back if necessary, or to use in a VM provided by Parallels Desktop or VMWare, for instance. In a week or two you could discover that those installers can no longer run because of this expiration. The only real solution is to wait until after 24 October, then download all important Apple installers, which should have new certificates.

Coincidentally, if you have a Mac running Catalina, you may find it the best way of getting earlier installers. According to Armin Briegel on Scripting OS X, the macOS 10.15 version of the softwareupdate command tool contains a new option which allows you to download full installers for specific versions of macOS. For example, the command
softwareupdate --fetch-full-installer --full-installer-version 10.14.6
should deliver you the latest Mojave installer. However, this probably doesn’t work for versions of macOS which aren’t supported on that model of Mac, and this doesn’t work in Mojave.

Thanks to Rich Trouton for explaining the imminent problem with Apple’s certificates on his invaluable blog.

23Comments

Add yours

1

Apple Security Certificates Expiring | Macessence Blog on October 18, 2019 at 5:55 pm

[…] to avoid any user problems, but this information is a little disconcerting to say the least. This article describes how this happened and what Apple is doing to correct […]

LikeLike
2

Samuel Herschbein on October 18, 2019 at 6:44 pm

In a VMware Catalina I tried downloading 10.11.6 via command line. It couldn’t find the update.

LikeLiked by 1 person
- 3
  
  hoakley on October 18, 2019 at 6:48 pm
  
  Was that on a Mac which was capable of running 10.11.6?
  softwareupdate will only download versions of macOS which can run on the Mac on which the command is run. For example, this iMac Pro shipped with 10.13.x, and can’t therefore download 10.12.x or earlier.
  Howard.
  
  LikeLike
4

Michael Tsai - Blog - Beware Apple Security Certificates After October 24 on October 18, 2019 at 8:16 pm

[…] Howard Oakley: […]

LikeLike
5

Apple: Wichtige Sicherheitszertifikate laufen aus - NG-A on October 21, 2019 at 9:59 am

[…] nicht sehr langfristig auf das Auslaufen der Zertifikate vorbereitet zu haben. Das Entwicklerblog Eclectic Light Company stellte fest, dass der Installer für das Mojave 10.14.6 Supplemental Update 2, das am 23. September ausgegeben […]

LikeLike
6

Apple: Wichtige Sicherheitszertifikate laufen aus – Mac & i – News on October 21, 2019 at 10:38 am

[…] nicht sehr langfristig auf das Auslaufen der Zertifikate vorbereitet zu haben. Das Entwicklerblog Eclectic Light Company stellte fest, dass der Installer für das Mojave 10.14.6 Supplemental Update 2, das am 23. September ausgegeben […]

LikeLike
7

Tony on October 23, 2019 at 9:35 pm

That’s interesting.

I have a Mojave Installer squirrelled away against problems in the future so I thought I would check it. The installer is dated 22nd August and I’m running Mojave 10.14.6 (the installer could be earlier than that but looks like 10.14.6.03?). I launched the installer and stepped through until I was presented with the ‘Install’ button.

At no time did I have a padlock icon. Do you have any other ideas of where to look (I’ve had a quick peek inside the bundle but don’t really know where to look)?

LikeLiked by 1 person
- 8
  
  hoakley on October 23, 2019 at 9:42 pm
  
  Thank you.
  My understanding is that this should only apply to Installer packages, rather than installer apps. As you know, app certificates are different from those of packages, and I think that the apps will run so long as the signature is valid at the time that they were signed.
  Unfortunately, getting information about certificates on apps seems harder: apps like Taccy and command tools will verify their signatures at the time, but not give detailed info about their certificates, in particular any intermediate certificate used, as the Installer app does.
  You don’t have long to wait now to discover whether you need to download it – and I and many others are in the same position.
  Howard.
  
  LikeLike
  - 9
    
    Tony on October 23, 2019 at 10:12 pm
    
    Ah, thank you. I’ll just wait then 😖
    
    LikeLiked by 1 person
  - 10
    
    Tony on October 25, 2019 at 9:26 pm
    
    My Mojave Installer does indeed now pronounce itself as ‘damaged’ and not open.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on October 25, 2019 at 10:10 pm
      
      I’m sorry about that – every single Apple installer and updater I have here is now broken. I will write more about this for Sunday morning.
      Howard.
      
      LikeLike
12

R. Lynn Rardin on October 24, 2019 at 3:53 pm

The softwareupdate command appears to be able to pull down installers for currently supported versions of macOS only. On a Mac that can boot 10.7.x+, I was able to pull down the High Sierra 10.13.6 installer, but attempts to pull down versions of macOS/OS X earlier than High Sierra resulted in an Update not found error:

softwareupdate –fetch-full-installer –full-installer-version 10.12.6
Downloading and installing 10.12.6 installer
Install failed with error: Update not found

LikeLiked by 1 person
- 13
  
  hoakley on October 24, 2019 at 8:43 pm
  
  Thank you. This may reflect Apple’s support policy, of course, although the App Store and Software Update pane are still, I think, more liberal. They need to be, of course, now that all old certificates are invalid and many users will need to replace their old installers.
  Howard.
  
  LikeLike
14

John Gilbert on October 24, 2019 at 11:22 pm

Apple downloads now has new versions of 10.14.6 update, combo update and supplemental update along with the latest security updates for High Sierra and Sierra. The packages have creation dates on 21 or 22 of September, but all have expired certificates!! Nevertheless, you can ignore the expired certificate and continue.

I have started testing my archive of macOS installs by creating new VMs in VMware Fusion. So far:

10.14.6: Installs without drama.

10.13.6: Fails with “This copy of the install macOS High Sierra application is damaged, and can’t be used to install macOS.”. Download what is now the current version of 10.13.6. This installs correctly. The packages inside its InstallESD.dmg have newer certificates though file creation dates seem the same.

LikeLiked by 1 person
15

John Gilbert on October 25, 2019 at 12:59 am

Continuing….

10.12.6: With my existing Sierra install app, it fails with “This copy of the install macOS High Sierra application is damaged, and can’t be used to install macOS.”. Download what is available as the current version of 10.12.6 (using https://apps.apple.com/app/id1127487414?mt=12 from within my High Sierra VM). This also fails to install as being damaged.

My conclusion is that Apple has not only dropped support for Sierra (and I assume older), but Apple is no longer providing a valid install app.

LikeLiked by 1 person
- 16
  
  hoakley on October 25, 2019 at 6:20 am
  
  Thank you your survey.
  From all that I hear, Apple is still in the process of replacing installers and updaters with newly-signed versions. Don’t draw any conclusions just yet, as the situation will continue to change as engineers work through a very large backlog.
  There are also simpler ways of testing – an article is just about to appear here addressing that, and I have an update to Taccy which is currently in testing and due for release later today (UTC).
  Howard.
  
  LikeLike
17

Philip Noguchi on October 26, 2019 at 9:41 pm

Howard,

I managed to install Catalina on a external SSD in Thunderbolt connected enclosure. I was very surprised that all the apps I use currently ran without issue. Kudos to many developers.

Then I began to see the issue with the expired Apple security certificates after 24 October. I have been searching for ways to download appropriate unexpired installers. On my Catalina installation I managed to use the terminal command softwareupdate –fetch-full-installer –full-installer-version to download both the Catalina and Mojave installer.

Ironically I found an apple technical note for catalina installation that also contained some links for downloads from the App Store for Catalina, Mojave and High Sierra, and direct download links to disk images for Sierra and El Capitan that contained installer packages instead of installer apps (https://support.apple.com/en-us/HT201475). At the bottom of the this Tech Note:

“For the strongest security and latest features, upgrade to macOS Catalina. If you have hardware or software that isn’t compatible with Catalina, you might be able to install an earlier macOS, such as Mojave, High Sierra, Sierra, or El Capitan.

You can also use macOS Recovery to reinstall macOS.
Published Date: October 18, 2019”

Clicking on the Mojave etc links give another page with links for the particular MacOS. For both Sierra and El Capitan the name of the disk image is InstallMacOSX.dmg, so you need to rename to know whether it is Sierra or El Capitan. Since these later two images have packages, you need to open the package to create an installer that only can be created on a disk with a MacOS system installed. With Mojave I was able to create both Sierra and El Capitan installers, which wouldn’t open as expected.

Catalina is challenging. Backups with Time machine did not seem to work for me. The latest version of Carbon Copy Cloner was able to create an APSF formatted spinning drive that could back up Catalina AND could be booted from. It was much slower to be sure, but I was amazed that a spinning drive could actual boot and run Catalina!

LikeLiked by 1 person
- 18
  
  hoakley on October 26, 2019 at 10:04 pm
  
  Thank you, Philip.
  That’s a useful article to which I’ll provide links in due course.
  I’m sorry that you’ve experienced problems with Catalina’s Time Machine – it’s one feature which I haven’t looked at yet, but reports during the beta phase didn’t seem worrying. Apparently Catalina needs to convert existing TM backups in some way before it can run, and once they’re converted they can’t be used from Mojave or earlier, I believe.
  Enjoy!
  Howard.
  
  LikeLike
  - 19
    
    Philip Noguchi on October 28, 2019 at 6:58 pm
    
    Hi Howard,
    
    Some more “features” on old Macos installers. There is a thread on Macintouch that among other things reveals that the “new” Sierra installer has some unlikely “feature” that prevents making a bootable Sierra installer (https://www.macintouch.com/community/index.php?threads/app-store-software-updates.687/page-9.” It seems to be peculiar to the “new” Sierra installer, as the old one works fine to create a bootable installer. I have verified this “feature”, but have been able to create bootable installers for Catalina, Mojave, High Sierra, El Capitan and even Yosemite! (link for Yosemite on https://www.macrumors.com/how-to/how-to-fix-a-damaged-macos-installer/).
    
    When was it that the Macos “just worked”?
    
    LikeLiked by 1 person
    - 20
      
      hoakley on October 28, 2019 at 11:46 pm
      
      Thank you, Philip.
      There seem to be problems with some of the other installers: an El Cap package can’t apparently be installed in a VM, although its predecessor (now certificate-expired) could be.
      I think there’s a lot of dust to settle in this hurried and botched job of updating the installers and updaters.
      Howard.
      
      LikeLike
21

Sam on November 1, 2019 at 12:01 am

Why is this an issue? Microsoft has this all figured out, for quite a while, via signature timestamping. The signature of the file is uploaded to a CA, which signs the signature certifying that the time is correct. This prevents backdating, so if all the certificates were valid as of the date of the timestamp, then the signature is accepted anytime in the future.

LikeLiked by 1 person
- 22
  
  hoakley on November 1, 2019 at 12:08 am
  
  That’s the way that regular app signatures work AFAIK. So long as the signature was valid at the time of signing, and hasn’t been revoked, it’s accepted.
  But these aren’t ordinary apps. Apple therefore imposes additional requirements on them.
  There’s also the problem that one of the certificates is the intermediate: that’s required for the chain of trust.
  Howard
  
  LikeLike
23

MacOS Mojave installer keeps saying the file is damaged or corrupted, HELP! - I Hate Quick Questions on December 20, 2019 at 7:08 pm

[…] read this and it will all make […]

LikeLike