A few days ago, Mac system administrators who have access to its Software Update Servers (SUS) noticed that those servers were reporting a very large number of new downloads of old software, for no apparent reason. These included different versions of Mavericks, for example.
The explanation for this has now become clear: most of Apple’s certificates used to sign those updates are due to expire on 24 October 2019. To ensure that those installers can still be used after that date, Apple has been hastily re-signing those installer packages before the deadline. The snag is that if you try to use an older version of that package after 24 October, once its certificate has expired, you’ll be unable to.
This is detailed in Rich Trouton’s blog.
If you have macOS or other Apple installers, chances are that they’ll be signed, or use as an intermediate certificate authority, by a certificate which expires very shortly. If you were to try installing that package, macOS will report that it’s damaged, and can’t be used. The installers affected can be very recent: I’ve checked an Installer package for the Mojave 10.14.6 Supplemental Update 2, which shipped on 23 September, just a month from the date of expiration, and both its intermediate and user certificates expire on 24 October 2019.
To check whether an installer is affected, double-click it to open it in the Installer app. At the top righthand corner of its window is a small padlock: click on that to review its certificate information. Most Apple installers refer to three levels of certificate:
- Apple Root CA, the root certificate authority, should expire in 2035.
- Apple Software Update Certification Authority provides the intermediate certificate, which is likely to expire on 24 October 2019.
- Software Update, the user certificate, is also likely to expire on 24 October.
Normally it’s number 2 above which is the most critical: once an intermediate certificate has expired, all chained user certificates become invalid. Currently, the intermediate certificate for all third-party developer certificates doesn’t expire until 2027. It’s unclear why Apple gives its own certificates an intermediate which expires after less than five years (you may recall the last time this happened was in February 2015).
This is unfortunate timing, as it’s when those migrating to Catalina are likely to be downloading Mojave installers to give them a safe way back if necessary, or to use in a VM provided by Parallels Desktop or VMWare, for instance. In a week or two you could discover that those installers can no longer run because of this expiration. The only real solution is to wait until after 24 October, then download all important Apple installers, which should have new certificates.
Coincidentally, if you have a Mac running Catalina, you may find it the best way of getting earlier installers. According to Armin Briegel on Scripting OS X, the macOS 10.15 version of the
softwareupdate command tool contains a new option which allows you to download full installers for specific versions of macOS. For example, the command
softwareupdate --fetch-full-installer --full-installer-version 10.14.6
should deliver you the latest Mojave installer. However, this probably doesn’t work for versions of macOS which aren’t supported on that model of Mac, and this doesn’t work in Mojave.
Thanks to Rich Trouton for explaining the imminent problem with Apple’s certificates on his invaluable blog.