Last Week on My Mac: Time management

Whatever they might teach on MBA courses, there’s an inevitability about time. Hide under the bedclothes as much as you like on Sunday, it’s an inescapable fact that tomorrow will be Monday. Almost twenty years ago, all those well-paid executives learned that they couldn’t stop the arrival of Y2K and had to prepare. Nearly five years ago, Apple’s senior managers learned that even Einstein couldn’t work his way around dates of expiry of security certificates. Yet last week we’ve borne the brunt of a repeat performance.

In case you hadn’t noticed it, almost all of Apple’s existing installers and updaters now lie in tatters, their signing certificates expired, because Apple did too little too late. It failed to plan for the progression of time.

The first time this struck Apple (and had impact on many users) was in March 2012, when a lot of the Software Update certificates on Mac installers expired. At the time, as Rich Trouton observed, users could work around this when using the Installer app, but it wasn’t so easy at the command line.

The problem struck again in February 2015, when an Intermediate Certificate from the Apple Software Update Certificate Authority expired. Apple then had to re-sign and reissue many installers and updaters to cope with that crisis. The new Intermediate Certificate used then was set to expire on 24 October 2019, a date which gave Apple over four years to plan for, to ensure that there’d be no disruption when it arrived.

Since the release of Mac OS X 10.6 Leopard in October 2007, major releases of Mac operating systems have taken place between July and October. Sure enough, this autumn/fall macOS 10.15 Catalina was scheduled for release, and the period September to October was going to be very busy with releases and updates. It wasn’t going to be a good time to have to change certificates, or to reissue old installers and updaters with new ones.

With the release of the last Supplemental Updates to Mojave and the imminence of Catalina, this was a time when a lot of users were downloading full Mojave installers, either to set up virtual machines or to keep at hand in case their upgrades went awry. But until the end of September, each of those Mojave installers was still being signed using certificates which were going to expire in less than a month. Now every downloadable installer or updater offered by Apple prior to the end of September has to be replaced with an identical installer using new certificates.

Thankfully, rumours that the first release Catalina installers also relied on certificates which expired on 24 October have proved to be false. However, as has transpired, checking when any given macOS installer app’s certificates expire has proved technically demanding, and not something ordinary users can do, say, in the Finder.

Looking at these re-signed Installer packages, the new Intermediate Certificate is valid from 22 March 2019, and doesn’t expire until 15 October 2031. The Software Update certificate itself is valid from 17 April 2019, and expires on 14 April 2029. The one lesson that Apple does appear to have learned is to issue certificates which don’t expire so soon.

But how come certificates which came into force in March and April of this year are only now being used in October? Were they actually created and ready to use that long ago, or has someone backdated them to make it look as if it was someone else’s fault that they haven’t been used for six months?

Meanwhile, as Apple’s engineers frantically try to dig its services out of this deep hole, crucial downloads just vanished. One example was Swift 5 Runtime Support for Command Tools, previously available from here, which just went missing for days (it’s available again, now). If you’re running any version of macOS prior to Mojave 10.14.4 – which includes High Sierra, still officially supported by Apple – you need to download and install this in order to run command tools built using Swift 5. Without it, you simply can’t run those tools because those libraries, incorporated into recent releases of macOS, aren’t supplied as part of previous versions of the system.

Like many other users, I now have tens of gigabytes of Apple installers and updaters whose certificates have expired. Replacing them isn’t going to be an easy task, as Apple thinks it’s good to hide them away, rather than providing ready access. Even if I can find El Capitan in the App Store, Software Update won’t let me download it, as neither of my current Macs can run it. Others report that they’re unable to obtain a re-signed copy of the El Capitan installer even on Macs which can run it.

As usual, Apple isn’t saying anything, not to users or developers. Its most meaningful communication about this inexcusable failure of support were the 404 errors from download pages. There’s no explanation, no apology, no timescale, no support. Yet again, it seems to hope that if it pretends nothing has happened, we’ll all forget about it. Just like Apple clearly did until someone’s Calendar notified them that crucial certificates expired in a few days time.

That’s corporate planning for you: just pretend the inexcusable never happened. Maybe that’s the MBA approach to time management.

6Comments

Add yours

1

leoofborg on October 27, 2019 at 1:05 pm

C’mon enduser. You can get any installer as long as you install Catalina Vista on just one machine.

You’ll like it. WE KNOW you’ll like it. And, it’s the only way you can get previous installers. And that Game thing. And busted up iTunes. And Notarization.

It’ll break anything that matters to you and lose you some old email but INSTALL CATALINA TO GET YOUR OLD INSTALLERS BACK.

Trust us.

LikeLiked by 1 person
2

Paul on October 28, 2019 at 3:09 pm

A colleague of mine has been installing Mojave this morning on a Mac Mini (he doesn’t want Catalina at this point) and post install, X Code installation has failed. It appears to be an out of date certificate. Pretty annoying as you suggest when you are in the midst of a clean install for an OS that has been live for a good deal of time. He is a web app / Android developer (Mac is a test device for iOS versions).

LikeLiked by 1 person
- 3
  
  hoakley on October 28, 2019 at 3:54 pm
  
  The App Store version of Xcode is likely to be the best bet until this is all sorted out, I’m afraid.
  Howard.
  
  LikeLike
4

Charlzm on October 30, 2019 at 4:59 pm

So this is the cause of archived Apple installers all failing last week? An expired certificate?

I tried to use squirreled-away installers for 10.14.5, 10.13.6 and 10.12.6 last Thursday and got a message about the installer being “damaged” on all of them.

Since then, newer installers have been released by Apple to replace the older ones. Problem is, if you want anything other than the last release of an OS (for instance, you want 10.12.5 instead of 10.12.6), you are simply screwed now. The old installers stopped working and Apple is not offering re-signed, new ones.

So, if you have software that is only certified up to, say 10.14.5, Apple is only offering 10.14.6. This is the case with some versions of Avid Media Composer that clients want installed on their rental machines. Apparently, the Adobe CC suite doesn’t run well on 10.14.6, either.

But wait! There is a workaround! If you use your previously-created bootable installer, boot into recovery mode, erase the internal hard drive, open Terminal and change the date on the system to some point before the date on the expired security certificate, you can still install!

UNLESS it’s a Mojave installer of some flavor. Those still don’t work.

Friggin’ Apple.

So, for the record: you can still get your old installer to work for any operating system from 10.13.X backwards by using Terminal. As of this moment, the only flavor of Mojave installer that is currently working is 10.14.6 and only then because i freshly downloaded it. I have 10.14.5, 10.14.3 and 10.14.0 installers that are now unusable with no solution I am aware of.

LikeLiked by 1 person
- 5
  
  hoakley on October 30, 2019 at 6:26 pm
  
  One warning to those who might try this at home: setting your system clock to an incorrect time can break quite of lot of things which you might not expect. Some security and protection systems rely on the clocks at each end being in close synchrony. When they’re not, those services won’t work. Another more obvious problem is that all file dates become rubbish and useless, which can also have serious consequences.
  I don’t recommend that you try this unless you really know what you’re doing, and the problems it imposes.
  Howard.
  
  LikeLike
6

Michael Tsai - Blog - Beware Apple Security Certificates After October 24 on October 31, 2019 at 7:23 pm

[…] Update (2019-10-31): Howard Oakley: […]

LikeLike

Share this:

Like this:

Related