Although Taccy 1.5 made it straightforward to check whether the signature of one of Apple’s macOS installer apps is still valid, it remained fiddly and prone to error. Version 1.6 tries to make this much simpler, without relying on messing about in the Finder.
In 1.6, there’s a new menu command in the File menu, to Mount Disk Image. Select this command, and in the Open File dialog, navigate through the installer app until you reach disk images. In all the installers that I have seen, they are in the path Contents/SharedSupport as shown here.
Select the largest of those disk images, typically named InstallESD.dmog, and click on the Mount button (as it’s now named). Taccy then attempts to mount that disk image, which should appear in the Finder once that’s complete.
Then, use Taccy’s Open command to select one of the Installer packages within that mounted disk image. They’re normally inside the Packages folder. Although all the packages there should be signed with the same certificates, it’s a good idea to select the largest of them, here Core.pkg. Then click the Open button.
Taccy then checks that package, and reports on its signature and certificates.
I did look at trying to do this in one fell swoop, but because of the variation between installer apps I don’t think that would be as reliable, and would be easily broken in the future.
Other improvements in this version include:
- I have added a ‘busy spinner’ to make it clear when Taccy is waiting for signature checks to complete.
- I have added support for checking older Installer packages, even though they’re all likely to return that the package is unsigned.
- Opening and checking installer apps is detailed in the Help book, which is now fiteen pages long.
Support for older Installer packages proved rather strange. Modern packages have a UTI of com.apple.installer-package-archive, which is specified as a document type which Taccy can work with. Although older packages use the same extension, they don’t share that UTI. So when you tried to open a file in Taccy, version 1.5 didn’t offer those as being suitable choices. Unfortunately, because these are older packages,they’re almost certainly unsigned, so there is precious little useful information about them.
One useful piece of information I have discovered testing Taccy is that installer apps for all release versions of Catalina appear to have new security certificates, so shouldn’t need to be downloaded again.