Checking a macOS installer app is easier with Taccy 1.6

Although Taccy 1.5 made it straightforward to check whether the signature of one of Apple’s macOS installer apps is still valid, it remained fiddly and prone to error. Version 1.6 tries to make this much simpler, without relying on messing about in the Finder.

In 1.6, there’s a new menu command in the File menu, to Mount Disk Image. Select this command, and in the Open File dialog, navigate through the installer app until you reach disk images. In all the installers that I have seen, they are in the path Contents/SharedSupport as shown here.

Select the largest of those disk images, typically named InstallESD.dmog, and click on the Mount button (as it’s now named). Taccy then attempts to mount that disk image, which should appear in the Finder once that’s complete.

Then, use Taccy’s Open command to select one of the Installer packages within that mounted disk image. They’re normally inside the Packages folder. Although all the packages there should be signed with the same certificates, it’s a good idea to select the largest of them, here Core.pkg. Then click the Open button.

Taccy then checks that package, and reports on its signature and certificates.

I did look at trying to do this in one fell swoop, but because of the variation between installer apps I don’t think that would be as reliable, and would be easily broken in the future.

Other improvements in this version include:

I have added a ‘busy spinner’ to make it clear when Taccy is waiting for signature checks to complete.
I have added support for checking older Installer packages, even though they’re all likely to return that the package is unsigned.
Opening and checking installer apps is detailed in the Help book, which is now fiteen pages long.

Support for older Installer packages proved rather strange. Modern packages have a UTI of com.apple.installer-package-archive, which is specified as a document type which Taccy can work with. Although older packages use the same extension, they don’t share that UTI. So when you tried to open a file in Taccy, version 1.5 didn’t offer those as being suitable choices. Unfortunately, because these are older packages,they’re almost certainly unsigned, so there is precious little useful information about them.

One useful piece of information I have discovered testing Taccy is that installer apps for all release versions of Catalina appear to have new security certificates, so shouldn’t need to be downloaded again.

Taccy version 1.6 is available from here: taccy16
from Downloads above, from its Product Page, and through its auto-update feature.

9Comments

Add yours

1

moses241 on October 28, 2019 at 8:46 am

This is great, keep it up dear

LikeLiked by 1 person
2

Ingo on October 28, 2019 at 6:36 pm

Thank you, Howard. I want to add, that it’s important, to really look at one of the Install-Packages that are stored in the InstallESD.dmg as given in your description. The ‘Install OS X El Capitan.app’, downloaded in September 2019, has got an OSInstall.mpkg next to the InstallESD.dmg in the directory SharedSupport. This OSInstall.mpkg doesn’t carry a certificate but the packages, including another incarnation of the OSInstall.mpkg, in the InstallESD do. A question remains, why a copy of the OSInstall.mpg is present outside the InstallESD.dmg at all. Though it will start upon Open and ask for the Acknowledgment of the Software License Agreement it will finally abort execution with a message like “Couldn’t find the necessary files”.

LikeLiked by 1 person
3

Valdo on October 29, 2019 at 8:12 am

Interesting app, not possible to implement PGP Signature check if this is available in the installer?

LikeLiked by 1 person
- 4
  
  hoakley on October 29, 2019 at 8:28 am
  
  Not impossible, but as Apple installers don’t use PGP signatures, there would appear to be very little need.
  Howard.
  
  LikeLike
5

Valdo on October 29, 2019 at 3:26 pm

OK, now I understood that this is limited to Apple. The logic was that tick box next to Apple…

LikeLiked by 1 person
- 6
  
  hoakley on October 29, 2019 at 4:05 pm
  
  No it’s not.
  The current emergency is about Apple installers and updaters, but the same features can be used with any updater or installer.
  To be able to use that updater or installer on Catalina, it has to be signed and notarised. Signing requires a valid signature, which Taccy checks. Notarisation requires the package or app being checked by Apple and issued with a ticket, which Taccy checks.
  Of course someone could produce an unsigned installer app or updater, but that isn’t going to be simple when used in Catalina. To do that, you’d maybe use a proprietary format. Taccy can’t be expected to know how to deal with that, I’m afraid.
  Did you have something specific in mind?
  Howard.
  
  LikeLike
7

Valdo on October 29, 2019 at 4:38 pm

As example, Tor is providing PGP signature only and no Checksum, the later can be handled with a nice GUI from AppStore. See this:

https://www.coindesk.com/fake-tor-browser-has-been-spying-stealing-bitcoin-for-years

LikeLiked by 1 person
- 8
  
  hoakley on October 29, 2019 at 5:24 pm
  
  That verifies the download, not whether its contents are validly signed etc.
  What format installers and updaters are you looking at?
  Howard.
  
  LikeLike
9

Checking macOS Installer Certificates | Macessence Blog on November 6, 2019 at 7:00 am

[…] Here is a link on the Electric Light website with more detailed information on how Taccy works. […]

LikeLike

Share this:

Related