Explainer: macOS updaters

Updating macOS used to be much like updating any other software, with some added twists to challenge the engineers. Most obvious among those is how to do this while running macOS. When all Macs supported removable media such as optical disks, one straightforward solution was to boot from that. Now the average Mac only has fixed internal storage, the solution lies in booting from a disk image provided within the update.

The next hurdle for macOS updaters is the requirement to install any required firmware update, introduced in 2015 when Apple stopped providing standalone firmware installations. Although fairly straightforward on Intel Macs without a T2 chip, this adds a sequence in which T2 Macs shut down the whole of the Intel side of the Mac in order to install firmware for the T2, still a chilling experience during which the computer plays dead.

Up to and including macOS Catalina, all the updater really had to do was replace all updated files in the system, then boot the Mac from that updated system. As this can be readily performed by an Installer package, Apple provided users with the option of updating online through the Software Update pane (or its command line equivalent softwareupdate), or downloading a standalone package to use offline. For the convenience of users, Apple provided two types of standalone package: a Delta update to go from the immediately previous version of macOS to the next, and a Combo update with all changes since the initial public release of that major version of macOS.

The only problems encountered with this practice were failed and faulty updates, and the eventual expiry of security certificates used to sign standalone Installer packages.

Prior to Big Sur, macOS didn’t perform any integrity checks on its system files. Once a copy of the system had been updated, there was no means by which the installer could verify that the updated copy was as intended by Apple. Errors were not uncommon, sometimes leaving system files without being updated, or leaving them damaged or corrupted. Users were only too familiar with the problems these caused, and solutions such as installing the Combo update or performing a full re-install of macOS.

Catalina made a small step in the right direction, in mounting the System volume read-only, which provided some protection from damage or corruption of system files after they had been updated. But it didn’t address problems occurring during updating at all. For that, we had to wait for Big Sur.

The updater’s tasks in Big Sur and Monterey are so much more complex than before that Apple has developed a completely different updater. In essence, this now:

boots the Mac from a custom minimal macOS system,
performs any firmware updates as before, with the addition of M1 firmware,
updates the contents of the System volume,
builds a tree of cryptographic hashes to include all files on the System volume,
hashes the top-level cryptographic hash (the Seal) to form its Signature, which is then checked with Apple’s expected value,
makes a snapshot of the signed and sealed System volume to form the boot System volume,
boots the Mac from the updated system and performs any configuration and clean-up.

In addition, Big Sur and later use huge cache files for the active contents of Frameworks and Private Frameworks code, which are assembled in /System/Library/dyld. As those frameworks are usually changed extensively in macOS updates, one of the big challenges for updaters is minimising the size of updates.

To accomplish this, the update takes three phases: download, preparation, and installation. The second of those, run by the Update Brain Service com.apple.MobileSoftwareUpdate.UpdateBrainService, assembles all the components required, verifies them, decompresses data and readies it for the final phase.

Building the hash tree and checking it against Apple’s master value uses tools which aren’t made available, and I suspect Apple sees it as a security advantage that they’re buried in the update where they’re far more difficult to extract or exploit. However, it takes much more than an Installer package to update Big Sur and Monterey. Apple therefore doesn’t provide any standalone form of updater equivalent to the Delta or Combo updates of the past, although there’s no engineering reason that a Delta installer app couldn’t be introduced.

From the initial release of Big Sur onwards, users have only two choices for updating macOS: they can perform an online Delta update using Software Update (or softwareupdate), or download the full macOS installer app and use that instead. Full installers should normally be able to hook their new System volume up with an existing Data volume, but there’s always the risk that won’t work, so being able to migrate from a recent backup is important if you decide to use the full installer app.

The immediate benefit of this change in updaters is that you can now have complete confidence that at the end of the update your Mac’s System volume is perfect in every respect, exactly as Apple intended, and can’t be tampered with in any way. That’s a big step forward from the wobbly updaters of the past, and makes the System volume more like secure on-disk firmware.

10Comments

Add yours

1

Duncan on March 19, 2022 at 12:10 pm

“The updater’s tasks in Big Sur and Monterey are so much more complex than before that Apple has developed a completely different updater…”

Whew! That’s quite an elaborate process, and I’m really impressed that you, as a non-Apple-employee without internal resources, have been able to not only sleuth out all the steps on your own, but are also able to explain it to laypeople in such a concise and understandable way.

I know you’ve been building up all this knowledge over decades but it’s still quite something to see these types of articles where you put it all together!

LikeLiked by 1 person
- 2
  
  hoakley on March 19, 2022 at 8:59 pm
  
  Thank you.
  Howard.
  
  LikeLike
3

BenSar on March 19, 2022 at 12:28 pm

Perfectly put Duncan.

Thank you.

LikeLiked by 1 person
4

alvarnell on March 19, 2022 at 1:05 pm

An additional fact that I learned a couple of days ago. The system volume only comes into alignment with the seal during the act of an OS install or upgrade, at which point the contents basically match what are put into the snapshot.

Should something adjust the System volume contents after the update/install is performed, as an example, you end up with a broken seal on the System volume. So indication of a broken seal of the System volume after use should not be a concern.

LikeLiked by 1 person
- 5
  
  hoakley on March 19, 2022 at 9:03 pm
  
  Thank you. Yes, this caused momentary panic when it was first observed in Big Sur.
  I think the root cause is that, once the snapshot has been made, sealed and signed, the fie system changes the volume metadata. So you’re more likely to see the volume reported as having a broken seal. As that’s the volume, which you don’t actually boot from, it’s immaterial, of course.
  Howard.
  
  LikeLike
6

edjusted on March 22, 2022 at 1:21 am

Does this mean I don’t have to download the huge full installers any more and can rely on the Software Update delta updaters? I’ve gotten into the habit of using the “combo installers” for the past few years to “clear out the cruft”. It’ll be nice to save some time just using the deltas.

LikeLiked by 1 person
- 7
  
  hoakley on March 22, 2022 at 8:29 am
  
  Yes. I have been trying to get this across to readers since the early days of Big Sur. The SSV guarantees that the System volume is perfect down to the last bit, and exactly as Apple intended. The result of a full install and an update are therefore demonstrably identical and guaranteed on Macs with T2 or M1 chips. On pre-T2 Intel Macs, they’re not quite so thoroughly guaranteed, but still far more reliable and robust than any macOS before.
  Howard.
  
  LikeLike
  - 8
    
    edjusted on March 23, 2022 at 4:22 am
    
    🎉I’ve been slowly *not* doing a lot of maintenance and troubleshooting steps because of this. It’s a great feeling!
    
    LikeLiked by 1 person
    - 9
      
      hoakley on March 23, 2022 at 6:46 am
      
      Thank you.
      Howard.
      
      LikeLike
10

Understanding macOS Updaters | Macessence on March 29, 2022 at 10:01 am

[…] operating system. The process has become more secure and streamlined resulting in less problems. This article describes how the macOS update process has changed including macOS Big Sur and Monterey. It is a technical […]

LikeLike

Share this:

Related