Explainer: macOS updaters

Updating macOS used to be much like updating any other software, with some added twists to challenge the engineers. Most obvious among those is how to do this while running macOS. When all Macs supported removable media such as optical disks, one straightforward solution was to boot from that. Now that the average Mac has only fixed internal storage, the solution lies in booting from a disk image provided within the update.

The next hurdle for macOS updaters is the requirement to install any firmware update at the same time, introduced in 2015 when Apple stopped providing standalone firmware installers. Although fairly straightforward on Intel Macs without a T2 chip, on T2 Macs this adds a sequence in which the whole Intel side of the Mac is shut down so that the T2's own firmware can be installed, still a chilling experience during which the computer plays dead.

Up to and including macOS Catalina, all the updater really had to do was replace all updated files in the system, then boot the Mac from that updated system. As this can be readily performed by an Installer package, Apple provided users with the option of updating online through the Software Update pane (or its command line equivalent softwareupdate), or downloading a standalone package to use offline. For the convenience of users, Apple provided two types of standalone package: a Delta update to go from the immediately previous version of macOS to the next, and a Combo update with all changes since the initial public release of that major version of macOS.

The only problems encountered with this practice were failed and faulty updates, and the eventual expiry of the certificates used to sign standalone Installer packages, after which an old package refuses to install.

Prior to Big Sur, macOS didn't perform any integrity check over its system files as a whole. Once a copy of the system had been updated, the installer had no means of verifying that the result was what Apple intended. Errors were not uncommon, sometimes leaving system files not updated at all, or damaged or corrupted. Users were only too familiar with the problems these caused, and with the remedies: installing the Combo update, or a full re-install of macOS.

Catalina took a small step in the right direction by mounting the System volume read-only, which gave some protection against damage or corruption of system files after they had been updated. But it did nothing to address problems occurring during updating. For that, we had to wait for Big Sur.

The updater’s tasks in Big Sur and Monterey are so much more complex than before that Apple has developed a completely different updater. In essence, this now:

  • boots the Mac from a custom minimal macOS system,
  • performs any firmware updates as before, with the addition of M1 firmware,
  • updates the contents of the System volume,
  • builds a tree of cryptographic hashes to include all files on the System volume,
  • takes the top-level hash (the Seal) and checks it against the value Apple has signed for that version of macOS, which it must match exactly,
  • makes a snapshot of the signed and sealed System volume to form the boot System volume,
  • boots the Mac from the updated system and performs any configuration and clean-up.
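The hash tree and Seal steps above are the heart of the new updater, so here is a miniature model of them, written for this explainer and not Apple's own tool or format. It hashes every file, symlink and directory of a constructed "System volume" into a tree whose root hash stands in for the Seal, then checks that root against the value the vendor would have signed. The real sealed system volume works at the APFS metadata level and its Seal is signed by Apple; this example simplifies that to a file-level tree and a known expected hex string, both assumptions for illustration. It also goes a little beyond the text by showing what the check catches: a same-length change to one file, and a changed symlink target.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_hash(path: Path) -> bytes:
    """Hash file contents in chunks, so a large cache file need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def dir_hash(path: Path) -> bytes:
    """Hash of a directory = hash over its sorted entries (kind, name, child hash).
    Sorting makes the result independent of on-disk order; the kind byte stops a
    file being swapped for a directory or symlink of the same name. Symlinks are
    checked first because Path.is_dir() follows them."""
    h = hashlib.sha256()
    for entry in sorted(path.iterdir(), key=lambda p: p.name):
        if entry.is_symlink():
            kind, child = b"L", hashlib.sha256(os.readlink(entry).encode()).digest()
        elif entry.is_dir():
            kind, child = b"D", dir_hash(entry)
        else:
            kind, child = b"F", file_hash(entry)
        h.update(kind + entry.name.encode() + b"\0" + child)
    return h.digest()


def seal(root: Path) -> str:
    """Top-level hash of the whole tree: the stand-in for the Seal."""
    return dir_hash(root).hex()


def verify(root: Path, expected_seal: str) -> bool:
    """Rebuild the tree and compare with the expected (vendor-signed) Seal."""
    return hmac.compare_digest(seal(root), expected_seal)


def build_volume(root: Path, framework: bytes) -> None:
    """Constructed miniature 'System volume' for the demonstration (not real content)."""
    fw = root / "Library" / "Frameworks"
    fw.mkdir(parents=True)
    (fw / "Foundation.bin").write_bytes(framework)
    (root / "Library" / "dyld").mkdir()
    (root / "Library" / "dyld" / "shared_cache").write_bytes(bytes(range(256)) * 16)
    (root / "bin").mkdir()
    os.symlink("../Library/Frameworks/Foundation.bin", root / "bin" / "foundation")


def demo() -> dict:
    """Seal a volume, then show which later changes break the seal."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "System"
        build_volume(root, b"framework build 1")
        expected = seal(root)                      # the value the vendor would sign
        results["clean"] = verify(root, expected)

        twin = Path(tmp) / "System-2"              # same content elsewhere: same Seal
        build_volume(twin, b"framework build 1")
        results["deterministic"] = seal(twin) == expected

        target = root / "Library" / "Frameworks" / "Foundation.bin"
        target.write_bytes(b"framework build 2")   # same length, one file changed
        results["tampered"] = verify(root, expected)

        target.write_bytes(b"framework build 1")   # put the original bytes back
        results["restored"] = verify(root, expected)

        link = root / "bin" / "foundation"
        link.unlink()
        os.symlink("../Library/dyld/shared_cache", link)   # only a link target changed
        results["link_changed"] = verify(root, expected)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} seal {'matches' if ok else 'BROKEN'}")
```

Because the root depends on every leaf, a single changed byte anywhere on the volume changes the Seal, which is why the updater can refuse to boot a system whose Seal doesn't match the signed value rather than discovering the damage later.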

In addition, Big Sur and later use huge cache files (the dyld shared cache) for the active contents of the code in Frameworks and Private Frameworks, assembled in /System/Library/dyld. As those frameworks usually change extensively in macOS updates, and any change rebuilds the caches, one of the big challenges for updaters is minimising the size of updates.

To accomplish this, the update takes three phases: download, preparation, and installation. The second of those, run by the Update Brain Service com.apple.MobileSoftwareUpdate.UpdateBrainService, assembles all the components required, verifies them, decompresses data and readies it for the final phase.

Building the hash tree and checking it against Apple's master value uses tools which aren't made available separately, and I suspect Apple sees it as a security advantage that they're buried in the update, where they're far more difficult to extract or exploit. However, it takes much more than an Installer package to update Big Sur and Monterey. Apple therefore doesn't provide any standalone updater equivalent to the Delta or Combo updates of the past, although there's no engineering reason a Delta installer app couldn't be introduced.

From the initial release of Big Sur onwards, users have only two choices for updating macOS: they can perform an online Delta update using Software Update (or softwareupdate), or download the full macOS installer app (which softwareupdate can also fetch, using its --fetch-full-installer option) and use that instead. Full installers should normally be able to pair their new System volume with an existing Data volume, but there's always the risk that won't work, so being able to migrate from a recent backup is important if you decide to use the full installer app.

The immediate benefit of this change in updaters is that you can now have complete confidence that at the end of the update your Mac's System volume is exactly as Apple intended, and that any later alteration to it breaks the seal and is detected rather than persisting silently; diskutil apfs list reports the result as Sealed: Yes or Sealed: Broken. That's a big step forward from the wobbly updaters of the past, and makes the System volume behave more like firmware held in secure storage.