This page is a wiki. Please login or create an account to begin editing.


25 posts / 0 new
Last post
SkyCapt's picture
Offline
Joined: 2017 Jan 11
Snow Leo Software Update pkg "certificate expiration"

I'm new to Snow Leo (OSX 10.6) and I just found out pkg updaters from Apple began coming with expiration dates called certificate. This is why most of the updates I've downloaded do not install. How do I install pkgs which have expired? Does rewinding the clock do the trick? Is there a more solid method than tampering with my clock?

Packages made in the Leopard era, before Snow Leopard, do not have these certificates, but, Apple managed to imbue knowledge of certificates into 10.5.8's Installer software.

For example, QuickTime 7.7 pkg for Leo was created in the Snow Leo era. I have a pkg that is different than the one already been on garden for a while. Using Leopard 10.5.8 on PPC, in which I've never before seen certificates, the pkg garden possesses puts a clickable gadget in the top right corner of Installer. Clicking it shows the Certificate. Garden's file was made on July 15 2011 and it expired on March 23 2012. Leopard doesn't enforce the expiration date, so it doesn't seem to matter - I can install expired pkgs using Leo.

But the file for Leo QT 7.7 which I managed to personally archive has a different date, different size, different checksum, and seemingly all because of a different Certificate expiration date. Apple reissued this file on March 13 2012 in preparation of its impending expiration, and, its updated expiration became October 24 2019 - also expired. Since the pkg is Leopard only and Leopard doesn't enforce expiration dates, why bother? Does garden need both these QT7.7 files? Is there a third newer file which hasn't expired yet?

Comments

24bit's picture
Offline
Joined: 2010 Nov 19

Thanks for sharing your findings!
Did run into the same issue when trying to upgrade Snow Leo to 10.6.8 with an old combo update stored locally. Downloading a fresh 10.6.8 combo update did solve that for now, but for how long shall we be allowed to use the old updaters?

MikeTomTom's picture
Offline
Joined: 2009 Dec 7

Shoot. I think that's just plain evil.

SkyCapt's picture
Offline
Joined: 2017 Jan 11

Best evidence in favor of having spotted evil - when attempting on SL to install an expired package, it withholds stating why. All it says is "an error occurred" and I barely connected the reason to that tiny button in the window corner nearly overlooked.

sfp1954's picture
Offline
Joined: 2013 Dec 29

Burn a DVD from a dmg. I find I have use DVDs for both Snow Leopard and Lion.

SkyCapt's picture
Offline
Joined: 2017 Jan 11

But when was the last time you tried your SL disc stored updates? October 24 2019 expiration date wasn't long ago. I've been looking and found tons of Apple SL updates were together clocked to expire at the same time 10/24/2019. There's some with older and newer expiration dates than that.

Protocol 7's picture
Offline
Joined: 2010 Aug 7

IIRC using pkgutil to expand and then flatten the pkg files will strip them of the certificates. I think the installer will happily install unsigned packages, just not ones with expired certs.

SkyCapt's picture
Offline
Joined: 2017 Jan 11

Right you are, tried that, it removes that record of certificate/expiry from our SL Installer pkgs.

SkyCapt's picture
Offline
Joined: 2017 Jan 11

Anybody know SL's highest versions of things?

Highest...

Safari
Java
Security Update

sfp1954's picture
Offline
Joined: 2013 Dec 29

10.6.8

https://macintoshgarden.org/sites/macintoshgarden.org/files/apps/MacOSXU...

Don't the auto updates still work? I used them recently.

SkyCapt's picture
Offline
Joined: 2017 Jan 11

Your link immediately begins downloading the 1.0 GB big 10.6.8 Updater. If it's the same one as on the page with SL Install DVDs then it checked good and doesn't "expire" until 2029. It is however missing the debut 10.6.8 datestamp which is 2011/07/22 . I have the "original" 2011 dmg and its pkg expired on March 23, 2012 same exp date as the oldest QT 7.7 (for Leopard not SL). I just made (if only for myself) the 2011 10.6.8 pkg file stripped of its expiry cert, using the method described above. Contents are still an exact match with your file.

Auto update? I don't know, don't use. My Macs aren't connected to internet. I do all my internet and gardening via an Android tablet, and apple.com treats me bad.

Protocol 7's picture
Offline
Joined: 2010 Aug 7

Here's what I have in my updates folder along with the 10.6.8 combo update:

iTunes11.4.dmg
JavaForMacOSX10.6update17.dmg
Safari5.1.10SnowLeopardManual.dmg
SecUpd2013-004.dmg

SkyCapt's picture
Offline
Joined: 2017 Jan 11

Great, it helps to know What to search for.
Found all SL updates on this one page :

https://archive.org/details/10.6.7-10j3250-disk-images

Has all the updater files for 10.6.8 client, including

AirPort 5.6.1
App-Store
Migration Assistant 1.1
Remote Desktop 3.5.4

This set of SL final updates was uploaded only one month ago.
They have "valid" certificates not about to expire
until "Saturday" April 14 2029 .

SolarstrikeVG's picture
Offline
Joined: 2019 Nov 1

Slightly unrelated but I also found out El Capitan's installer is also timebombed with its packages, which expired at some point after May 2019.

adespoton's picture
Offline
Joined: 2015 Feb 15

My solution has been to turn the time back during installation, then move it forwards again for updates.

sfp1954's picture
Offline
Joined: 2013 Dec 29

They are all available online. I find the safest thing is to download them as needed to the actual target machine so that you get the most current version.

https://support.apple.com/en-us/HT211683

SkyCapt's picture
Offline
Joined: 2017 Jan 11

By request,
Here is,
more specific how to convert a "locked" update to an unlocked package, useable any time any place.

OS X 10.5 and higher, PPC and Intel, in the Terminal >
let's say you want to unlock "filename.pkg", you know the pkg contains a "certificate" because of the tiny icon in the window title bar top right when attempting to launch the pkg.

pkgutil --expand filename.pkg filename_temporary
pkgutil --flatten filename_temporary filename-unlocked.pkg

You could then once again 'expand' the original pkg to a tempx named file, and expand your new unlocked pkg to a tempy named file, and compare with the Terminal command "diff -r tempx tempy" to ensure zero file transfer corruption happened prior to archiving this now unlocked version of some Installer.

If you don't already know, you need to learn how to drag desktop file and folder icons onto the Terminal window instead of typing long pathnames. And filenames without paths by default go in your "home" directory, until you "cd " (change directory) to some other folder's name.

I'm installing iTunes 11.4.0 in Snow Leopard now, downloaded iTunes 11.4.0 from the garden iTunes page's link to a big collection sporting checksums. Pkg expired October 24 2019 and now won't install (until tricked out as described in this post). The turning point was around late 2010 when Snow Leopard had matured and Lion was about to be released. Apple then began releasing expiration dated packages. Snow Leopard was already programmed to reject expired pkgs, Leopard 10.5 was made aware and can show you expiration dates by clicking the cert icon but 10.5 doesn't act toward rejecting any.

adespoton's picture
Offline
Joined: 2015 Feb 15

Hmm... I might just write up a little Platypus droplet app (PPC+x86) to strip certificates.. That way people can store the original installers and then easily use them post-strip without turning back the clock.

Thoughts?

MikeTomTom's picture
Offline
Joined: 2009 Dec 7

Yes please.

adespoton's picture
Offline
Joined: 2015 Feb 15

Here's a rough hack:
https://github.com/adespoton/pkgcertstrip/blob/main/StripPkgCert.zip?raw...

MikeTomTom's picture
Offline
Joined: 2009 Dec 7

Thanks for that. It doesn't seem to like my MackBook Pro (running SL 10.6.8)

StripPkgCert error message
(click to view)

I'd dragged the pkg over onto the StripPkgCert icon to launch it and got the above error. Then I tried double clicking the app to try and launch it but, both attempts resulted in the same error.
I have the crash logs, if they may help.

Protocol 7's picture
Offline
Joined: 2010 Aug 7

Here's a batch script option. Save the contents between the dotted lines to a file called stripcert.command (or anything you like, just with a .command extension). You may need to open the Terminal and make the file executable by typing "chmod +x" (without the quotes), dragging the file into the window and hitting enter.

Now put it in a folder with the pkg files you want to remove the certs from. Double-click it to run and it will create a subfolder called NoCerts with the cert-less pkg files.

---------------------------------------------------
#!/bin/bash -e
BASEDIR=`dirname "$0"`
cd "$BASEDIR"
clear
mkdir NoCerts
for d in *.pkg
do
echo "Processing $d..."
echo "Unpacking installer..."
pkgutil --expand "$d" nocerts.tmp
echo "Repacking installer..."
PKGNAME=`basename "$d" .pkg`
pkgutil --flatten nocerts.tmp NoCerts/"$PKGNAME (No Cert)".pkg
echo "Deleting temporary files..."
rm -rf nocerts.tmp
done
echo "All done!"
---------------------------------------------------

MikeTomTom's picture
Offline
Joined: 2009 Dec 7

@Protocol 7: Thank you for this script. This works very nicely.
I appreciate the batch aspect.

adespoton's picture
Offline
Joined: 2015 Feb 15

I suspect I know what's going on there. Oddly, it didn't do it on my 10.6.8 machine when I tested.

I'll build a new version sometime this week with a fix. Meanwhile, the shell script is essentially the same thing without the (currently broken) GUI.

MikeTomTom's picture
Offline
Joined: 2009 Dec 7

Thanks for this, SkyCapt.