{"id":743,"date":"2019-10-28T14:55:42","date_gmt":"2019-10-28T19:55:42","guid":{"rendered":"http:\/\/www.brunerd.com\/blog\/?p=743"},"modified":"2019-10-28T17:27:06","modified_gmt":"2019-10-28T22:27:06","slug":"time-to-die-when-mac-app-and-package-certificates-expire","status":"publish","type":"post","link":"https:\/\/www.brunerd.com\/blog\/2019\/10\/28\/time-to-die-when-mac-app-and-package-certificates-expire\/","title":{"rendered":"Time to Die: When Mac app and package certificates expire"},"content":{"rendered":"\n

So I had a Draft about this last week<\/em> but an usure feeling. I thought: “Do I really have anything to contribute? Folks are already aware of this.<\/a> What can I really add?” So, I let it slide, then Thurday came and there was a hiccup<\/a>: Apple hadn’t refreshed all their packages! Oh noes. Could this<\/em> have been something my script could have helped head off? No <\/strong>but<\/em> it might have made examining the packages Thursday afternoon a bit<\/em> easier. So with that, I present certChecker.command<\/a><\/strong><\/p>\n\n\n\n

I’d advise just copy pasting the raw script<\/a> into a new BBEdit<\/a> document and saving it as “certChecker.command<\/strong>“. The extension matters, BBEdit will set the executable bit and you won’t have to mess with cleaning off the com.apple.quaratine flag as you would if you downloaded it.<\/p>\n\n\n\n

\"\"
Not much of a looker at the command line but comes together nicely in Quick Look<\/figcaption><\/figure>\n\n\n\n

The need to find expired packages is critical if you use Jamf Pro to deploy your packages. macOS will throw an error if you try and install a pkg with an expired cert via the installer<\/code> command line tool. It will suggest you use the -allowUntrusted<\/code> flag, however this is not<\/em> an option with Jamf Pro. You either have to get a new resigned package or repack it<\/a>. Repacking is basically expanding the pacakge then flattening it again. This will strip out all<\/em> certs. repackPKGs.command<\/a><\/strong> is useful for when vendors have forgotten to issue new packages and you need a working package.<\/p>\n\n\n\n

Cert validation caveat: some packages can expire yet<\/em> remain valid! These are signed with \u201ctrusted time stamps” and Suspicious Package explains this quite well<\/a>. Their tool can better help you assess what a package will do when it’s expiration occurs. For certChecker.command<\/a><\/strong> I use pkgutil’s assesment for package files but for apps all we have is the the “not after” date.<\/p>\n\n\n\n

Speaking of apps: the Install macOS Mojave.app<\/strong> from the App Store<\/a> was giving me the \u201cdamaged\u201d message on Thursday around 1PM CST…<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The application certs were all VALID, my script said so, what gives? Doing a bit of sleuthing revealed InstallESD.dmg to be different between the two installers. I used find<\/code> to run a md5<\/code> on all the files in each installer and send the output to two files. Running find from inside<\/em> the apps keeps the base paths the same and allows for easy comparison with diff or XCode’s FileMerge (a favorite).<\/p>\n\n\n\n

#compare two apps in Terminal
cd <ye olde installer app>
find . -type f -exec md5 {} \\; | sort > ~\/Desktop\/YE_OLDE.txt
cd <new installer app>
find . -type f -exec md5 {} \\; | sort > ~\/Desktop\/NEWNESS.txt
cd ~\/Desktop
diff YE_OLDE.txt NEWNESS.txt<\/code><\/p>\n\n\n\n

\"\"
FileMerge inside XCode.app is a great visual diff’er<\/figcaption><\/figure>\n\n\n\n
\"\"
Turns out we have some stowaways in the old installer.<\/figcaption><\/figure>\n\n\n\n
\"\"
All is well, app cert and InstallESD packages are looking good.<\/figcaption><\/figure>\n\n\n\n

By ~3pm CST they’d gotten everything fixed and the packages inside were all good. Not since the great expiration of 2015<\/a>, have we had to care about expiring Apple packages. This time Apple has only pushed the app certs out 1 1\/2 years to April 12th, 2021. That’s not long! The packages inside<\/em> InstallESD.dmg are good however until April 14, 2029. Which one will win? Will we care (will we be able to roll back?) I’ll leave that as an exercise\/rhetorical question for someone else.<\/p>\n\n\n\n

In the meantime you might have other packages lurking in your distribution points that need updating or repacking<\/a>. If so give certChecker.command<\/a><\/strong> a whirl to ferret them out. I hope it saves you some time and effort <insert reference to Roy Batty and “tears in the rain here<\/a>” :><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

So I had a Draft about this last week but an usure feeling. I thought: “Do I really have anything to contribute? Folks are already aware of this. What can I really add?” So, I let it slide, then Thurday came and there was a hiccup: Apple hadn’t refreshed all their packages! Oh noes. Could […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4,5,12],"tags":[],"class_list":["post-743","post","type-post","status-publish","format-standard","hentry","category-apple","category-os-x","category-packages","category-scripting"],"_links":{"self":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/comments?post=743"}],"version-history":[{"count":10,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/743\/revisions"}],"predecessor-version":[{"id":778,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/743\/revisions\/778"}],"wp:attachment":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/media?parent=743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/categories?post=743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/tags?post=743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}