Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Fixing packages with expired signatures - heads up!

Posted: 3/25/12 at 6:07 AM by Cem

Just seen this (see link) and I thought I'd give you all a heads up...
It's about expired certs in Apple flat packages and how to fix.
Thanks Greg!


Posted: 3/25/12 at 1:08 PM by acdesigntech

I'll be scanning my CasperShare first thing Monday morning...


Posted: 3/25/12 at 7:42 PM by donmontalvo

Yep, us too...not only the CasperShare, but I sent out an email blast to alert all the techs and support staff to purge old Apple PKG installers and replace with new ones.

This really underscores the lack of management oversight over at Apple. I wonder if (I hope) Apple will come to terms with the need for an enterprise guru. Someone like Ed Marzack, Greg Neagle, etc...

[EDIT] Does anyone know how this may impact our OS installers (which contain bunches of PKG installers)? :)


Posted: 3/25/12 at 8:19 PM by acdesigntech

It's also going to affect ASUS --

WTF Apple... it's REALLY time to start taking the enterprise seriously... I really wish I had come across this Friday AM, could've at least re-synced our SUS's over the weekend. As it is we're going to have to do this tomorrow evening...

At the very least we aren't using TOO many Apple pkgs via Casper. Most are home-brewed.

BTW, Thanks for the heads up about this, Cem!


Posted: 3/26/12 at 12:30 PM by donmontalvo

From the MacEnterprise list:

Date: Mon, 26 Mar 2012 09:40:58 +1100
From: XXXXXXXXX
Subject: Re: Mac OS X Server: Software Update Certificate expires tomorrow!

My 10.6 server (with fixes for Lion updates) has seemed to copy all the updated updates without me needing to go through the process of removal of the previous updates.

All the updated updates are not dated with the same date and are dated in groups from 16 March through 23 March. I did see a spike of downloads on the 23rd March, but only about 9GB or so, certainly not the 19GB that would happen if I'd emptied the html folder and started the download process from scratch.

I have tested it since and the updates install fine on a freshly DeployStudio restored machine running the SoftwareUpdates on first boot in the finalize script.

Has anyone else experienced this same behaviour (of not having to dump your SUS cache)?

Charlie

Posted: 3/26/12 at 12:50 PM by Cem

Yes, I have seen some logs that some Macs ran updates successfully. Also seen a few have failed. So I have decided to do purging and redownloading...

I will also run Greg's fix script on CasperShares.


Posted: 3/26/12 at 3:47 PM by Cem

I seem to having problem running the It just hangs there very very long time and nothing else happens…

/Volumes/CasperShare/Packages/10.6.4 Vanilla.dmg:
Could not open package: /private/tmp/dmg.09cnHX/Library/Receipts/BSD.pkg

am I doing something wrong? or it just doesn’t like the BSD.pkg?


Posted: 3/26/12 at 4:06 PM by bentoms

Took me a while on BSD too. Just left it running & went for lunch.


Posted: 3/26/12 at 4:15 PM by Cem

oh ! cheers Ben!


Posted: 3/26/12 at 4:45 PM by mm2270

Heh, I'm also seeing that a bunch of updates downloaded from Apple on 3/20 and 3/21, but nothing after that. Just tried the 10.7.3 combo on a machine that doesn't have it installed and Software Update is allowing it to download without complaints, so it seems at least some of them have fixed themselves. Still, it's definitely not everything, so we'll have to see what's now missing. I almost wonder if it would just be cleaner/safer to clear out the html folder and start fresh.


Posted: 3/26/12 at 4:45 PM by Cem

I will run it overnight, as I have quite a few OS DMGs.


Posted: 3/26/12 at 4:53 PM by Cem

@mm2270: that's what I have done and all looks good so far. Only annoying part was some of the packages didn't remember being enabled. So I had to take the screen grabs to compare, before I proceeded.


Posted: 3/26/12 at 4:56 PM by nkalister

FYI- There are 2 packages with the expired certificate in the InstallESD.dmg file from the app store as of 1pm PST this afternoon . . . so make sure to fix your OS install, too! Took me a bit to figure out why imaging was suddenly broken this morning, but the expired certificate was the culprit.


Posted: 3/26/12 at 4:58 PM by bentoms

Just about to post the same info!


Posted: 3/26/12 at 5:12 PM by Cem

what are packages? also could you confirm it was 10.7.3?


Posted: 3/26/12 at 5:14 PM by bentoms

RemoteDesktop.pkg & SIUResources.pkg

Downloaded 10.7 install from app store this evening.


Posted: 3/26/12 at 5:17 PM by Cem

I will keep my eyes peeled for these...


Posted: 3/26/12 at 5:24 PM by nkalister

yup, like ben said, it's remote desktop and SIU resources, and this is definitely the current 10.7.3 InstallESD.dmg file downloaded from the app store on 3/26/2012
The error that was showing in install.log before I ran Greg's script on the InstallESD.dmg file was:

Mar 26 12:33:08 nbkali-mba installer[22366]: Failed install preflight: Error Domain=PKInstallErrorDomain Code=102 "The package “RemoteDesktop.pkg” is untrusted." UserInfo=0x7fe16387b140 {NSLocalizedDescription=The package “RemoteDesktop.pkg” is untrusted., NSURL=RemoteDesktop.pkg -- file://localhost/Volumes/Mac%20OS%20X%20Install%20ESD/Packages/OSInstall.mpkg,, NSUnderlyingError=0x7fe1638a7fc0 "The operation couldn’t be completed. CSSMERR_TP_CERT_EXPIRED"}

Posted: 3/26/12 at 5:28 PM by Cem

Apple got to sort out this mess... it's not just usual Enterprise ignorance, it's also consumer level!!!??


Posted: 3/26/12 at 6:27 PM by donmontalvo

That this affects consumers might just be the ticket for Apple to fix this issue...if it only affected enterprise I'm sure they'd just blow it off.



Posted: 4/2/12 at 9:01 AM by heathjw

So I understand the ramifications for SUS. What about our CasperShares? Are we going to have to re-download and replace those pre-packaged pkgs that we got from Apple? We don't have many, I just want to clarify what action is required to keep things running smoothly.

Posted: 4/2/12 at 10:08 AM by gregneagle

Yes, you'll need to replace or fix any packages in your CasperShares that have expired signatures if you want to be able to continue using Casper to install them.

Posted: 4/11/12 at 12:59 PM by jonscott

Thanks for the helpful info, one and all! Especially Greg for those tools.

Unfortunately, I seem to have trouble with a couple older monolithic images still in use. (Yes, I'm trying to revamp imaging here, but it's a slooow work in progress...)

When Greg's 'checkPackageSignatures' scans my repository, it does throw those BSD.pkg errors similar to
Could not open package: /private/tmp/dmg.fhUwhJ/Library/Receipts/BSD.pkg

For most, I know I can ignore that. But for some older monolithic images still in use, in addition to the BSD.pkg error above, I still get various "Package X signed by a cert that has since expired" messages as well.

So... this doesn't make sense to me. But pushing one of those images via Casper results in a machine that kernel panics every time I try to boot (plus 2+ hours to finish imaging). Any ideas? Running the flatpkgfixer script on the image throws errors too.

Is anyone else having trouble imaging with existing OS images built with "bad" packages? As I said, it doesn't make sense to me, so if anyone can explain I'll appreciate it! This is a monolithic image built on one machine and uploaded to Casper. It's big (read 100gb) but has worked fine enough so far. No one has imaged with it since before the Package Apocalypse until I tested it this week.

If we do need to rebuild these from scratch, it'll be a good excuse to move to a more modular style...


Posted: 4/11/12 at 1:07 PM by jonscott

I just realized my imaging problem may be related to the hardware I'm restoring to, regardless of the feedback I see from the PA scripts...

Will try pushing this image to newer hardware soon...

Posted: 1/21/16 at 2:02 PM by mthakur

For anyone keeping track, the following pkg from Apple also has an expired certificate:
Thunderbolt Firmware Update v1.2
Post Date: May 9, 2013
File Size: 1.22 MB

$ pkgutil --check-signature ThunderboltFirmwareUpdate.pkg
Package "ThunderboltFirmwareUpdate.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
$

The workaround is to simply expand and then flatten the package, which has the effect of stripping the (expired) certificate from the pkg:

$ pkgutil --expand ThunderboltFirmwareUpdate.pkg /tmp/thunderbolt.pkg
$ pkgutil --flatten /tmp/thunderbolt.pkg ThunderboltFirmwareUpdate.nocert.pkg

(Obviously, you can use whatever name you wish for the newly flattened pkg.)

Now, the new package doesn't have any certificate at all and can be installed as usual:

$ pkgutil --check-signature ThunderboltFirmwareUpdate.nocert.pkg
Package "ThunderboltFirmwareUpdate.nocert.pkg":
   Status: no signature
$

Posted: 4/4/17 at 10:29 AM by McGinn

the pkgutil expand/flatten commands did the trick for me. Thanks @mthakur !
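
Added example, not part of any post in this thread: a wrapper around the expand/flatten workaround from mthakur's post that strips the signature only when pkgutil reports it as expired and the chain ends at the Apple Root CA fingerprint quoted there, since the re-flattened package carries no signature at all. The function names are hypothetical, and the parsing assumes the pkgutil output layout shown in that post.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.
# Assumes the `pkgutil --check-signature` output layout shown in the post above.

# Apple Root CA SHA1 fingerprint as quoted in mthakur's post.
APPLE_ROOT_SHA1="61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60"

# Classify a signature report read from stdin: expired | unsigned | signed | unknown
sig_status() {
    line=$(grep -m1 'Status:' || true)
    case "$line" in
        *"has since expired"*) echo expired ;;
        *"no signature"*)      echo unsigned ;;
        *"Status: signed"*)    echo signed ;;
        *)                     echo unknown ;;
    esac
}

# Print the fingerprint of the last certificate in the chain (the root).
root_fingerprint() {
    grep 'SHA1 fingerprint:' | tail -n 1 | sed 's/.*fingerprint: *//; s/ *$//'
}

# Re-flatten IN ($1) to OUT ($2) only if IN is Apple-rooted and merely expired.
strip_expired_signature() {
    report=$(pkgutil --check-signature "$1" 2>&1 || true)
    if [ "$(printf '%s\n' "$report" | sig_status)" != expired ]; then
        echo "skip, not an expired signature: $1"; return 0
    fi
    if [ "$(printf '%s\n' "$report" | root_fingerprint)" != "$APPLE_ROOT_SHA1" ]; then
        echo "refuse, chain does not end at the expected root: $1" >&2; return 1
    fi
    shasum -a 256 "$1"                 # log the original's hash for the audit trail
    work=$(mktemp -d) || return 1
    if pkgutil --expand "$1" "$work/expanded" \
        && pkgutil --flatten "$work/expanded" "$2"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Usage: ./strip_expired.sh in.pkg out.pkg
if [ $# -eq 2 ]; then
    strip_expired_signature "$1" "$2"
fi
```

Keeping the logged SHA-256 of the original next to the re-flattened copy gives later audits something to compare against once the package no longer has a signature.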