Home > Mac administration, Mac OS X > Apple installer package certificate expiration

Apple installer package certificate expiration

On Friday, March 23rd at 1:26 PM Eastern Daylight Time, the certificate that Apple embedded in various Apple software installers expired.

Screen Shot 2012-03-24 at 1.48.34 PM

If you’re using Installer.app in Mac OS X’s GUI, you’ll get a warning about the certificate being invalid and asked if you want to install it anyway.

Screen Shot 2012-03-24 at 1.48.30 PM

However, the command line installer tool does not have the option of “certificate invalid, install anyway.” Instead, installations run with the installer tool will fail. This affects any systems management tool that uses Apple’s installer tool via the command line to install packages.

At this time, the best recommendation I have is to download new copies of the various Apple-provided installers that you need for your workflow. The new installers should include a new certificate that’s good until 2019.

Screen Shot 2012-03-24 at 1.46.24 PM

One installer in particular that you may want to re-download is the 10.7.3 installer from the Mac App Store, as the installer has a RemoteDesktop.pkg installer included that may have an expired certificate. Re-downloading the 10.7.3 installer from the MAS after Friday, March 23rd will give you a 10.7.3 installer that works properly.

Update: Greg Neagle’s checkPackageSignatures and flatpkgfixer scripts are extremely helpful here. checkPackageSignatures will help you find expired certificates in your packages and disk images. flatpkgfixer will help you with any software you can’t re-download by removing package signing either from single flat packages or from disk images that contain packages.

  1. Sylvain
    April 9, 2012 at 10:40 am


    I found a workaround for this. Change your system’s date setting to an earlier date and rerun the package installer. Disable automatic date/time sync in the system prefs to make sure it does not resync with Apple nntp servers.
    It proved to work for a MacOS 10.6.8 combo update package installer on my side.
    Good luck,

    • January 1, 2013 at 10:12 am

      Thanks Sylvain for posting the suggestion. This worked perfectly for me.

  2. Mark-Leon Thorne
    May 12, 2013 at 6:09 am

    Thanks so much for this. It really helped me out of a very frustrating situation.

  3. franck
    April 5, 2020 at 1:39 pm

    Elegant solution for following error :

    “The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.”

    More specifically the installer (in its log windows) complain about :

    “The package MacOSXUpdCombo10.6.8.pkg is untrusted”

    There is also a couple of error like this in the Main System Error Console :

    “PackageKit: Missing bundle path, skipping: ”

    This is all about the Root Apple certs expiration in March 2012 ( Aka. “Apple Package Apocalypse” )

    A workaround :

    In finder, open MacOSXUpdCombo10.6.8.dmg to mount disk image

    in terminal ,type the following 3 commands :

    > pkgutil –expand /Volumes/Mac\ OS\ X\ 10.6.8\ Update\ Combo/MacOSXUpdCombo10.6.8.pkg /tmp/MacOSXUpdCombo10.6.8.flat.pkg

    > pkgutil –flatten /tmp/MacOSXUpdCombo10.6.8.flat.pkg /tmp/MacOSXUpdCombo10.6.8.flat.fixed.pkg

    > open /tmp

    Back in finder (tmp folder), open MacOSXUpdCombo10.6.8.flat.fixed.pkg and finish the installation.

    This works because expanding and reflattening a flat package has a side-effect of removing the package signing.

    !Attention! /tmp folder will by wiped by next reboot.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: