10.7.4 command line installer tool can now install installer packages with expired certificates

One of the unpleasant surprises that popped up in March 2012 was that the certificate that Apple embedded in various Apple software installers expired. When using Installer.app, people started getting warnings about the certificate being invalid but were given the option of installing the package anyway.

However, the command line installer tool did not have the option of “certificate invalid, install anyway”. Instead, installations run with the installer tool failed when the installers were signed with expired certificates. This affected all scripts and system management tools that used Apple’s installer tool via the command line to install packages.

Fortunately, as part of the release of Mac OS X 10.7.4 in May 2012, Apple has now released a fix for this by including this new flag among installer‘s various functions.


-allowUntrusted
Allow install of a package signed by an untrusted (or expired) certificate.


The new function worked as advertised when I used it with installer to install an iLife ’11 installer which had expired certificates. Here’s the command I used (-dumplog and -verbose were also included to give me maximum logging to /var/log/install.log):


sudo installer -dumplog -verbose -allowUntrusted -pkg "path/to/iLife.pkg" -target /