Certificate authority expiration and Apple software updates
A while back, there was an issue when the certificate Apple used to digitally sign installers expired. This issue was handled by Apple in a couple of ways:
- Reissuing installers signed with an updated certificate
- Adding the -allowUntrusted option to the installer command-line tool
In the past couple of weeks, Apple has released new versions of a number of updates, which are now available for download by folks running Apple’s Software Update service or third-party tools like Reposado. Most of these updates were for older OSs where Apple has since stopped providing new updates. When these updates were checked, there didn’t seem to be any difference between the “old” and “new” versions of the installers.
So why is Apple pushing new copies of the updates to Mac admins’ software update servers? The answer again appears to lie in the digital signing of the updates.
Unlike the previous episode, where the Software Update certificate used directly to sign the installers had expired, this change appears to affect the Apple Software Update Certification Authority. This is an intermediate certificate authority, which provides a way for the Software Update certificate to establish a chain of trust back to Apple’s root certificate authority. For older updates (those issued before 2013), the Apple Software Update Certification Authority certificate has an expiration date of Saturday, February 14th, 2015.
Once the Apple Software Update Certification Authority certificate expires, the chain of trust breaks for every certificate that relies on it. As a consequence, a Software Update certificate that was used to sign an installer and that chains to the expired Apple Software Update Certification Authority won’t be trusted, even though the Software Update certificate itself expires in 2019.
Apple is addressing this situation by re-signing and re-issuing updates, a process which will hopefully be completed before the Apple Software Update Certification Authority expiration date of 2-14-2015. It also appears that sometime in 2013, Apple started using a new Apple Software Update Certification Authority certificate when signing installers. This newer certificate authority has an expiration date of 10-24-2019.
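The broken chain of trust described above can be reproduced with a throwaway certificate chain. This is an added example, not from the original post or from Apple: every key, certificate name, file name and lifetime (a 1-day intermediate between a 10-year root and a 10-year leaf) is constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is constructed.
# Requires the openssl command-line tool.

# build_chain DIR: root CA (10 years) -> intermediate CA (1 day) -> leaf (10 years).
build_chain() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  for n in root int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null || return 1
  done
  # Self-signed root CA, standing in for the root of trust.
  openssl req -x509 -new -key "$d/root.key" -config "$d/demo.cnf" -extensions v3_ca \
    -subj "/CN=Constructed Root CA" -days 3650 -out "$d/root.pem" 2>/dev/null || return 1
  for n in int leaf; do
    openssl req -new -key "$d/$n.key" -config "$d/demo.cnf" -subj "/CN=Constructed $n" \
      -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Intermediate CA signed by the root, deliberately short-lived (1 day).
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/demo.cnf" -extensions v3_ca -days 1 -out "$d/int.pem" 2>/dev/null || return 1
  # Leaf (signing) certificate issued by the intermediate, valid for 10 years.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 3650 -out "$d/leaf.pem" 2>/dev/null
}

# chain_trusted_at DIR EPOCH: exit 0 only if the leaf verifies at that point in time.
chain_trusted_at() {
  openssl verify -attime "$2" -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Demo: same leaf, checked today and two days from now.
demo=$(mktemp -d) && build_chain "$demo" && now=$(date +%s) || exit 1
chain_trusted_at "$demo" "$now" && echo "today: chain trusted"
chain_trusted_at "$demo" $((now + 2 * 86400)) || echo "in 2 days: chain untrusted"
openssl x509 -in "$demo/leaf.pem" -noout -checkend $((2 * 86400)) >/dev/null \
  && echo "in 2 days: leaf certificate itself has not expired"
rm -rf "$demo"
```

Running openssl verify by hand with the same arguments shows the failure reported at depth 1, the intermediate, rather than at the leaf.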