
Certificate authority expiration and Apple software updates

A while back, there was an issue when the certificate Apple used to digitally sign installers expired. This issue was handled by Apple in a couple of ways:

  1. Reissuing installers signed with an updated certificate
  2. Adding the -allowUntrusted option to the installer command line tool

In the past couple of weeks, Apple has released new versions of a number of updates, which are now available for download by folks running Apple’s Software Update service or third-party tools like Reposado. Most of these updates were for older OSs where Apple has since stopped providing new updates. When these updates were checked, there didn’t seem to be any difference between the “old” and “new” versions of the installers.

So why is Apple pushing new copies of the updates to Mac admins’ software update servers? The answer appears to be again in the digital signing of the updates. For more details, see below the jump.

Unlike the previous episode, where the Software Update certificate directly associated with signing the installers had expired, this change appears to affect the Apple Software Update Certification Authority. This is an intermediate certificate authority, which provides a way for the Software Update certificate to establish a chain of trust back to Apple’s root certificate authority. For older updates (those issued before 2013), the Apple Software Update Certification Authority certificate has an expiration date of Saturday, February 14th, 2015.

[Screenshot: Screen Shot 2015-02-10 at 7.11.06 AM]

Once the Apple Software Update Certification Authority certificate expires, that breaks the chain of trust for every certificate that relies on it. As a consequence, an installer signed with a Software Update certificate issued by the expired Apple Software Update Certification Authority won’t be trusted, even though the Software Update certificate itself doesn’t expire until 2019.

[Screenshot: Screen Shot 2015-02-10 at 8.05.38 AM]

Apple is addressing this situation by re-signing and re-issuing updates, a process which will hopefully be completed before the Apple Software Update Certification Authority expiration date of 2-14-2015. It also appears that sometime in 2013, Apple started using a new Apple Software Update Certification Authority certificate authority when signing installers. This newer certificate authority has an expiration date of 10-24-2019.

[Screenshot: Screen Shot 2015-02-10 at 7.26.04 AM]
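The chain-of-trust failure described above, as an added example that is not from the post: a Go program (standard library only) that mints its own root, an old intermediate expiring 2015-02-14, a newer intermediate expiring 2019-10-24, and a leaf "Software Update" certificate under each that is valid until 2019-10-24, then runs full path validation at the dates that matter. Only the expiration dates come from the post and its comments; every name, key and serial number is constructed for the example and none of it is Apple's PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // constructed serials; every certificate here is made up for the example

func mustDate(s string) time.Time { // YYYY-MM-DD as midnight UTC
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// issue mints a certificate for cn with the given validity window; a nil parent means a self-signed root.
func issue(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning} // the leaf plays the "Software Update" signer
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type Chain struct{ Leaf, Intermediate, Root *x509.Certificate }

// Verify runs full path validation as of `at`: signatures, basic constraints and, crucially,
// the validity window of every certificate on the path, not just the leaf's.
func (c Chain) Verify(at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildChains mirrors the post: one root; an old intermediate expiring 2015-02-14 and a newer
// one expiring 2019-10-24; under each, a leaf that is itself valid until 2019-10-24.
func BuildChains() (old, newer Chain) {
	root, rootKey := issue("Example Root CA", mustDate("2006-01-01"), mustDate("2035-01-01"), true, nil, nil)
	oldCA, oldKey := issue("Example SU CA (pre-2013)", mustDate("2006-01-01"), mustDate("2015-02-14"), true, root, rootKey)
	newCA, newKey := issue("Example SU CA (2013)", mustDate("2013-01-01"), mustDate("2019-10-24"), true, root, rootKey)
	oldLeaf, _ := issue("Example Software Update", mustDate("2012-01-01"), mustDate("2019-10-24"), false, oldCA, oldKey)
	newLeaf, _ := issue("Example Software Update", mustDate("2013-06-01"), mustDate("2019-10-24"), false, newCA, newKey)
	return Chain{oldLeaf, oldCA, root}, Chain{newLeaf, newCA, root}
}

// Results verifies both chains at the dates that matter and reports whether each passes.
func Results() map[string]bool {
	old, newer := BuildChains()
	return map[string]bool{
		"old chain on 2015-02-10": old.Verify(mustDate("2015-02-10")) == nil,   // intermediate still valid
		"old chain on 2015-02-15": old.Verify(mustDate("2015-02-15")) == nil,   // intermediate expired, leaf is not
		"new chain on 2015-02-15": newer.Verify(mustDate("2015-02-15")) == nil, // re-signed under the 2013 intermediate
		"new chain on 2019-10-25": newer.Verify(mustDate("2019-10-25")) == nil, // leaf and intermediate both expired
	}
}

func main() { fmt.Println(Results()) }
```

Only the first and third cases verify. The second case is the situation in the post: the leaf is inside its own validity window, but crypto/x509 checks every certificate on the path against the verification time independently, so the expired intermediate leaves the leaf with no route to the root. The fourth case is the point raised later in the comments: once the 2013 intermediate and the leaf both reach October 24, 2019, the re-signed packages stop verifying as well.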

  1. Carlo
    February 15, 2015 at 9:25 pm

    Hello Rich, many thanks for sharing your knowledge here!!!
    I was wondering if what now happens to my cascading SUS may be somehow related to this subject
    I have some cascading 10.6.8 SUS pointing to a 10.9 central SUS and everything used to work perfectly (having modified swupd.conf and swupd.plist so that I can have 10.7-10.8-10.9 updates being served to local clients from the 10.6.8 SUS)
    Now it seems that all recent “old” updates Apple re-released can’t be passed to the cascading servers
    They all appear with the usual (old style) “grey dot + exclamation mark” as if they were not downloaded (and in fact they were not!), catalogs seem fine but they don’t seem to be available on the central repository.
    All the other recent updates – including “XprotectPlistConfigData” released 02/12/15 and “Gatekeeper Configuration Data” released 02/11/15 are correctly downloaded
    The issue seems limited to the “old” updates re-released on Feb 9th and 10th

    Sun Feb 15 22:06:18 mycascadingSUS.com swupd_syncd[21280] : *** The suspect product file will not be downloaded.
    Sun Feb 15 22:06:18 mycascadingSUS.com swupd_syncd[21280] : *** Product file URL contains possible security violation.
    Sun Feb 15 22:06:18 mycascadingSUS.com swupd_syncd[21280] : *** Product ID: “031-11577”; file URL: “http://myMasterSUS.com:8088/content/downloads/34/23/031-11577/yjhkuzz0vas39cc491pwyk1ekrwcccfmsn/MacBookEFIUpdate.dst/031-11577.Spanish.dist”
    Sun Feb 15 22:06:18 mycascadingSUS.com swupd_syncd[21280] : *** Reason: file download path cannot be reached / does not exist.
    Sun Feb 15 22:06:18 mycascadingSUS.com swupd_syncd[21280] : *** The suspect product file will not be downloaded.

    Is there anything I can do? I have to stay on 10.6.8 on those servers because they can’t be upgraded.
    Many thanks for your help!
    Ciao
    Carlo

  2. MT
    October 24, 2019 at 6:09 pm

    Today is October 24, 2019, and both the leaf and intermediate certs have now expired:

    $ openssl x509 -inform DER -in Software\ Update.cer -noout -enddate
    notAfter=Oct 24 17:29:17 2019 GMT
    $ openssl x509 -inform DER -in Apple\ Software\ Update\ Certification\ Authority.cer -noout -enddate
    notAfter=Oct 24 17:29:17 2019 GMT
    $

    This means, for example, that software updates for Safari v12.1.2 (Sierra and High Sierra pkgs) have expired. There are surely many others.

    Since Sierra is no longer supported, it’s unclear whether Apple will re-issue packages with updated certs.
    High Sierra users are still supported, so you should be able to install current versions.

    Of course, if you need to (re)install any of these expired packages, you will have to pass the -allowUntrusted flag to /usr/sbin/installer.