Re: Expiration of Developer ID Installer certificates
- Subject: Re: Expiration of Developer ID Installer certificates
- From: Brian Kendall <email@hidden>
- Date: Thu, 3 Aug 2017 17:08:36 -0400

Additionally: I just tested several of my company's installers in macOS 10.11
and 10.12 with the system clock changed to a date after the certificate
expires. I found that none of these installers would display the "This package
was signed with a certificate that has expired..." message. Similar to what
Paul reported, in 10.11 it would mention the certificate had expired if I
clicked the lock icon in Installer.app, and in 10.12 it doesn't even say that
the certificate is expired.

Is it actually necessary for me to do anything with these old installers in
order to keep things working?

Any help or information that can clear up this confusion would be much
appreciated!

- Brian

> On Aug 3, 2017, at 4:21 PM, Brian Kendall <email@hidden> wrote:
>
> I'm afraid I don't have anything to add, but I'd just like to say that I have
> exactly the same concerns and questions as Paul, and I'm also hoping that
> someone can weigh in on this.
>
> My company releases a lot of installers for third parties, and our installer
> certificate is going to expire in a month. I had thought, like with
> applications, that the certificate only had to be valid at the time of
> signing the installer, not when running the installer. So I'm concerned that
> now we're going to have to scramble to release new installers for every
> single client that we have.
>
> I'm also wondering why installers work this way in macOS in the first
> place... who's being protected by allowing installers to effectively expire?
> Why not have it work the same as applications and make the installers remain
> valid in perpetuity as long as the certificate used to sign them was valid at
> the time of signing?
>
> - Brian
>
>
>> On Jul 20, 2017, at 8:09 AM, Paul Grathwohl <email@hidden> wrote:
>>
>> Hello,
>>
>> Since the introduction of Developer ID Installer, we have been signing our
>> product installers with our Developer ID Installer certificate with the
>> command
>>
>>     productsign --sign "Our Developer ID Installer Certificate" unsignedPackage.pkg resultPackage.pkg
>>
>> This worked for us without problems from summer 2012 until June 2017. In
>> April 2017 we created a new Developer ID Installer certificate, because our
>> original one was only valid until June 2017. We were under the impression
>> that old signed installers would still work, after the original certificate
>> expired, without problems. We thought we would need the new certificate only
>> for signing our newly created installers.
>>
>> But now some of our old installers throw a message to the user: "This
>> package was signed with a certificate that has expired. If you acquired this
>> package recently, it may not be authentic. Do you want to continue with the
>> installation anyway?" -- Options: "Show Certificate", "Cancel", "Continue"
>>
>> Then we found this website from Apple
>> https://developer.apple.com/support/developer-id/
>> with this statement:
>> "Your installer package will only launch if your Developer ID Installer
>> certificate is valid. Installer packages signed with a Developer ID
>> Installer certificate that has expired must be re-signed with a valid
>> Developer ID Installer certificate in order to run."
>>
>> Now we have some questions that maybe someone could shed some light on:
>>
>> - Some of our installers with the expired certificate throw the above
>> mentioned message. But some continue to work, but when clicking on the lock
>> icon in the installer, it shows that the certificate has expired.
>> (Additional irritation: on 10.11 or older it says "This certificate is
>> expired" and on 10.12 or newer it says "This certificate is valid" - even
>> though one line above it shows that the Expired date is in the past). We see
>> no difference in our installers and their surrounding dmg, and have no clue
>> why they behave differently regarding the warning message. Any ideas or
>> links to documentation?
>>
>> - Is there any background information why Developer ID Installer
>> certificates behave differently to Developer ID Application certificates
>> regarding expiration (see above link)?
>>
>> - What is common practice to deal with the expiration of your old product
>> installers? Do you re-sign them from time to time? Do you tell your users to
>> trust the certificate anyway? How are we supposed to handle this? We
>> normally don't want to touch our once released installers again, as it
>> generates quite some extra work for us.
>>
>> Thanks for any insight, and sorry for the long mail.
>> Best,
>> Paul
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>
>> Phone: +49 (40) 21035-0 | Fax: +49 (40) 21035-300 | www.steinberg.net
>>
>> President: Andreas Stelling | Managing Director: Thomas Schöpe, Yoshiyuki
>> Tsugawa
>>
>> Registration Court: Hamburg HRB 86534
>>
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Installer-dev mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
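
For the situation discussed in this thread (many released installers, a Developer ID Installer certificate about to expire), the following added example, which is not part of the original messages, inventories the signature status of each `.pkg` by reading the `Status:` line and the first chain entry printed by the macOS tool `pkgutil --check-signature`. The sample output, the company name and the team ID are constructed placeholders, and the exact status wording is assumed to match what your macOS version prints.

```shell
# Added example (not from the thread): audit .pkg signature status on macOS.

# Read pkgutil output on stdin; print "<verdict>|<leaf certificate name>".
# Verdicts: unsigned, expired, untrusted, signed, unknown.
classify_signature() {
    awk '
        /^[ \t]*Status:/ {
            status = $0
            sub(/^[ \t]*Status:[ \t]*/, "", status)
        }
        # Entry "1." of the chain listing is the signing (leaf) certificate.
        /^[ \t]*1\.[ \t]/ && leaf == "" {
            leaf = $0
            sub(/^[ \t]*1\.[ \t]*/, "", leaf)
        }
        END {
            if (status == "")                 verdict = "unknown"
            else if (status ~ /no signature/) verdict = "unsigned"
            else if (status ~ /expired/)      verdict = "expired"
            else if (status ~ /untrusted/)    verdict = "untrusted"
            else if (status ~ /^signed/)      verdict = "signed"
            else                              verdict = "unknown"
            printf "%s|%s\n", verdict, leaf
        }'
}

# Print "verdict|leaf|path" for every .pkg below directory $1.
audit_packages() {
    find "$1" -type f -name '*.pkg' | while IFS= read -r pkg; do
        result=$(pkgutil --check-signature "$pkg" 2>/dev/null | classify_signature)
        printf '%s|%s\n' "$result" "$pkg"
    done
}

# Constructed sample modelled on pkgutil output (names are placeholders).
sample_expired_output() {
    cat <<'EOF'
Package "OldProduct.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
EOF
}

# Run the audit only on a Mac and when a directory argument is given.
if command -v pkgutil >/dev/null 2>&1 && [ -d "${1:-}" ]; then
    audit_packages "$1"
fi
```

Packages reported as `expired` are the ones Apple's quoted statement says must be re-signed, which can be done with the same `productsign --sign` command Paul shows, using the new certificate's name.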