Re: Expiration of Developer ID Installer certificates
- Subject: Re: Expiration of Developer ID Installer certificates
- From: Prema Kumar <email@hidden>
- Date: Fri, 4 Aug 2017 06:32:15 +0000
- Thread-topic: Expiration of Developer ID Installer certificates
Hi,
According to the following link, new installations will not work.
https://developer.apple.com/support/certificates/
Read the section "Developer ID Installer Certificate (Mac applications)".
Regards
Prema Kumar
From: Installer-dev <installer-dev-bounces+prema.kumar=email@hidden>
on behalf of Brian Kendall <email@hidden>
Date: Friday, August 4, 2017 at 2:38 AM
To: "email@hidden" <email@hidden>
Subject: Re: Expiration of Developer ID Installer certificates
Additionally: I just tested several of my company's installers in macOS 10.11
and 10.12 with the system clock changed to a date after the certificate
expires. I found that none of these installers would display the "This package
was signed with a certificate that has expired..." message. Similar to what
Paul reported, in 10.11 it would mention the certificate had expired if I
clicked the lock icon in Installer.app, and in 10.12 it doesn't even say that
the certificate is expired.
Is it actually necessary for me to do anything with these old installers in
order to keep things working?
Any help or information that can clear up this confusion would be much
appreciated!
- Brian
On Aug 3, 2017, at 4:21 PM, Brian Kendall <email@hidden> wrote:
I'm afraid I don't have anything to add, but I'd just like to say that I have
exactly the same concerns and questions as Paul, and I'm also hoping that
someone can weigh in on this.
My company releases a lot of installers for third parties, and our installer
certificate is going to expire in a month. I had thought, like with
applications, that the certificate only had to be valid at the time of signing
the installer, not when running the installer. So I'm concerned that now we're
going to have to scramble to release new installers for every single client
that we have.
I'm also wondering why installers work this way in macOS in the first place...
who's being protected by allowing installers to effectively expire? Why not
have it work the same as applications and make the installers remain valid in
perpetuity as long as the certificate used to sign them was valid at the time
of signing?
- Brian
On Jul 20, 2017, at 8:09 AM, Paul Grathwohl <email@hidden> wrote:
Hello,
Since the introduction of Developer ID Installer, we have been signing our
product installers with our Developer ID Installer certificate with the command
    productsign --sign "Our Developer ID Installer Certificate" unsignedPackage.pkg resultPackage.pkg
This worked for us without problems from summer 2012 until June 2017. In April
2017 we created a new Developer ID Installer certificate, because our original
one was only valid until June 2017. We were under the impression that old
signed installers would still work, after the original certificate expired,
without problems. We thought we would need the new certificate only for signing
our newly created installers.
But now some of our old installers throw a message to the user: "This package
was signed with a certificate that has expired. If you acquired this package
recently, it may not be authentic. Do you want to continue with the
installation anyway?" -- Options: "Show Certificate", "Cancel", "Continue"
Then we found this website from Apple
https://developer.apple.com/support/developer-id/
with this statement:
"Your installer package will only launch if your Developer ID Installer
certificate is valid. Installer packages signed with a Developer ID Installer
certificate that has expired must be re-signed with a valid Developer ID
Installer certificate in order to run."
Now we have some questions that maybe someone could shed some light on:
- Some of our installers with the expired certificate throw the above-mentioned
message. But some continue to work, but when clicking on the lock icon in the
installer, it shows that the certificate has expired. (Additional irritation:
on 10.11 or older it says "This certificate is expired" and on 10.12 or newer it
says "This certificate is valid" - even though one line above it shows that the
Expired date is in the past). We see no difference in our installers and their
surrounding dmg, and have no clue why they behave differently regarding the
warning message. Any ideas or links to documentation?
- Is there any background information why Developer ID Installer certificates
behave differently to Developer ID Application certificates regarding
expiration (see above link)?
- What is common practice to deal with the expiration of your old product
installers? Do you re-sign them from time to time? Do you tell your users to
trust the certificate anyway? How are we supposed to handle this? We normally
don't want to touch our once released installers again, as it generates quite
some extra work for us.
Thanks for any insight, and sorry for the long mail.
Best,
Paul
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list
(email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden