Re: Expiration of Developer ID Installer certificates
- Subject: Re: Expiration of Developer ID Installer certificates
- From: Stephane Sudre <email@hidden>
- Date: Sat, 12 Aug 2017 23:23:34 +0200
On Sat, Aug 12, 2017 at 7:43 PM, Rob Prentiss <email@hidden> wrote:
> Yes, but Installer doesn’t stop you from installing something with an
> expired signature. Gatekeeper does.
This is not what I've been observing so far. Here's what I've observed so far:
- Gatekeeper does not prevent someone from installing a distribution
with an expired certificate.
- Installer.app can present an alert sheet that states that the
certificate has expired when you open a distribution.
Evidence #1:
OS X 10.10.5 - Installer.app 6.1.0 (815) - A flat distribution with an
expired certificate and the com.apple.quarantine extended attribute
set.
1. Open the disk image
2. Open the distribution.
=> No Gatekeeper alert.
The only way to notice that the certificate has expired is to click on
the Installer.app document window Lock button (the one with a visual
bug in OS X 10.10.5)
Evidence #2:
Mac OS X 10.7.6 - Installer.app 5.0.1 (538) - The same flat distribution
with the expired certificate and the com.apple.quarantine extended
attribute set.
1. Open the disk image
2. Open the distribution.
=> An alert sheet is displayed for the Installer.app document window stating:
"xxxxx was signed with a certificate that has expired. If you acquired
this package recently, it may not be authentic. Do you want to
continue with the installation anyway?
[ Show Certificate ] [ Cancel ] [ Continue ]"
To remove any doubt, this is not related to Gatekeeper quarantine flag:
1. __Remove__ the com.apple.quarantine extended attribute with xattr
on the disk image.
2. Open the disk image.
3. Open the distribution.
=> The alert sheet is displayed for the Installer.app document window.
Depending on the version of Installer.app, it does behave differently
when a distribution or package is signed with an expired certificate.
I don't have access to 10.5, 10.6, 10.8 and 10.9 OS partitions at this
time, so I can't check whether one of these OS X versions exhibits a
different behavior than the ones already reported.