Re: Expiration of Developer ID Installer certificates
Re: Expiration of Developer ID Installer certificates
- Subject: Re: Expiration of Developer ID Installer certificates
- From: Prema Kumar <email@hidden>
- Date: Mon, 14 Aug 2017 05:09:11 +0000
- Thread-topic: Expiration of Developer ID Installer certificates
Hi,
From my experience, Silent installation fails unless -allowUntrusted is
specified.
Regards
Prema Kumar
On 8/13/17, 2:53 AM, "Installer-dev on behalf of Stephane Sudre"
<installer-dev-bounces+prema.kumar=email@hidden on behalf of
email@hidden> wrote:
>On Sat, Aug 12, 2017 at 7:43 PM, Rob Prentiss <email@hidden> wrote:
>> Yes, but Installer doesn¹t stop you from installing something with an
>> expired signature. Gatekeeper does.
>
>This is not what I've been observing so far. Here's what I've observed so
>far:
>
>- Gatekeeper does not prevent someone from installing a distribution
>with an expired certificate.
>
>- Installer.app can present an alert sheet that states that the
>certificate has expired when you open a distribution.
>
>
>Evidence #1:
>
>
>OS X 10.10.5 - Installer.app 6.1.0 (815) - A flat distribution with an
>expired certificate and the com.apple.quarantine extended attribute
>set.
>
>1. Open the disk image
>2. Open the distribution.
>
>=> No Gatekeeper alert.
>
>The only way to notice that the certificate has expired is to click on
>the Installer.app document window Lock button (the one with a visual
>bug in OS X 10.10.5)
>
>
>Evidence #2:
>
>Mac OS X 10.7.6 - Installer.app 5.0.1 (538) The same flat distribution
>with the expired certificate and the com.apple.quarantine extended
>attribute set.
>
>1. Open the disk image
>2. Open the distribution.
>
>=> An alert sheet is displayed for the Installer.app document window
>stating:
>
>"xxxxx was signed with a certificate that has expired. If you acquired
>this package recently, it may not be authentic. Do you want to
>continue with the installation anyway?
>
>[ Show Certificate ] [ Cancel ] [ Continue ]"
>
>
>To remove any doubt, this is not related to Gatekeeper quarantine flag:
>
>1. __Remove__ the com.apple.quarantine extended attribute with xattr
>on the disk image.
>2. Open the disk image.
>3. Open the distribution.
>
>=> The alert sheet is displayed for the Installer.app document window.
>
>
>Depending on the version of Installer.appm, it does behave differently
>when a distribution or package is signed with an expired certificate.
>
>
>I don't have access to 10.5, 10.6, 10.8 and 10.9 OS partitions at this
>time, so I can't check whether one of these OS X version exhibits a
>different behavior that the ones already reported.
> _______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Installer-dev mailing list (email@hidden)
>Help/Unsubscribe/Update your Subscription:
>m
>
>This email sent to email@hidden
Confidentiality notice: This message may contain confidential information. It
is intended only for the person to whom it is addressed. If you are not that
person, you should not use this message. We request that you notify us by
replying to this message, and then delete all copies including any contained in
your reply. Thank you.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden