Re: Expiration of Developer ID Installer certificates
Hi,

According to the following link new installations will not work.

https://developer.apple.com/support/certificates/

Read the section "Developer ID Installer Certificate (Mac applications)"

Regards
Prema Kumar

From: Installer-dev <installer-dev-bounces+prema.kumar=efi.com@lists.apple.com> on behalf of Brian Kendall <guygizmo@gmail.com>
Date: Friday, August 4, 2017 at 2:38 AM
To: "Installer-dev@lists.apple.com" <Installer-dev@lists.apple.com>
Subject: Re: Expiration of Developer ID Installer certificates

Additionally: I just tested several of my company's installers in macOS 10.11 and 10.12 with the system clock changed to a date after the certificate expires. I found that none of these installers would display the "This package was signed with a certificate that has expired..." message. Similar to what Paul reported, in 10.11 it would mention the certificate had expired if I clicked the lock icon in Installer.app, and in 10.12 it doesn't even say that the certificate is expired. Is it actually necessary for me to do anything with these old installers in order to keep things working?

Any help or information that can clear up this confusion would be much appreciated!

- Brian

On Aug 3, 2017, at 4:21 PM, Brian Kendall <guygizmo@gmail.com> wrote:

I'm afraid I don't have anything to add, but I'd just like to say that I have exactly the same concerns and questions as Paul, and I'm also hoping that someone can weigh in on this. My company releases a lot of installers for third parties, and our installer certificate is going to expire in a month. I had thought, like with applications, that the certificate only had to be valid at the time of signing the installer, not when running the installer. So I'm concerned that now we're going to have to scramble to release new installers for every single client that we have.

I'm also wondering why installers work this way in macOS in the first place... who's being protected by allowing installers to effectively expire? Why not have it work the same as applications and make the installers remain valid in perpetuity as long as the certificate used to sign them was valid at the time of signing?

- Brian

On Jul 20, 2017, at 8:09 AM, Paul Grathwohl <p.grathwohl@steinberg.de> wrote:

Hello,

Since the introduction of Developer ID Installer, we have been signing our product installers with our Developer ID Installer certificate with the command

    productsign --sign "Our Developer ID Installer Certificate" unsignedPackage.pkg resultPackage.pkg

This worked for us without problems from summer 2012 until June 2017.

In April 2017 we created a new Developer ID Installer certificate, because our original one was only valid until June 2017. We were under the impression that old signed installers would still work, after the original certificate expired, without problems. We thought we would need the new certificate only for signing our newly created installers.

But now some of our old installers throw a message to the user:

"This package was signed with a certificate that has expired. If you acquired this package recently, it may not be authentic. Do you want to continue with the installation anyway?" -- Options: "Show Certificate", "Cancel", "Continue"

Then we found this website from Apple

https://developer.apple.com/support/developer-id/

with this statement:

"Your installer package will only launch if your Developer ID Installer certificate is valid. Installer packages signed with a Developer ID Installer certificate that has expired must be re-signed with a valid Developer ID Installer certificate in order to run."

Now we have some questions that maybe someone could shed some light on:

- Some of our installers with the expired certificate throw the above mentioned message. But some continue to work, but when clicking on the lock icon in the installer, it shows that the certificate has expired. (Additional irritation: on 10.11 or older it says "This certificate is expired" and on 10.12 or newer it says "This certificate is valid" - even though one line above it shows that the Expired date is in the past). We see no difference in our installers and their surrounding dmg, and have no clue why they behave differently regarding the warning message. Any ideas or links to documentation?

- Is there any background information why Developer ID Installer certificates behave differently to Developer ID Application certificates regarding expiration (see above link)?

- What is common practice to deal with the expiration of your old product installers? Do you re-sign them from time to time? Do you tell your users to trust the certificate anyway? How are we supposed to handle this? We normally don't want to touch our once released installers again, as it generates quite some extra work for us.

Thanks for any insight, and sorry for the long mail.

Best,
Paul

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Phone: +49 (40) 21035-0 | Fax: +49 (40) 21035-300 | www.steinberg.net
President: Andreas Stelling | Managing Director: Thomas Schöpe, Yoshiyuki Tsugawa
Registration Court: Hamburg HRB 86534
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (Installer-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/installer-dev/guygizmo%40gmail.com
This email sent to guygizmo@gmail.com
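
Added example, not part of the thread and not code from any of its participants: one way to list which already-released packages carry a Developer ID Installer certificate that expires on or before a given date, by reading the report printed by `pkgutil --check-signature`. The function names are hypothetical, and the sample report is constructed (made-up signer, team ID and dates) on the assumption that the report lists the signing certificate as chain entry "1." with an "Expires:" line.

```shell
#!/bin/sh
# Added example: classify a package by the expiry of its signing (leaf)
# certificate, using the text report of `pkgutil --check-signature`.

# Constructed sample report; signer, team ID and dates are made up.
SAMPLE_REPORT='Package "resultPackage.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2016-03-01 09:15:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       Expires: 2017-06-20 10:00:00 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000'

# Print the expiry date (YYYY-MM-DD) of chain entry "1.", the signing cert.
leaf_expiry() {
    awk '/^ *1\. / { leaf = 1; next }
         /^ *2\. / { exit }
         leaf && /Expires:/ { print $2; exit }'
}

# classify REPORT CUTOFF(YYYY-MM-DD): prints "unsigned", or "expired"/"valid"
# plus whether the report mentions a trusted timestamp.
classify() {
    report=$1 cutoff=$2
    expiry=$(printf '%s\n' "$report" | leaf_expiry)
    if [ -z "$expiry" ]; then echo "unsigned"; return 0; fi
    # ISO dates sort lexicographically, so sort(1) orders them by time.
    first=$(printf '%s\n%s\n' "$expiry" "$cutoff" | sort | head -n 1)
    if [ "$first" = "$expiry" ]; then state=expired; else state=valid; fi
    if printf '%s\n' "$report" | grep -q 'Signed with a trusted timestamp on:'
    then ts=timestamped; else ts=no-timestamp; fi
    echo "$state $ts (leaf expires $expiry)"
}

# audit_dir DIR CUTOFF: run the check over every .pkg in DIR (macOS only).
audit_dir() {
    for pkg in "$1"/*.pkg; do
        [ -e "$pkg" ] || continue
        # pkgutil exits non-zero for unsigned or untrusted packages.
        out=$(pkgutil --check-signature "$pkg" 2>/dev/null) || true
        printf '%s: %s\n' "$pkg" "$(classify "$out" "$2")"
    done
}
```

Passing a cutoff some weeks in the future to `audit_dir` lists the packages that would need re-signing with `productsign` before the certificate runs out.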