Re: Expiration of Developer ID Installer certificates
Hi,
From my experience, silent installation fails unless -allowUntrusted is specified.
Regards
Prema Kumar

On 8/13/17, 2:53 AM, "Installer-dev on behalf of Stephane Sudre" <installer-dev-bounces+prema.kumar=efi.com@lists.apple.com on behalf of dev.iceberg@gmail.com> wrote:
On Sat, Aug 12, 2017 at 7:43 PM, Rob Prentiss <rob@prentiss.name> wrote:
Yes, but Installer doesn't stop you from installing something with an expired signature. Gatekeeper does.
This is not what I've been observing so far. Here's what I've observed so far:
- Gatekeeper does not prevent someone from installing a distribution with an expired certificate.
- Installer.app can present an alert sheet that states that the certificate has expired when you open a distribution.
Evidence #1:
OS X 10.10.5 - Installer.app 6.1.0 (815) - A flat distribution with an expired certificate and the com.apple.quarantine extended attribute set.
1. Open the disk image.
2. Open the distribution.
=> No Gatekeeper alert.
The only way to notice that the certificate has expired is to click on the Installer.app document window Lock button (the one with a visual bug in OS X 10.10.5).
Evidence #2:
Mac OS X 10.7.6 - Installer.app 5.0.1 (538) The same flat distribution with the expired certificate and the com.apple.quarantine extended attribute set.
1. Open the disk image.
2. Open the distribution.
=> An alert sheet is displayed for the Installer.app document window stating:
"xxxxx was signed with a certificate that has expired. If you acquired this package recently, it may not be authentic. Do you want to continue with the installation anyway?
[ Show Certificate ] [ Cancel ] [ Continue ]"
To remove any doubt, this is not related to Gatekeeper quarantine flag:
1. __Remove__ the com.apple.quarantine extended attribute with xattr on the disk image.
2. Open the disk image.
3. Open the distribution.
=> The alert sheet is displayed for the Installer.app document window.
Depending on the version of Installer.app, it does behave differently when a distribution or package is signed with an expired certificate.
I don't have access to 10.5, 10.6, 10.8 and 10.9 OS partitions at this time, so I can't check whether one of these OS X versions exhibits a different behavior than the ones already reported.