The Apple Packagepocalypse, 2019 Edition…
Apple uses certificates to digitally sign their installer packages (which are embedded inside their OS installers).
A few Mac admins noted that the primary certificate and the intermediate certificate used to sign many of their packages were going to expire on October 24, 2019 (which happens to be today).
In the last couple of weeks, Mac admins have noticed that Apple has been replacing packages with new ones, which are signed with certificates that do not expire until 2029. Anyone still running an Apple Software Update Server, or Reposado, or netSUS, has seen the many gigabytes of newly-updated, but older, packages being published daily.
Well… Apple didn’t get them all replaced. As of this moment, the macOS 10.14.6 updaters presently on support.apple.com, and on Apple’s CDNs used by the software update mechanism, will expire in less than an hour.
I have made Apple aware of this issue, and they are attempting to get both the 10.14.6 issues fixed, as well as determine what other packages may yet need to be updated.
UPDATE: 10/24/2019 4:00 PM EDT: Apple has pulled and reissued the 10.14.6 Delta and Combo updaters, as well as several other update packages, in order to address this issue. It may still take time for the updated packages to replicate, and, if you have a Caching Server, or Software Update Server/Reposado/netSUS, for those to update as well. It appears that Security Update 2019-005 for both macOS High Sierra and macOS Sierra were also deprecated, and replaced, likely due to the cert expiry.
Keep in mind that any OS installers you may have lying around (older than macOS Catalina, which has used the new expires-in-2029 signing certificate and is thus unaffected) will stop working after 1:29 pm EDT on 10/24/2019.
Symptoms of expired installers or packages would include dialogs about “This copy of Install macOS <version>.app is damaged”, or /private/var/log/install.log showing errors about “Failed to open <package name> because the installer is not trusted”.
You can use Suspicious Package from Mothers Ruin software to inspect any existing installer packages for the expiry problem:
https://mothersruin.com/software/SuspiciousPackage/
You can use SUS Inspector, written by Hannes Juutilainen, to review which packages are available on Apple’s update servers, and search, or sort by date:
https://github.com/hjuutilainen/sus-inspector
You may want to check the installer packages on your Jamf or Munki distribution points, as well as any OS installers or USB drives with OS installers on them (created by createinstallmedia or similar tools). They will all need to be replaced with the updated versions of packages where the certificate is not expired.
Munki users at least have the option of using the allow_untrusted key:
https://github.com/munki/munki/wiki/Allowing-Untrusted-Packages
Command-line method to check a package (pkgutil can’t handle wildcards):
/usr/sbin/pkgutil --check-signature /Path/To/package.pkg | grep Status
It should show “Status: signed by a certificate that has since expired” for any Apple package affected by the Packagepocalypse 2019.
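Because pkgutil checks one package per invocation, auditing a whole distribution point or a mounted InstallESD volume needs a loop. The script below is an added example, not part of the original post; the function names and the PKGUTIL override variable are assumptions of this example, and it matches on the status text quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): find every installer package
# under a directory whose signature status reports an expired certificate.

# Assumption: PKGUTIL may be overridden so the logic can be tested off macOS.
PKGUTIL="${PKGUTIL:-/usr/sbin/pkgutil}"

# Print the text after "Status:" from pkgutil's report for one package.
# Prints nothing if pkgutil produced no Status line (unreadable file, etc.).
pkg_status() {
    "$PKGUTIL" --check-signature "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Walk a directory tree, one pkgutil call per package, and print
# "EXPIRED<TAB>path" or "UNKNOWN<TAB>path" for packages needing attention.
# Packages with any other status are considered fine and are not listed.
scan_expired() {
    find "$1" \( -name '*.pkg' -o -name '*.mpkg' \) -print |
    while IFS= read -r pkg; do
        status=$(pkg_status "$pkg")
        case "$status" in
            *"has since expired"*) printf 'EXPIRED\t%s\n' "$pkg" ;;
            "")                    printf 'UNKNOWN\t%s\n' "$pkg" ;;
        esac
    done
}

# Scan each directory given on the command line, e.g. a distribution point
# or /Volumes/InstallESD/Packages.
for dir in "$@"; do
    scan_expired "$dir"
done
```

An UNKNOWN line means pkgutil returned no Status line for that file, so check it by hand.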
Download links for older OS installers:
Sierra: https://support.apple.com/en-us/HT208202
High Sierra: https://support.apple.com/en-us/HT208969
Mojave: https://support.apple.com/HT210190
Others: https://support.apple.com/downloads
You may also want to check/flush the data from/temporarily disable any Caching Servers on your network, to be sure you are getting the most recent packages. To do so, follow the instructions here:
https://support.apple.com/guide/mac-help/set-up-content-caching-on-mac-mchl3b6c3720/mac
Delete all cached content
- On your Mac, choose Apple menu -> System Preferences, click Sharing, then select Content Caching.
- Click Options.
- Click Reset, then click Reset again to verify the request.
Three notes:
- All of this has happened before, and will happen again (in 2029). Rich Trouton previously blogged about this here: https://derflounder.wordpress.com/2016/02/15/certificate-expiration-and-downloaded-mac-app-store-installers/
  And here: https://derflounder.wordpress.com/2012/03/24/apple-installer-package-certificate-expiration/
- Special thanks to Dennis Moffett for originally pointing out the 10.14.6 update/combo update packages were not yet updated. And also, thanks to those anonymous Apple employees whom I reached out to, who lit fires under people to get these things on Apple’s radar. You folks are the Real MVP’s.
- You can check to see if your {Mojave, High Sierra, Sierra} installers are expired, either by double-clicking them (if your Mac’s date and time is correct, and they open, you’re good), or mounting the InstallESD.dmg from inside the app bundle at Install macOS <Name>.app/Contents/SharedSupport/InstallESD.dmg and then checking the expiry on /Volumes/InstallESD/Packages/OSInstall.mpkg, or any of the other packages in that folder.