Redownload Archived macOS Installers to Address Expired Certificates

posted in: November 2019 | 0
25 comments

Redownload Archived macOS Installers to Address Expired Certificates

Apple digitally signs the installers used by its software updates to ensure that they haven’t been tampered with. That’s sensible, but there’s a gotcha: the certificates Apple uses to sign these installers have expiration dates. On his Der Flounder blog, Rich Trouton explains what happens when these certificates expire—Apple reissues the installers with new certificates. That has happened again, since many, if not all of Apple’s recent installers had an expiration date of 24 October 2019, which came and went last week.

For most Mac users, this kerfuffle is largely irrelevant—if you need an installer for an older version of macOS, you’ll get one that will work when you download it. The people who are being impacted are Apple consultants and IT admins who have built troubleshooting toolkits that contain a selection of macOS installers for rebuilding Macs with whatever version of macOS is required.

A collection of old macOS installers

The Finder may report that those installers can’t be verified and may have been corrupted or tampered with during download.

Screenshot of an installer with an expired certificate

Getting New Installers

Apple has now re-signed and re-released older installers, giving them a new expiration date of 14 April 2029—nearly 10 years in the future. If you want to rebuild your archive, you can download new installers from links on these pages:

Apple says that earlier versions are not available for download, and as far as I can tell, that’s true. Historically, they appeared in the App Store app, in your list of purchased items, but the only operating systems still showing up there for me are the developer beta of Sierra and the GM candidate for El Capitan (and I doubt they’d work anyway).

However, if you have installers for 10.9 Mavericks, 10.8 Mountain Lion, and 10.7 Lion, TidBITS Talk reader gastropod suggested a workaround for their expired certificates. Before you install, set the clock on the Mac to a date when the certificate was valid, perform the install, and then reset the date back after installation. To change the date from Terminal (which is likely all that will be accessible), follow these steps, which set it to 1 February 2016:

  1. In the installer, choose Utilities > Terminal.
  2. Enter sudo date 0201010116, press Return, and enter your password.
  3. Quit Terminal and continue the install.

Catalina Enhances softwareupdate Command-Line Tool

Speaking of Terminal, Armin Briegel has written on his Scripting OS X blog that the softwareupdate command has a new option in Catalina that lets you download the full installer for a specific version of macOS. This seems to work with versions of 10.14 Mojave and 10.13 High Sierra, but nothing older.

This command downloads the latest Install macOS application to your Applications folder.

softwareupdate --fetch-full-installer

And this one downloads 10.13.6 specifically.

softwareupdate --fetch-full-installer --full-installer-version 10.13.6

In the Year 2525

This isn’t the first time we’ve needed to rebuild our collections of macOS installers—see “Previously Downloaded OS X Installers No Longer Work” (2 March 2016)—and it won’t be the last. Although it’s mostly just an annoyance to redownload everything now, the situation is more troubling over the long term. Silicon Valley always wants to look to the future, but academics and researchers of that future will also want to look back. Expiring certificates could make it difficult or even impossible to bring older Macs back to life for historical or reference purposes. Apple is unlikely to exist forever, but will the final employee re-sign all the old installers with a certificate that expires on the last possible date of 31 December 9999? And then what happens in the year 10,000?