This is real, yes. A lot of older software updates (but also newer ones e.g. some 10.14.6 Supplemental Update from September 2019!) are signed with a certificate which becomes/became invalid on Oct, 24 2019.
To keep them in the update game the intermediate certificate authority and its certficates have been replaced – the payload stays the same – and they have been republished/reissued.
Further readings (with pics I don't want to deep-link here ?):
Beware Apple security certificates after 24 October: they may have expired
Certificate used to sign older Apple software expiring on October 24, 2019
To check the validity of software installer packages use:
pkgutil --check-signature /path/to/package.pkg
Example (the OSInstall.pkg inside the InstallESD.dmg of Install macOS Sierra.app d/led on Feb, 26 2019):
pkgutil --check-signature /Volumes/OS\ X\ Install\ ESD/Packages/OSInstall.pkg
Package "OSInstall.pkg":
Status: signed by a certificate that has since expired
Certificate Chain:
1. Software Update
SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
-----------------------------------------------------------------------------
2. Apple Software Update Certification Authority
SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
To check dmgs use:
spctl -a -t open --context context:primary-signature -v /path/to/dmg
spctl -a -v /path/to/dmg
or
codesign -dvvv /path/to/dmg
Not all dmgs are codesigned! The precise command is sometimes macOS-version-dependent, or requires a min macOS/OS X version. Please check man <command>
(eg: man spctl
).
Disable the Automatically keep my Mac up to date check box.
Use the second “more info ...” blue link to get security updates until you are ready to take the invitation to upgrade. It’s listed below the Other Updates text in the middle of the window. If you like the command line you can pick and choose from any or all available update(s) and also suppress them by name.
sudo /usr/sbin/softwareupdate --ignore "macOS Big Sur"
Please read this entire article before trying sudo
for the first time, you could delete all your documents and photos with a syntax error or bad copy/paste of a good command. If you use Time Machine, one sudo
alone won’t delete your backups.
The article above explains the down side of trying to block Big Sur before it's advertised and the error message you will see in that case. A more invasive solution would be to use an MDM product to block the actual installer. Or compile an app like the following open-source tool which anyone can compile with a free AppleID and free version of Xcode.
Best Answer
This will be a little tricky to pick apart remotely. Your edits are super helpful to come up with next steps.
I would use the command line and try this in the terminal app.
You will be prompted to enter your password and if that accepts your password and starts to download and install the updates, you know it’s just a GUI account issue.
If you don’t like the command line, another path is to make a second admin user and log out of the problem user (Apple menu - log out) and then try the update from the second account. Either way, you can reduce the potential causes and maybe get your update done, too.
I get the same prompt, but it works for me today when yesterday I got password errors and I changed nothing. I have Apple Silicon on my Big Sur mini so ymmv.