Software update on obsolete system: is it real

This is real, yes. A lot of older software updates (but also newer ones e.g. some 10.14.6 Supplemental Update from September 2019!) are signed with a certificate which becomes/became invalid on Oct, 24 2019.

To keep them in the update game the intermediate certificate authority and its certficates have been replaced – the payload stays the same – and they have been republished/reissued.

Further readings (with pics I don't want to deep-link here ?):

1. Beware Apple security certificates after 24 October: they may have expired

2. Certificate used to sign older Apple software expiring on October 24, 2019

To check the validity of software installer packages use:

pkgutil --check-signature /path/to/package.pkg

Example (the OSInstall.pkg inside the InstallESD.dmg of Install macOS Sierra.app d/led on Feb, 26 2019):

pkgutil --check-signature /Volumes/OS\ X\ Install\ ESD/Packages/OSInstall.pkg 
Package "OSInstall.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

To check dmgs use:

spctl -a -t open --context context:primary-signature -v /path/to/dmg
spctl -a -v /path/to/dmg

or

codesign -dvvv /path/to/dmg

Not all dmgs are codesigned! The precise command is sometimes macOS-version-dependent, or requires a min macOS/OS X version. Please check man <command> (eg: man spctl).