Security – How to Validate Signature on Apple Updates

Tags: security, software-update

I had a short window of opportunity to install the 10.12.5 update today, but the update wasn't showing up on the App Store, so I decided to download it directly. I noticed that the download was over unencrypted http.

That would be alright if I could validate the signature on the downloaded file. I could not find a checksum digest of the file. I have the Apple PGP key, but it's not clear to me that Apple actually signs the downloaded packages in any way. The instructions imply they only use the key to sign security notifications. Is there any way to validate the downloaded file?

Best Answer

You can verify the signature of the package:

Mount the dmg file (assuming it's downloaded to your Downloads folder):

hdiutil attach ~/Downloads/macosupdcombo10.12.5.dmg

Verify the pkg:

pkgutil --check-signature /Volumes/macOS\ Sierra\ Update/macOSUpdCombo10.12.5.pkg

which should yield the following result:

Package "macOSUpdCombo10.12.5.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

Compare the SHA1 fingerprint of the Apple Software Update Certification Authority with one of the two valid Apple fingerprints:

SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
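The fingerprint comparison in the answer above is easy to get wrong by eye (20 hex bytes, two acceptable values), so here is a small POSIX shell script that does it mechanically. This is an added example, not code from the original answer or from Apple: it takes the text that `pkgutil --check-signature` prints, requires the status to be "signed Apple Software", extracts the fingerprint listed directly under the "Apple Software Update Certification Authority" entry, and checks it against the two fingerprints the answer lists. The sample output embedded in the script is the answer's own output for macOSUpdCombo10.12.5.pkg, included so the parsing logic runs anywhere; the `verify_pkg` function and the volume path are assumptions for use on a Mac where the dmg has already been attached with `hdiutil`.

```shell
#!/bin/sh
# Added example (not the answer's code): mechanical check of the
# pkgutil --check-signature output described in the answer.

# Known-good SHA1 fingerprints of the "Apple Software Update Certification
# Authority" intermediate, as listed in the answer (one per line).
KNOWN_FINGERPRINTS="FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2"

# Constructed sample: the pkgutil output the answer shows for the 10.12.5
# combo update, embedded here so the logic can run without a Mac.
SAMPLE_OUTPUT='Package "macOSUpdCombo10.12.5.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

# check_pkgutil_output: reads `pkgutil --check-signature` text on stdin.
# Returns 0 only if BOTH conditions hold:
#   1. the Status line reports "signed Apple Software", and
#   2. the SHA1 fingerprint printed right under the "Apple Software Update
#      Certification Authority" entry is one of KNOWN_FINGERPRINTS.
# Anything else (other status, missing CA entry, unknown fingerprint) is a failure.
check_pkgutil_output() {
    input=$(cat)
    # Condition 1: exact status text, ignoring surrounding whitespace.
    printf '%s\n' "$input" | grep -q '^ *Status: signed Apple Software *$' || return 1
    # Condition 2: take the fingerprint on the first "SHA1 fingerprint:" line
    # that follows the intermediate CA's name (awk keeps the state).
    fp=$(printf '%s\n' "$input" | awk '
        /Apple Software Update Certification Authority/ { want = 1; next }
        want && /SHA1 fingerprint:/ {
            sub(/.*SHA1 fingerprint: */, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }')
    [ -n "$fp" ] || return 1
    # Whole-line, fixed-string match so a partial or prefix match is not enough.
    printf '%s\n' "$KNOWN_FINGERPRINTS" | grep -qxF -- "$fp"
}

# verify_pkg PATH: on macOS, run the real check against a mounted package,
# e.g. "/Volumes/macOS Sierra Update/macOSUpdCombo10.12.5.pkg" (assumed path
# from the answer; the dmg must already be attached with hdiutil).
verify_pkg() {
    pkgutil --check-signature "$1" | check_pkgutil_output
}

# Stand-alone run against the embedded sample.
if printf '%s\n' "$SAMPLE_OUTPUT" | check_pkgutil_output; then
    echo "sample: signed Apple Software and CA fingerprint is a known value"
else
    echo "sample: check FAILED, do not install"
fi
```

On a Mac the call is `verify_pkg "/Volumes/macOS Sierra Update/macOSUpdCombo10.12.5.pkg"` and the exit status is the verdict, so it can gate a scripted `installer` run. The script deliberately fails closed: if pkgutil's wording or layout changes so that the CA entry is not found, the result is "failed", not "passed".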