I had a short window of opportunity to install the 10.12.5 update today, but the update wasn't showing up on the App Store, so I decided to download it directly. I noticed that the download was over unencrypted http.
That would be alright if I could validate the signature on the downloaded file. I could not find a checksum digest of the file. I have the Apple PGP key, but it's not clear to me that Apple actually signs the downloaded packages in any way. The instructions imply they only use the key to sign security notifications. Is there any way to validate the downloaded file?
Best Answer
You can verify the signature of the package:
Mount the dmg file (assuming it's downloaded to your Downloads folder):
Verify the pkg:
which should yield the following result:
Compare the SHA1 fingerprint of the Apple Software Update Certification Authority with one of the two valid Apple fingerprints:
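The procedure in the answer (mount the image, run `pkgutil --check-signature` on the package, compare the CA fingerprint) can be scripted so the comparison is not done by eye. The script below is an added example and is not part of the original answer. It assumes the `pkgutil --check-signature` output layout shown in the embedded sample (a "Status:" line followed by a certificate chain with "SHA1 fingerprint:" lines), and the two fingerprints in `EXPECTED_CA_FINGERPRINTS` are placeholders to be replaced with values obtained out of band, not Apple's real fingerprints. `hdiutil` and `pkgutil` only exist on macOS; the parsing part runs anywhere with a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not from the original answer: verify that the .pkg inside a
# downloaded .dmg is signed, and that the "Apple Software Update Certification
# Authority" certificate in its chain has an expected SHA1 fingerprint.

# PLACEHOLDER values (40 hex digits, no spaces). Replace with fingerprints you
# have verified out of band; these are not real Apple fingerprints.
EXPECTED_CA_FINGERPRINTS='0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed sample of pkgutil --check-signature output (assumed layout), used
# for the self-check below so the parsing can be exercised without macOS.
SAMPLE_GOOD='Package "macOSUpd10.12.5.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: 01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67
    3. Apple Root CA
       SHA1 fingerprint: AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD'

# Same chain, but the CA fingerprint does not match either expected value.
SAMPLE_WRONG_CA='Package "other.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99 00
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99'

SAMPLE_UNSIGNED='Package "unsigned.pkg":
   Status: no signature'

# Read pkgutil output on stdin and print the SHA1 fingerprint that follows the
# line naming the Software Update CA, normalised to uppercase hex without spaces.
extract_ca_fingerprint() {
    awk '
        /Apple Software Update Certification Authority/ { want = 1; next }
        want && /SHA1 fingerprint:/ {
            sub(/.*SHA1 fingerprint:[ \t]*/, "")
            gsub(/[ \t]/, "")
            print toupper($0)
            exit
        }'
}

# Return 0 only if the pkgutil output on stdin reports a trusted signature AND
# the CA fingerprint is one of EXPECTED_CA_FINGERPRINTS; 1 otherwise.
check_signature_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Status: signed by a certificate trusted' || return 1
    fp=$(printf '%s\n' "$out" | extract_ca_fingerprint)
    [ -n "$fp" ] || return 1
    for expected in $EXPECTED_CA_FINGERPRINTS; do
        [ "$fp" = "$expected" ] && return 0
    done
    return 1
}

# macOS only: mount the dmg read-only, check every top-level .pkg, unmount.
# Returns 0 if at least one package passes check_signature_output.
verify_dmg() {
    dmg=$1
    mnt=$(mktemp -d)
    hdiutil attach -nobrowse -readonly -mountpoint "$mnt" "$dmg" >/dev/null || return 1
    status=1
    for pkg in "$mnt"/*.pkg; do
        [ -e "$pkg" ] || break
        if pkgutil --check-signature "$pkg" | check_signature_output; then
            echo "OK: $pkg"
            status=0
        else
            echo "FAILED: $pkg"
        fi
    done
    hdiutil detach "$mnt" >/dev/null
    return $status
}

if [ $# -gt 0 ]; then
    verify_dmg "$1"
else
    # Self-check on the constructed samples when no dmg path is given.
    if printf '%s\n' "$SAMPLE_GOOD" | check_signature_output; then
        echo "sample: trusted chain with expected CA fingerprint -> accepted"
    else
        echo "sample: unexpected rejection"
    fi
fi
```

Run it as `sh verify_update.sh ~/Downloads/macOSUpd10.12.5.dmg` on the Mac; with no argument it only exercises the parser against the embedded samples. The fingerprint check is what turns the answer's "compare by eye" step into a hard pass/fail, and the script deliberately refuses anything whose status line is not "signed by a certificate trusted", so a package that merely carries some signature is not accepted.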