What happens when Developer ID Installer certificate expires?

Question

capso OP

Created Mar ’22

Replies 2

Boosts 0

Views 2.2k

Participants 4

Hello. According to Apple documentation,

Developer ID Installer Certificate (Mac applications): If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate.

https://developer.apple.com/support/certificates/

However, using installer signed before expiration, I can still install the application, even after certificate has expired and installer even shows it as Expired but valid.

Could you please clarify if the quote above is true? Or how is it possible that I can still install the application?

Thank you,

Jakub

Answered by DTS Engineer in 707637022

Could you please clarify if the quote above is true?

That article is definitely out of date. I’ve filed a bug to get it corrected (r. 90418064).

I believe that this info was correct in the past. However, modern installer packages include a trusted timestamp. For example:

% pkgutil --check-signature Test702219.pkg 
Package "Test702219.pkg":
  Status: signed by a developer certificate issued by Apple for distribution
  Notarization: trusted by the Apple notary service
  Signed with a trusted timestamp on: 2022-03-16 11:26:42 +0000
  Certificate Chain:
  1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
    Expires: 2022-08-01 16:32:52 +0000
…

Note the Signed with a trusted timestamp item.

This trusted timestamp allows macOS to apply the same logic it does for Developer ID signed apps, that is: Was the Developer ID certificate valid at the time that the item was signed?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’22

Accepted Answer

Could you please clarify if the quote above is true?

That article is definitely out of date. I’ve filed a bug to get it corrected (r. 90418064).

I believe that this info was correct in the past. However, modern installer packages include a trusted timestamp. For example:

% pkgutil --check-signature Test702219.pkg 
Package "Test702219.pkg":
  Status: signed by a developer certificate issued by Apple for distribution
  Notarization: trusted by the Apple notary service
  Signed with a trusted timestamp on: 2022-03-16 11:26:42 +0000
  Certificate Chain:
  1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
    Expires: 2022-08-01 16:32:52 +0000
…

Note the Signed with a trusted timestamp item.

This trusted timestamp allows macOS to apply the same logic it does for Developer ID signed apps, that is: Was the Developer ID certificate valid at the time that the item was signed?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

2

Answer 2

DTS Engineer OP

Apple

Apr ’22

For 10.15.3 don't see the "Signed with a trusted timestamp" line (for the same pkg), is that going to be an issue? Earlier OS versions?

I don’t know, but it should be pretty straightforward for you test given that you already have a testing environment setup for those old macOS versions.

Right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0