What happens when Developer ID Installer certificate expires?

Hello. According to Apple documentation,

Developer ID Installer Certificate (Mac applications): If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate.

https://developer.apple.com/support/certificates/

However, using an installer signed before expiration, I can still install the application even after the certificate has expired, and the installer even shows it as "Expired but valid".

Could you please clarify if the quote above is true? Or how is it possible that I can still install the application?

Thank you,

Jakub

Accepted Reply

Could you please clarify if the quote above is true?

That article is definitely out of date. I’ve filed a bug to get it corrected (r. 90418064).

I believe that this info was correct in the past. However, modern installer packages include a trusted timestamp. For example:

% pkgutil --check-signature Test702219.pkg 
Package "Test702219.pkg":
  Status: signed by a developer certificate issued by Apple for distribution
  Notarization: trusted by the Apple notary service
  Signed with a trusted timestamp on: 2022-03-16 11:26:42 +0000
  Certificate Chain:
  1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
    Expires: 2022-08-01 16:32:52 +0000
…

Note the Signed with a trusted timestamp item.

This trusted timestamp allows macOS to apply the same logic it does for Developer ID signed apps, that is: Was the Developer ID certificate valid at the time that the item was signed?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • That's great and good to know. Matches our testing. And see the "Signed with a trusted timestamp" for 10.15.7+

    For 10.15.3 don't see the "Signed with a trusted timestamp" line (for the same pkg), is that going to be an issue? Earlier OS versions?

    Thanks.

  • Dear Quinn, sounds good, but today I see that the page still says: "Developer ID Installer Certificate (Mac applications) If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations won't be possible until you have re-signed your installer package with a valid Developer ID Installer certificate." So, what is correct now (hope it's you)? Koen
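The check described in the accepted reply (was the certificate still valid at the trusted timestamp?) can be applied to saved `pkgutil --check-signature` output when auditing packages. This is an added example, not part of the thread or Apple's tooling; `assess` and its status labels are hypothetical names, and it assumes the first `Expires:` line is the signing certificate's, as in the output quoted above.

```python
import re
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S %z"
TS_RE = re.compile(r"^\s*Signed with a trusted timestamp on:\s*(.+?)\s*$", re.M)
EXP_RE = re.compile(r"^\s*Expires:\s*(.+?)\s*$", re.M)

# The output quoted in the reply above (chain elided there after the leaf).
SAMPLE = """Package "Test702219.pkg":
  Status: signed by a developer certificate issued by Apple for distribution
  Notarization: trusted by the Apple notary service
  Signed with a trusted timestamp on: 2022-03-16 11:26:42 +0000
  Certificate Chain:
  1. Developer ID Installer: Quinn Quinn (SKMME9E2Y8)
    Expires: 2022-08-01 16:32:52 +0000
"""

def assess(output, now):
    """Classify `pkgutil --check-signature` text (hypothetical helper and labels).

    Assumes the first "Expires:" line belongs to the signing (leaf) certificate,
    as in the sample. This is a text-level triage, not macOS's own evaluation.
    """
    exp = EXP_RE.search(output)
    if exp is None:
        return "no-certificate-info"
    leaf_expiry = datetime.strptime(exp.group(1), FMT)
    ts = TS_RE.search(output)
    if ts is None:
        # No timestamp line reported: nothing ties the signature to a signing time.
        return "no-timestamp-cert-expired" if now > leaf_expiry else "no-timestamp-cert-current"
    signed_at = datetime.strptime(ts.group(1), FMT)
    if signed_at > leaf_expiry:
        return "signed-after-expiry"
    # Signed while the certificate was valid: the case discussed in this thread.
    return "expired-but-signed-while-valid" if now > leaf_expiry else "cert-current"

if __name__ == "__main__":
    import subprocess, sys
    text = SAMPLE
    if len(sys.argv) > 1:  # path to a real .pkg, on a Mac
        text = subprocess.run(["pkgutil", "--check-signature", sys.argv[1]],
                              capture_output=True, text=True).stdout
    print(assess(text, datetime.now(timezone.utc)))
```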


Replies

For 10.15.3 don't see the "Signed with a trusted timestamp" line (for the same pkg), is that going to be an issue? Earlier OS versions?

I don’t know, but it should be pretty straightforward for you to test given that you already have a testing environment set up for those old macOS versions.

Right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"