If you've got an old macOS install image, it will probably stop working today
If you're like us, you've got a pile of macOS installers of various vintages lying about ready to go at a moment's notice. The problem with that is, the certificates on most of them them expire today, making them useless.
The expiring certificate on macOS Mojave update 10.14.6 - photo credit Medium
So here's what's going on -- Apple has security certificates on installers for macOS. Nearly all of these for older versions of the operating systems expire at some point on Thursday. It's not Apple's root certificate -- which would be worse -- but the primary and intermediate certificates that are expiring.
This means that all of those USB sticks that you've pre-loaded installs that you made that aren't Catalina are probably not going to work when you need them to. So, it's time to update them.
But maybe not just yet, though. As pointed out by a post on Medium, and confirmed just before we took this article live, the macOS Mojave 10.14.6 updater presently available through Apple has the old certificate. Therefore, you can download it now, but it won't work if you do, because it won't validate as it is after 1:29 PM Eastern time -- when the package expired.
Installed operating systems are fine, so there's nothing to worry about there. But, if you try to run an installer, you'll get a warning that the copy of the installer may be damaged, or will just fail to open because the package isn't trusted any more.
So, if you're a system administrator, or just like to be prepared, there's a little work to do to keep your tools functional. You may just want to wait until after October 24 to do it.
This has all happened before, and it will happen again. Fortunately, at least for the operating systems, you won't have to do it again until 2029 after you get the new images.
The expiring certificate on macOS Mojave update 10.14.6 - photo credit Medium
So here's what's going on -- Apple has security certificates on installers for macOS. Nearly all of these for older versions of the operating systems expire at some point on Thursday. It's not Apple's root certificate -- which would be worse -- but the primary and intermediate certificates that are expiring.
This means that all of those USB sticks that you've pre-loaded installs that you made that aren't Catalina are probably not going to work when you need them to. So, it's time to update them.
But maybe not just yet, though. As pointed out by a post on Medium, and confirmed just before we took this article live, the macOS Mojave 10.14.6 updater presently available through Apple has the old certificate. Therefore, you can download it now, but it won't work if you do, because it won't validate as it is after 1:29 PM Eastern time -- when the package expired.
Installed operating systems are fine, so there's nothing to worry about there. But, if you try to run an installer, you'll get a warning that the copy of the installer may be damaged, or will just fail to open because the package isn't trusted any more.
So, if you're a system administrator, or just like to be prepared, there's a little work to do to keep your tools functional. You may just want to wait until after October 24 to do it.
This has all happened before, and it will happen again. Fortunately, at least for the operating systems, you won't have to do it again until 2029 after you get the new images.
Comments
Certificates are managed at the Certificate Authority. Wouldn't Software Update reach out to see if there's a renewed certificate in the same way that browsers do for websites? But then again, certificates are stored within website hosting environments, so if the same happens for these software packages (the certificate bundled within), that does pose a problem.
- Command-Shift-4. (with or without Option key)
- Press the Space bar.
- Hover over the window that you want to capture.
- Click.
This works for Quick Look windows, too.The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!
As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
High Sierra: https://support.apple.com/en-us/HT208969
Mojave: https://support.apple.com/HT210190
The rest: https://support.apple.com/downloads
Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
Thanks so much for these details. But is it likely that Apple would update any of theses?
"This copy of the install MacOS XYZ application is damaged, and can't be used to install macOS"
I guess Apple have done this deliberately to ensure old installers expire, but that's pretty poor behaviour. How many Mac Admin's are today downloading / updating their cache of installers? How many man hours of wasted time? You can probably measure the drop in productivity against US GDP. It should be a crime to force us all to waste so much effort. Force employers all over the country to have their staff unproductive for a few hours - how about 4 hours of income fined from Apple - how would they feel about that?
There's no risks here! As long as you reset the Date and Time back to auto the Apple time server will set things for you. I've done quite a few systems haven't encountered any issues over the last 10 years.