It seems a bit weird to me. I run a small software company, and we sign our installers. When we sign the installer, the signature is timestamped. The certificate only needs to be valid at the time of timestamping. If you don't sign with a timestamp, then yes the signed installer is only valid for as long as the certificate is valid - but that's why you sign with a timestamp. It's pretty standard across the industry. It's why you can still install microsoft patches years later, or my own companies software.
I guess Apple have done this deliberately to ensure old installers expire, but that's pretty poor behaviour. How many Mac Admin's are today downloading / updating their cache of installers? How many man hours of wasted time? You can probably measure the drop in productivity against US GDP. It should be a crime to force us all to waste so much effort. Force employers all over the country to have their staff unproductive for a few hours - how about 4 hours of income fined from Apple - how would they feel about that?
Yes! Apple does this to drive people to the newer OS's. Even the warning pushes you "This copy of the installer MacOS XYZ application is damaged" You could down load five or six more times from even different sources everyone will fail as the installer compares the certificate expiration date and your systems clock setting if the cert has not expired. So if you back date your system you're good to go!
While its nice to have a properly signed installer given the date I'm using the installer, most of us just cheat as its just quicker! Many companies don't allow their users to alter their systems as often the applications and their licenses may prevent jumping to a newer OS. This gets back to how soon after a given OS release the legwork of testing and if needed getting the updated apps installed and testing them.
Personal systems and small business's have the advantage here as they can be more fleet footed, larger companies don't always have the latitude to be as reactive.
The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!
As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.
Mike you said ‘ The fix is to download the images, with the new certificate,‘ sorry if I am being dense, but how do you do this now the installers are no longer available?
Most are available now, minus a few. They should all be available by tomorrow.
The key point, is if you have an install disk or update image that isn't Catalina that's older than about three weeks, you're going to need to replace it.
Probably a dumb question, but now that the App Store is different, I can't find all the old OS versions (El Cap, Yosemite, High Sierra, etc.). Where do we get those?
Not a dumb question. The Medium post has most of them linked. Here they are:
Further back than that, the best way is hitting the App Store from a Yosemite Mac and checking out the Purchased tab -- assuming that's where you got the OS from.
Thanks for posting the links, but my God they are making it hard for Mac users who cannot or do not want to install the latest system. These are not iOS users.
The installer looks at its certificates and the systems date. So as long as the systems date is older than the expiring cert the installer won't be the wiser!
As an example I just installed Sierra on an old 2011 iMac. I altered the systems Date & Time setting to manual and then back dated it to Jan 2017. Restarted the system and then ran the OS installer USB thumb drive I've setup. Once done reset the Date and Time to automatic and its done!
Workarounds (like yours) are good to know in a pinch. The fix is to download the images, with the new certificate, because setting back a system clock can have unintended consequences.
Apple long since stopped signing the older installers ;-{ They only update the last two OS's now. Besides, its more work resetting up the installer USB drive.
There's no risks here! As long as you reset the Date and Time back to auto the Apple time server will set things for you. I've done quite a few systems haven't encountered any issues over the last 10 years.
There are risks, particularly in regulated systems with data security measures, like in federal service. There are a few other potential issues, like with computers enrolled in device management or other control systems. There are also potential problems with computers that may connect to a network share that's MAC-gated.
I agree that in small businesses there is less of one. Best practice is to to still get the new installer, like you said later.
The link for High Sierra (10.13) takes you to the app store which then gives an error that the requested version of macOS is not available. I assume this is because I'm running on Mojave (10.14) now and it's refusing to even download the older installer.
The link for High Sierra (10.13) takes you to the app store which then gives an error that the requested version of macOS is not available. I assume this is because I'm running on Mojave (10.14) now and it's refusing to even download the older installer.
Yup. The terminal command will still make the install drive, though.
The link for High Sierra (10.13) takes you to the app store which then gives an error that the requested version of macOS is not available. I assume this is because I'm running on Mojave (10.14) now and it's refusing to even download the older installer.
Yup. The terminal command will still make the install drive, though.
Not without the installer app it won't. I can't even download the app in the first place to even run the terminal command. It's the GET button in the app store that results in the error.
The link for High Sierra (10.13) takes you to the app store which then gives an error that the requested version of macOS is not available. I assume this is because I'm running on Mojave (10.14) now and it's refusing to even download the older installer.
Yup. The terminal command will still make the install drive, though.
Not without the installer app it won't. I can't even download the app in the first place to even run the terminal command. It's the GET button in the app store that results in the error.
The link for High Sierra (10.13) takes you to the app store which then gives an error that the requested version of macOS is not available. I assume this is because I'm running on Mojave (10.14) now and it's refusing to even download the older installer.
Yup. The terminal command will still make the install drive, though.
Not without the installer app it won't. I can't even download the app in the first place to even run the terminal command. It's the GET button in the app store that results in the error.
Duh, yeah, sorry. I read your comment wrong.
I just tried the app store link for High Sierra under MacOS Catalina beta and it started the download though Software Update. I canceled it since I didn't need it but wanted to test it. Perhaps Apple fixed the issue. Try again and report back and see if it works for you. Good luck!
Comments
While its nice to have a properly signed installer given the date I'm using the installer, most of us just cheat as its just quicker! Many companies don't allow their users to alter their systems as often the applications and their licenses may prevent jumping to a newer OS. This gets back to how soon after a given OS release the legwork of testing and if needed getting the updated apps installed and testing them.
Personal systems and small business's have the advantage here as they can be more fleet footed, larger companies don't always have the latitude to be as reactive.
https://www.apple.com/shop/product/D6377Z/A/os-x-mountain-lion
https://support.apple.com/en-us/HT201372
I agree that in small businesses there is less of one. Best practice is to to still get the new installer, like you said later.