Previously Downloaded OS X Installers No Longer Work
File this one under “Obscure problems that could ruin your day.” TidBITS reader Randy Singer alerted us that due to an expired certificate, OS X installers downloaded prior to 14 February 2016 won’t work.
The Apple Worldwide Developer Relations Intermediate Certificate is required for all apps in the Mac App Store, including OS X installers. When used to sign an app, the certificate enables OS X to confirm that the app has not been corrupted or modified by an attacker. This certificate expired on 14 February 2016, causing error dialogs and preventing some apps from launching. Most affected apps have already been updated with the new certificate. But if you
downloaded an OS X installer in case of trouble, you may be in for a surprise the next time you try to use it.
Happily, this is an easy problem to fix ahead of time:
- Delete any old OS X installers in the Applications folder or in other locations (be sure to look on external hard drives too; if the App Store detects an old installer, it won’t let you get a new one). These installers have names like Install OS X El Capitan and Install OS X Yosemite.
- Open the App Store app by choosing Apple menu > App Store.
Click the Purchased tab. Enter your App Store password if prompted.
Scroll down to the OS X installer you want and click Download.
The new installers are signed with a certificate that expires on 7 February 2023, so it will be quite a few years before Mac users are affected again.
Those who have created any bootable install disks for OS X will need to recreate them with the new installers. Dan Frakes wrote a guide to creating OS X 10.11 El Capitan install disks for Macworld.
There is one qualification to all this. Apple won’t allow a newer Mac to download versions of OS X that aren’t compatible with that Mac, so on a 27-inch iMac with Retina display, for instance, the App Store app refuses to let you download Mac OS X 10.7 Lion.
If you are in the middle of an OS X install and get tripped up by the expired certificate, Randy Singer offers a suggestion on how you can work around the problem quickly, without having to download a new installer:
- In the OS X Installer, choose Utilities > Terminal.
sudo date 0201010116, press Return, and enter your password.
- Quit Terminal and continue the install.
That Terminal command sets your system date to 1 February 2016 — before the certificate’s expiration — so the installer can continue. Once you have completed the installation, visit System Preferences > Date & Time to reset the system date. Thanks to Randy for the heads up on this issue and the workaround!
As noted, this expired certificate affects more than just OS X installers — a number of Mac App Store apps suffered from it as well. If downloading a new version of an affected installer isn’t an option for some reason, Rich Trouton noted in 2012 that there’s an
-allowUntrusted flag for the command line
installer utility that might help, as might Greg Neagle’s flatpkgfixer.py tool.
As indicated by those posts from 2012, this is only the latest in a series of expired certificate snafus that have rendered Mac App Store apps unusable — the last one hit in November 2015 (see “The Mac App Store Is Breaking Apps,” 12 November 2015). Put bluntly, Apple needs to do a better job in managing its Worldwide Developer Relations Intermediate Certificate and alerting both users and developers to the implications of any expiration or revocation. Having this sort of sporadic failure is decidedly a strike against “It just works.”
Does anyone know which OS X installer is the oldest one that is affected?
If I had to guess, I would think that the Lion installer, for instance, would not be affected because (if I remember correctly) Gatekeeper was introduced some time after Lion.
I would think any that came via the Mac App Store will be affected.
Mavericks is as far back as I've bothered to check though.
Gatekeeper is not part of the equation in this instance. Install packages could be signed with certificates long before the introduction of Gatekeeper, and Apple was signing the OS installer at least as far back at 10.7 (may be earlier, maybe much earlier).
Thank god for Tidbits !!
However the article raises more questions than it answers for me.
And now the questions:
Are the current downloads as of this date, 3/2/2016, that are available from the App Store > Purchased, the newest versions with valid certificates?
If not, how will we know when the latest and greatest are ready for download?
Are the previous version updates such as 10.11.1 Combo Update, 10.11.2 Combo Update, etc also affected?
Are the various Security Updates affected?
Hope someone that really knows can answer these questions. Not just guesses.
I need to re-download Mountain Lion through El Capitan. About an hour for each so do not wish to jump the gun and have to do it all over.
I assume all MAS downloads have been re-signed by now. I've personally only tried Mavericks, Yosemite and El Capitan.
I'd not thought about the Combo updates and security updates, but it's not too much of a concern since your new OSX installation can fetch fresh copies.
I agree with Mark - as far as I know, all Apple installers have been re-signed. The main catch will be if your Mac is old enough for Apple to allow you to get Mountain Lion and Mavericks again. :-(
Glad to see a news site covering this. I stumbled across this issue last week and managed to piece pretty much the same things together. Recorded on http://www.sallonoroff.co.uk/blog/2016/02/when-the-os-x-installer-cant-be-verified/ including the OpenSSL command to check the expiry dates on any installers you might already have saved.
Yeah, I'm kicking myself slightly, since I was aware of the certificate problem in mid-February, but got distracted by other things before getting around to writing about the apps. And although a few people raised the installer issue at that point, I didn't notice until Randy posted on TidBITS Talk.
If you want to download a fresh copy of an older OS X installer, make sure you log into App Store on a Mac old enough to run it.
For example, Apple will not allow a 2013 MacPro to download Lion for an older Mac that still uses it.
Good point, Jim, thanks! We'll add that to the article. On my 27-inch Retina iMac, Apple won't let me download the Lion, Mountain Lion, or Mavericks installers.
That is a very good point, Jim. I'd not even considered it, since all my Macs are old enough. ;)
If all your previously downloaded installers show DOWNLOADED in your Purchases list, is there some simple way to clear that so that you can re-download these newer installers? I have tried clearing cookies and resetting the App from the Developer menu, and also purging all store caches from ~/Library/Caches but no dice...
And deleted the installers from /Applications, just to clarify.
Have you rebooted after deleting everything? I can't think of anything else that would be necessary, although you could also try signing out of the App Store and back in (from Store > Sign Out).
Did you empty trash? This article, and this method just helped me to re-dl the Yosemite installer. I had the exact symptoms you list.
Great article Josh & team!
I'm not a huge fan of using Terminal.
The temporary solution to set system date to 1 Feb 2016 via terminal scares me.
Can the same thing be done using System Preferences > Date & Time if "Set date and time automatically" is unchecked and date set to 2/1/2016?
If Terminal must be used, what is the Terminal command to set the date back to the real time.
This is the problem I have with posters on various forums. They give the command on how to do something but fail to give the command to undo what you just did.
The reason for the Terminal command is that once you're in the installer, you can't get to the Date & Time preference pane to change the date, but you can get to Terminal. That's meant as a "oh, drat!" workaround that prevents an hour-long download just as you were starting to install. The proper solution is to get a new version of the installer.
Regardless, you don't need to set the date back using Terminal after the installation, because you can easily use the Date & Time preference pane to do so instead. It may not even be necessary, depending on your settings, because the Date & Time preference pane may automatically fix the date and time by consulting a remote time server.
I'll clarify this in the article.
Don't be scared of Terminal in this case. The command you are running can only affect the time, as long as you don't type anything other than the "date" command, you are at exactly zero risk of unintentionally performing other operations that could harm your system.
Thanks Adam, but my question remains: Can you set the date and time via system preferences prior to doing the install and have it work
Probably (assuming automatic time setting is turned off), but if you're in a position where you can set up your installation environment in advance, you should just get a new installer so it's not an issue.
If you're thinking that far ahead, you'd be better off downloading the newer installer with the current certificate.
If the Mac still has a working OSX installation, then yes, you can use System Preferences. But say you're booting from a USB drive because your Mac won't start up or you've put in a new hard drive, then Terminal is your only option.
Yes, I understand the best practice is to re-download the new installers.
Give your readers a heads up and save them some time.
If you have previously downloaded and saved the installer on a different partition or external hard drive, unmount them before downloading. If you don't, the download does not appear in Applications because somehow it knows you have it stored elsewhere. Just lost 2 hours as a result of this. 1st one failed, unmounted the partitions and externals, 2nd attempt successful.
Indeed - that's why we recommend deleting all old installers before starting. Besides, you might need the disk space for the new ones!
I should read *all* the comments before replying…..
Yes, just to follow up on what Marv noted, my links in the App Store Purchased list finally went from DOWNLOADED to DOWNLOAD when I ejected an external drive that also had copies of the installers on it.
I've tweaked the article to note that external drives might have copies. Again, those should be deleted - just ejected the drive is a start, but you don't want those old versions sitting around confusing things in the future.
Having previously downloaded OS X installers on mounted external disks didn't cause any problems for me at all. I was still able to re-download the El Capitan, Yosemite and Mavericks installers. Instead of ending up in the Applications folder, the newly-downloaded installers simply replaced the older ones stored on my external drive—saving me the trouble of copying the new installers to the external drive after download.
I like to keep different version installers – 10.9.3, 10.9.4, 10.9.5, etc – because you never know when such a version might be needed, as it was yesterday when this bug bit me in the behind.
For my scenario, redownloading won't work, will it? You only get the last version of the OS installer.
Unfortunately, I think you're right - you can only get the latest version from Apple, so there's no way to get a previous minor version installer as far as I know.
You might look into the command line installer tool, as mentioned in the article. I don't know if that can be used for OS X as a whole, but it might be worth some research.
I hate it when those who pirate software have it easier then those of us who bought the software legitimately. I feel certain that this problem that breaks older software purchased via the Apple App store doesn't affect pirates.
My 2009 Mac Pro, running OS X 10.10.5 now, in App Store, I only see, under Purchased, the El Capitan, Yosemite and Mavericks installers to re-download. If I wanted to avoid the Date trick in Terminal and get updated Lion and Mountain Lion installers, I don't see how. The Purchased list only goes back to Jan 7, 2011.
That's how far back mine goes too, but I have Lion and Mountain Lion after those dates (Lion in July 2011, and Mountain Lion in July 2012).
I've got installer flash drives with all the OS versions made already. Can I just replace the Installer with the new version, or do I have to reformat and install via Terminal again?
I'm guessing you can just replace the installer, but a test to make sure it works would be prudent, so you're certain it will work in an emergency situation.
So wouldn't you think Apple would put a different version number on the installers with the upgraded certificate so people would know? I just re-downloaded the 4 available OS Installers from the App Store for my flash installers. Interestingly, two of the new ones had the same version number as the installer on my flash drives but the new Yosemite was version 1.6._43_... and I had 1.6._7_ from 2014 on my flash installer! The 'new' installer had an older version number! Yeesh, Apple, if this is certificate issue is a real problem.
Thanks for the heads up. This is a problem that certainly could have caused me no end of trouble. Time to update my USB installers that I keep handy for providing support for friends and family.
FWIW I JUST USED AN OLD LION INSTALLER ON USB TO INSTALL WITHOUT TROUBLE ON A CLEAN ERASED OLDER 17" MACBOOK PRO
I just checked "Purchased" at the MAS and both Mac OS 10.10 and 10.11 have "Download" next to them even though I downloaded both last year.
Installed 10.11.3 just yesterday from an installer downloaded shortly after the installer became available - sometimes odd stuff like wrong language appears (and was not able to install when abroad before changing the clock manually in terminal) when installing, but no problems with certificates - maybe not applicable to the 10.11.3 installer then ... .
Is this a joke? I was all paranoid as I went to do a wipe and install for a client today. My old flash drive with Yosemite on it worked fine.
No, it's not a joke, as the screenshot at the top shows. Why your Yosemite drive didn't fail (same with the guy with Lion above) is an interesting question, and not one I know the answer to.
Thanks for the heads up. You saved us all hours of grief.
Spent last nite downloading.-Ran into 1 inexplicable error where Lion would fail error 1004 (on a machine that came with Snow Leopard (go figure).
Thankfully was able to via my laptop, but how many folks have 3 Macs.
Will now copy all to a (to a reformatted) USB stick - hope that works as many count on me for system upgrades.
My husband needs the latest BaseCamp for his new GPS and it's not available unless at least OSX10.10 is installed (thanks, Garmin.) Since 10.10 is not available anymore (thanks, Apple) and we're on 10.8.5, I took it from my son's computer last November (he lives very far away from me) and successfully installed it on our laptop. I procrastinated about installing it elsewhere because I'm working with Adobe CS4 and don't want it to break because I need it. When I finally got up the courage to install 10.10 on my computer, I got a message that it is corrupted.
Thank you Adam Engst for this latest Tidbits that told me what is wrong with the installer. I was able to change the date in terminal (once I figured out I needed to add sudo to the date string), and install 10.10.5. So far my CS4 is working. I'll give it a few days and then upgrade my husband's computer.
I am so incredibly grateful for this fix, that I have finally become a paid subscriber.
Thanks for the tip about sudo - I'll add that to the article.
Wish I had seen this article yesterday. I was replacing the hard drive in my wife's laptop and upgrading her to El Capitan with a copy I had downloaded in 2015. I got the "…corrupted…" message, leading to a very long download of a fresh copy. Sigh! Come on, Apple … this shouldn't happen!
I read this article when it came out but procrastinated doing anything about it because I didn't need to use any of my archived installers at the time. Then, a few days ago I did. Instead of looking this up, I wasted a lot of time talking to Apple tech support, which apparently knows nothing about the problem. According to them, older versions of OS X are no longer available from the App Store. It didn't occur to me at the time to disconnect the drive partitions that had OS X installers on them. Such a simple solution.
I'm currently in the process of downloading everything again, beginning with El Capitan. The only one not listed is Lion. I'll probably have to use my old Mac Pro to get that.
Thanks Adam for one more brilliant article. Keep up the good work.
P.S: Lion doesn't show up in the App Store even on my Mac Pro. So I'll just have to hope I don't need it again.