File this one under “Obscure problems that could ruin your day.” TidBITS reader Randy Singer alerted us that due to an expired certificate, OS X installers downloaded prior to 14 February 2016 won’t work.
The Apple Worldwide Developer Relations Intermediate Certificate is required for all apps in the Mac App Store, including OS X installers. When used to sign an app, the certificate enables OS X to confirm that the app has not been corrupted or modified by an attacker. This certificate expired on 14 February 2016, causing error dialogs and preventing some apps from launching. Most affected apps have already been updated with the new certificate. But if you downloaded an OS X installer in case of trouble, you may be in for a surprise the next time you try to use it.
Happily, this is an easy problem to fix ahead of time:
- Delete any old OS X installers in the Applications folder or in other locations (be sure to look on external hard drives too; if the App Store detects an old installer, it won’t let you get a new one). These installers have names like Install OS X El Capitan and Install OS X Yosemite.
- Open the App Store app by choosing Apple menu > App Store.
Click the Purchased tab. Enter your App Store password if prompted.
Scroll down to the OS X installer you want and click Download.
The new installers are signed with a certificate that expires on 7 February 2023, so it will be quite a few years before Mac users are affected again.
Those who have created any bootable install disks for OS X will need to recreate them with the new installers. Dan Frakes wrote a guide to creating OS X 10.11 El Capitan install disks for Macworld.
There is one qualification to all this. Apple won’t allow a newer Mac to download versions of OS X that aren’t compatible with that Mac, so on a 27-inch iMac with Retina display, for instance, the App Store app refuses to let you download Mac OS X 10.7 Lion.
If you are in the middle of an OS X install and get tripped up by the expired certificate, Randy Singer offers a suggestion on how you can work around the problem quickly, without having to download a new installer:
- In the OS X Installer, choose Utilities > Terminal.
sudo date 0201010116, press Return, and enter your password.
- Quit Terminal and continue the install.
That Terminal command sets your system date to 1 February 2016 — before the certificate’s expiration — so the installer can continue. Once you have completed the installation, visit System Preferences > Date & Time to reset the system date. Thanks to Randy for the heads up on this issue and the workaround!
As noted, this expired certificate affects more than just OS X installers — a number of Mac App Store apps suffered from it as well. If downloading a new version of an affected installer isn’t an option for some reason, Rich Trouton noted in 2012 that there’s an
-allowUntrusted flag for the command line
installer utility that might help, as might Greg Neagle’s flatpkgfixer.py tool.
As indicated by those posts from 2012, this is only the latest in a series of expired certificate snafus that have rendered Mac App Store apps unusable — the last one hit in November 2015 (see “The Mac App Store Is Breaking Apps,” 12 November 2015). Put bluntly, Apple needs to do a better job in managing its Worldwide Developer Relations Intermediate Certificate and alerting both users and developers to the implications of any expiration or revocation. Having this sort of sporadic failure is decidedly a strike against “It just works.”