Apple uses certificates to digitally sign their installer packages (which are embedded inside their OS installers).

A few Mac admins noted that the primary certificate, and the intermediate certificate, used to sign many of their packages, was going to expire on October 24, 2019 (which happens to be today).

In the last couple of weeks, Mac admins have noticed that Apple has been replacing packages with new ones, which are signed with certificates that do not expire until 2029. Anyone still running an Apple Software Update Server, or Reposado, or netSUS, has seen the many gigabytes of newly-updated, but older, packages being published daily.

Well… Apple didn’t get them all replaced. As of this moment, the macOS 10.14.6 updaters presently on support.apple.com, and on Apple’s CDNs used by the software update mechanism, will expire in less than an hour.

I have made Apple aware of this issue, and they are attempting to get both the 10.14.6 issues fixed, as well as determine what other packages may yet need to be updated.

UPDATE: 10/24/2019 4:00 PM EDT: Apple has pulled and reissued the 10.14.6 Delta and Combo updaters, as well as several other update packages, in order to address this issue. It may still take time for the updated packages to replicate, and, if you have a Caching Server, or Software Update Server/Reposado/netSUS, for those to update as well. It appears that Security Update 2019-005 for both macOS High Sierra and macOS Sierra were also deprecated, and replaced, likely due to the cert expiry.

List of updated packages released on October 24, just before, and in some cases after, the originals expired

Keep in mind that any OS installers (older than macOS Catalina, which has used the new expires-in-2029 signing certificate, and is thus unaffected) that you may have laying around, will stop working after 1:29 pm EDT on 10/24/2019.

Symptoms of expired installers or packages would include dialogs about “This copy of Install macOS <version>.app is damaged”, or /private/var/log/install.log showing errors about “Failed to open <package name> because the installer is not trusted”

This is an example of an error message that you may see from an OS installer with an expired certificate.

You can use Suspicious Package from Mothers Ruin software to inspect any existing installer packages for the expiry problem:

https://mothersruin.com/software/SuspiciousPackage/

You can use SUS Inspector, written by Hannes Juutilainen, to review which packages are available on Apple’s update servers, and search, or sort by date:

https://github.com/hjuutilainen/sus-inspector

You may want to check the installer packages on your Jamf or Munki distribution points, as well as any OS installers or USB drives with OS installers on them (created by createinstallmedia or similar tools). They will all need to be replaced with the updated versions of packages where the certificate is not expired.

Munki users at leasts have the option of using the allow_untrusted key:

https://github.com/munki/munki/wiki/Allowing-Untrusted-Packages

Command-line method to check a package (pkgutil can’t handle wildcards):

/usr/sbin/pkgutil --check-signature /Path/To/package.pkg | grep Status

It should show:

Status: signed by a certificate that has since expired

for anything Apple affected by the Packagepocalypse 2019.

Download links for older OS installers:

Sierra: https://support.apple.com/en-us/HT208202

High Sierra: https://support.apple.com/en-us/HT208969

Mojave: https://support.apple.com/HT210190

Others: https://support.apple.com/downloads

You may also want to check/flush the data from/temporarily disable any Caching Servers on your network, to be sure you are getting the most recent packages. To do so, follow the instructions here:

https://support.apple.com/guide/mac-help/set-up-content-caching-on-mac-mchl3b6c3720/mac

Delete all cached content

On your Mac, choose Apple menu -> System Preferences, click Sharing, then select Content Caching. Click Options. Click Reset, then click Reset again to verify the request.

Three notes: