Archive for May, 2025
macOS: Verify signing of PKG files
by admin on May.01, 2025, under News
Verifying a PKG file's signature is a critical step in ensuring the security and integrity of software. The digital signature confirms that the package was indeed created by the claimed publisher or developer, which helps ensure that you’re installing software from a trusted source. Verification also checks that the file hasn’t been altered, corrupted, or tampered with since it was signed. A valid signature helps prevent the installation of malicious or unauthorized code and adds a layer of defense by ensuring that the package hasn’t been compromised during distribution.
This is an example of how we’d verify a signature:
# pkgutil --check-signature Microsoft_Office_LTSC_2024_VL_Serializer.pkg
Package "Microsoft_Office_LTSC_2024_VL_Serializer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2024-08-07 11:49:52 +0000
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           64 5D 86 D2 DF 76 9E D7 04 CF B1 FA 1B 38 7F 78 69 DC 87 12 AB 4E 0F BC EB BC 29 64 D3 E9 A9 48
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24
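The check above can be turned into an install gate. The following script is an added example, not part of the original post: it reads a `pkgutil --check-signature` report and passes only if the package is Developer ID signed, notarized, and signed by the Team ID you expect, since a valid signature alone only proves that some developer signed it. The function names `check_pkg_report` and `verify_pkg` are made up for this example, and the sample report is abridged from the output shown on this page.

```shell
#!/bin/sh
# Added example: gate an install on the pkgutil --check-signature report.

# Report abridged from the output shown on this page.
SAMPLE_REPORT='Package "Microsoft_Office_LTSC_2024_VL_Serializer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# check_pkg_report <expected-team-id>   (report is read from stdin)
# Returns 0 on success, 1 = not Developer ID signed, 2 = not notarized,
# 3 = leaf certificate does not carry the expected Team ID.
check_pkg_report() {
    expected_team="$1"
    report=$(cat)

    # 1. Signed with a Developer ID certificate issued by Apple.
    printf '%s\n' "$report" |
        grep -q 'Status: signed by a developer certificate issued by Apple for distribution' ||
        return 1

    # 2. Accepted by the Apple notary service.
    printf '%s\n' "$report" |
        grep -q 'Notarization: trusted by the Apple notary service' ||
        return 2

    # 3. Pin the publisher: entry "1." of the chain is the signing (leaf)
    #    certificate; the 10-character value in parentheses is the Team ID.
    leaf=$(printf '%s\n' "$report" |
        sed -n 's/^[[:space:]]*1\. Developer ID Installer: //p' | head -n 1)
    team=$(printf '%s\n' "$leaf" |
        sed -n 's/.*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p')
    [ -n "$team" ] && [ "$team" = "$expected_team" ] || return 3
    return 0
}

# verify_pkg <file.pkg> <expected-team-id>   (macOS only: calls pkgutil)
verify_pkg() {
    pkgutil --check-signature "$1" | check_pkg_report "$2"
}

# Demo on the embedded sample so the script runs without macOS.
if printf '%s\n' "$SAMPLE_REPORT" | check_pkg_report UBF8T346G9; then
    echo "sample report: OK"
fi
```

On a Mac, `verify_pkg Microsoft_Office_LTSC_2024_VL_Serializer.pkg UBF8T346G9 && echo OK` applies the same checks to the real package.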