beta.blog

macOS: Verify signing of PKG files

by on May.01, 2025, under News

Verifying a pkg file signature is a critical step in ensuring the security and integrity of software. The digital signature confirms that the package was indeed created by the claimed publisher or developer. This helps ensure that you’re installing software from a trusted source. Verification checks that the file hasn’t been altered, corrupted, or tampered with since it was signed. A valid signature helps prevent the installation of malicious or unauthorized code. It adds a layer of defense by ensuring that the package hasn’t been compromised during distribution.

Here is an example of how to verify a signature:

# pkgutil --check-signature Microsoft_Office_LTSC_2024_VL_Serializer.pkg


Package "Microsoft_Office_LTSC_2024_VL_Serializer.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2024-08-07 11:49:52 +0000
   Certificate Chain:
    1. Developer ID Installer: Microsoft Corporation (UBF8T346G9)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           64 5D 86 D2 DF 76 9E D7 04 CF B1 FA 1B 38 7F 78 69 DC 87 12 AB 4E 
           0F BC EB BC 29 64 D3 E9 A9 48
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24
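The following script is an added example, not part of the original post. It turns the report above into a pass/fail gate. A valid signature only shows that some Developer ID holder signed the package, so the script also pins the leaf certificate to the Team ID you expect (UBF8T346G9 in the output above). The function names `check_signature_report` and `verify_pkg` are hypothetical.

```shell
#!/bin/bash
# Added example: gate an install on pkgutil's signature report.
# check_signature_report reads `pkgutil --check-signature` output on stdin
# and succeeds only if the package is Developer ID signed, notarized, and
# the leaf certificate carries the expected Team ID.
check_signature_report() {
    expected_team_id="$1"
    report=$(cat)

    # 1. Status line must report an Apple-issued distribution certificate.
    printf '%s\n' "$report" |
        grep -q '^ *Status: signed by a developer certificate issued by Apple for distribution' ||
        { echo "FAIL: not signed with a Developer ID certificate" >&2; return 1; }

    # 2. Notarization must be trusted.
    printf '%s\n' "$report" |
        grep -q '^ *Notarization: trusted by the Apple notary service' ||
        { echo "FAIL: not notarized" >&2; return 2; }

    # 3. Leaf certificate (chain entry "1.") must end in "(TEAMID)".
    leaf=$(printf '%s\n' "$report" | sed -n 's/^ *1\. \(.*\)$/\1/p' | head -n 1)
    team_id=$(printf '%s\n' "$leaf" | sed -n 's/.*(\([A-Z0-9]\{10\}\)) *$/\1/p')
    [ "$team_id" = "$expected_team_id" ] ||
        { echo "FAIL: signer '$leaf' does not match Team ID $expected_team_id" >&2; return 3; }

    echo "OK: $leaf"
}

# verify_pkg PKG TEAM_ID: run pkgutil (macOS only) and check its report.
verify_pkg() {
    pkgutil --check-signature "$1" 2>&1 | check_signature_report "$2"
}

# Usage on macOS:
#   verify_pkg Microsoft_Office_LTSC_2024_VL_Serializer.pkg UBF8T346G9
```

The return code tells you which check failed: 1 for a missing Developer ID signature, 2 for missing notarization, 3 for an unexpected signer.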
