Apple just released an early developer preview version of the new and exciting macOS 10.12 “Sierra” to members of their $99 USD/year Developer Program. For some macOS enthusiasts — who believed themselves to be Mac OS enthusiasts up until Monday — it may be very tempting to download this update from sources other than Apple’s official channels.
I would strongly discourage anyone from downloading a copy of your operating system from any third-party source. However, I know some people will disregard such advice and just do it anyway. Here is how you can verify that you’ve downloaded a genuine copy of Apple software that hasn’t been maliciously modified.
The Apple Developer program isn’t all that expensive at $99 USD a year, however it can be a little too much money to ask for a one-month early access window to a piece of software that will be given away for free a few months later.
Whatever the reason, you may have grabbed a copy of macOS “Sierra” from one of the dark corners of the web or maybe perhaps BitTorrent. How would you know that this hasn’t been modified to side-load malware, viruses, cryptographic ransomware, and who knows what other nastiness which could have been bundled in with the new operating system update? You wouldn’t have any way to know if it wasn’t for cryptography.
Apple signs all their software and software updates with their own cryptographic keys. If the app bundle was modified or somehow corrupted, the cryptographic signature that Apple put on it would break. It would be impossible for anyone but Apple to resign a modified package with Apple’s signing keys.
To verify the signature of the Developer Preview installer (or any other app):
- Drag the Install 10.12 Developer Preview.app to your Downloads folder.
- Open the Terminal app, carefully type in the below command, and press Enter.
The command will output information about the installer’s digital signature.
- Look for and verify each of these points in turn:
- There is a line saying “Authority=Apple Root CA”.
- There is a line saying “Authority=Apple Mac OS Application Signing”.
- The last line says the number “0”.
Delete the downloaded application immediately if the command outputs “code object not signed at all”, the Apple Root CA isn’t one of the signing authorities, or the number on the last line is anything except zero.
Then, run the following command to verify that the signature isn’t broken:
If you’ve already opened and run the downloaded program that you’re trying to verify, then copy the installer onto a different Mac and repeat the steps there. Once you’ve run it, a malicious app could have installed itself as a root certificate authority maskarading as “Apple Root CA” and thus would have bypassed this test. It’s unlikely, but it’s within the realm of possibilities.
This has only verified the installer helper app itself. Unfortunately, the operating system package that you’re about to install is explicitly excluded from the code signing check. (Why, Apple!? Why?!) Luckily, the MD5 checksum of the installation package (InstallESD.dmg) is hard-coded into the installer executable (brtool) which was part of the package we just verified. The installer will refuse to begin the installation if the package has been modified in any way. As a nice bonus, you’ve now also verified that the download hasn’t been corrupted in any way.
There are no absolute guarantees in life, but at this stage you should be fairly cryptographically certain that you’ve downloaded the genuine Apple product. If it has in fact been maliciously modified in some way, then Apple and the software industry are in way more trouble than you are.
In any case, you will probably want to format your Mac, and install a fresh and genuinely distributed version of macOS as soon as Apple makes one available to the general public. It’s just good computer hygiene to clean out Developer Previews and Betas when public releases become available.
I wanted to share this after coming across an article suggesting to verify the checksum that was provided along with the Developer Preview Installer that was distributed by a third-party. This isn’t bad advice when the checksum comes from a trusted source, but you can’t trust a checksum provided by a third-party. They could have distributed a checksum that would match the modified code just as easily as the genuine checksum.
Stay safe out there! Don’t go around downloading everything you find from random places on the web. Have fun exploring the new macOS “Sierra”!