Install Old macOS
Background
For various reasons, installing an old version of macOS on an Apple computer is not an easy task. Because the download link on the Apple official website will guide you to the App Store, when it finds that the system version you want to download is older than the system you are currently using, it will not provide the download, only the updated version.
A few days ago, a friend of mine just graduated from high school and wanted to study computer science in college, so I recommended him to buy an Apple computer. But he had never used macOS before, so I planned to let him experience my 2014 MacBook Air. At that time, the system of this computer was High Sierra 10.13, I thought about making a USB boot disk to reinstall the system, and conveniently erase all the data on the disk, I didn’t expect that after this operation, I was stunned.
Certificate Expired
I found a High Sierra image online, because the Apple official website cannot download old versions of macOS. After the boot disk was made, everything went smoothly, until it gave me a surprise. (I found this picture online)
Checked some information, many said it was a problem with the expired certificate, because some of the certificates issued by Apple expired in 2019.
Solution
Download Latest Image (Recommended)
Whether an image can be used is not just a certificate issue, so the most reliable method is to download the latest installation package from the Apple official website.
But as mentioned earlier, the App Store does not provide downloads at all,
Fortunately, we can use the softwareupdate
command to download the system version supported by the current computer.
Because my other computer supports the oldest version is Mojave, not High Sierra, so in the end I installed 10.14.6.
Modify System Time
Open Utilities -> Terminal, use the date
command to modify the time.
Understand the reason
Although the problem has been solved, I want to verify whether it is really a problem with the expired certificate.
- High Sierra: Error, application is damaged
- Mojave: Successfully installed
These two installation packages are files (actually directories) with the suffix .app
,
unlike the above .pkg
files, you can directly see the certificate information when you open them, you need to use another method.
Certificate Information
We can use pkgutil
to view the certificate information of .app
.
You can see that the certificate information in this package contains 3 parts, but only parts 2 and 3 have expiration information, and none of them have expired.
What’s even more ridiculous is that I also checked the certificate information of Mojave, and it is exactly the same as High Sierra.
So what’s the problem? Later I found that you can use codesign
to view more detailed certificate information.
This command will generate 3 certificate files in the current directory.
Use the qlmanage
command to view the certificate information.
You can see that the expiration date of Software Signing is April 13, 2021,
which is exactly the missing information in the first part of pkgutil
.
When I thought the truth was revealed, the same command, the expiration date of Mojave is also April 13, 2021.
I don’t understand this, then both installation packages should not work, and then I asked ChatGPT again.
🤡: Why can the Software Signing certificate in the macos installation program still run normally after it expires
🤖: In macOS, the reason why the Software Signing certificate in the installation program can still run normally after it expires is because of the system’s design. When creating the installation program, as long as the certificate is valid at the time of signing, macOS will ignore the expiration date of the certificate, allowing the signed application to continue running. The following are the specific reasons:
- Validity at the time of signing: When creating the installation program, as long as the certificate is valid, the signing process will be successfully completed. This means that the installation program has been certified as safe at the time of creation, even if the certificate expires later, the system still recognizes the legality of the signing.
- System design: The design concept of macOS is to ensure the continuity of applications and the stability of user experience. In order to avoid the situation where users cannot use the installed applications due to the expiration of the certificate, macOS will ignore the expiration date of the signed application at runtime.
- Reduce the burden on users and developers: If the expiration of the certificate requires users to reinstall the application every time, or developers have to update the certificate frequently, this will bring great inconvenience to users and developers. Ignoring the expiration of the certificate can avoid this situation, ensuring that users can continue to use the applications they rely on.
- Fault tolerance in actual operation: Although the certificate has a validity period in theory, in actual operation, the fault tolerance design of macOS allows the signed application to continue running even if the certificate expires. This design is to ensure the flexibility and reliability of the system.
In summary, the reason why the Software Signing certificate in the installation program of macOS can still run normally after it expires is because the system verifies the validity at the time of signing, and ignores the expiration date of the certificate at runtime, ensuring the continuity of the application and the stability of the user experience.
So can I assume that the certificates of the two installation packages are not a problem?
Apple Installer Checksums
It seems that we can also verify the integrity of the installation package, Mac OSX Installers SHA1 Checksums.
But I tried it, the result is the same, which also does not represent anything.
What is the truth
It doesn’t work, but I don’t know why.
The situation has developed to this point, I really don’t know what caused the High Sierra installation package to report an error.
Reference
- https://eclecticlight.co/2019/10/18/beware-apple-security-certificates-after-24-october-they-may-have-expired/
- https://www.youtube.com/watch?v=E4Mu4tI8-iw
- https://github.com/notpeter/apple-installer-checksums