How to verify the authenticity of manually downloaded Apple Software Updates

If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.

Apple digitally signs its software updates to ensure the authenticity of update packages. Software Update automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.

Always download Apple software updates using Software Update, the Mac App Store application, or from Apple Support Downloads. Apple doesn't distribute software updates through other channels.

If the fingerprint displayed does not match, the certificate is invalid. Do not install the package.

  1. Open the package file that you downloaded by double-clicking its icon (). Installer will open.
  2. For OS X Lion or later, locate the lock icon () in the upper-right corner of the Installer window’s title bar.

    For Mac OS X Snow Leopard, a certificate icon is shown instead.

    Important: If no such icon is present, then the package is not signed, and the following steps do not apply. Do not install the package. Instead, get the update through Software Update.
  3. After you click the lock or certificate icon, you will see a standard OS X certificate validation dialog. An official update package is issued by "Apple Software Update Certificate Authority" and displays a green checkmark.

    Important: If the certificate is issued by a different organization, or is not valid, do not install the package.

  4. Display details about the certificate by clicking the gray disclosure triangle to the left of the word Details.
  5. Click the Apple Software Update Certificate Authority line.
  6. Scroll to the bottom and locate the Fingerprints section. Look for the SHA-1 fingerprint.

    An installer window displaying related certificate information

  7. Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate, which is:

    SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF

    Note: Older installers could have this SHA-1 fingerprint:

    SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2

  8. If the fingerprint displayed matches, continue installing the package normally. Files included in the package are verified prior to installation. If there is an issue with a file, installation will stop. You'll see an alert message and no changes will be made to your system.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information.

Last Modified:
70% of people found this helpful.

Additional Product Support Information

Start a Discussion

in Apple Support Communities
See all questions on this article See all questions I have asked
United States (English)