
How to verify the authenticity of manually downloaded Apple Software Updates

Apple digitally signs its software updates to ensure the authenticity of update packages. Software Update automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you may verify the signature yourself to confirm that the package is authentic and complete.

Note: Always download Apple software updates using Software Update, the Mac App Store application, or from Apple Support Downloads. Apple does not distribute software updates through third-party channels.

  1. Open the package file that you downloaded by double-clicking its icon. Installer will open.

  2. For OS X v10.7 Lion, locate the lock icon in the upper-right corner of the Installer window’s title bar.
    For Mac OS X v10.6 Snow Leopard, a certificate icon is shown instead.

    Important: If no such icon is present, then the package is not signed, and the following steps do not apply. You should not install the package. Instead, obtain the update through Software Update.
     
  3. After clicking the lock or certificate icon, a standard OS X certificate validation dialog appears. An official update package is issued by "Apple Software Update Certificate Authority" and displays a green checkmark.

    Important: If the certificate is issued by a different organization, or is not valid, do not install the update.

  4. Display details about the certificate by clicking the gray disclosure triangle to the left of the word Details.
  5. Click the Apple Software Update Certificate Authority line.
  6. Scroll to the bottom and locate the Fingerprints section. Look for the SHA-1 fingerprint.

  7. Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate, which is:

    SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2

    Important: If it does not match, the certificate is invalid and the package should not be installed.

  8. Continue installing the package normally. Files included in the package are verified prior to installation. If any file is problematic, the installation process will stop and an alert message will be presented. In the event of such an issue, no changes are made to your system.
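
The fingerprint comparison in steps 6 and 7 can also be scripted from Terminal. The script below is an added example, not part of Apple's article: it assumes the certificate chain is listed with `pkgutil --check-signature` in the layout of the constructed sample, and the function names are illustrative.

```shell
# Added example, not Apple's code. The fingerprint is the one given in step 7.
EXPECTED_SHA1="9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2"
CA_NAME="Apple Software Update Certificate Authority"

# Constructed sample of `pkgutil --check-signature` output (assumed layout).
# The package name, leaf certificate name and leaf fingerprint are placeholders.
SAMPLE_CHAIN='Package "Example.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    2. Apple Software Update Certificate Authority
       SHA1 fingerprint: 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2'

# Keep only hex digits, upper-cased, so spaces, colons and case are ignored.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read the chain on stdin; print the fingerprint listed under certificate $1.
ca_fingerprint() {
    awk -v name="$1" '
        /^[ \t]*[0-9]+\.[ \t]/ {            # "N. <certificate name>"
            line = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            in_cert = (line == name)        # fingerprints of other certs are skipped
            next
        }
        in_cert && /SHA1 [Ff]ingerprint:/ {
            sub(/^.*[Ff]ingerprint:[ \t]*/, "")
            print
            exit
        }'
}

# Returns 0 = CA present and fingerprint matches, 1 = mismatch, 2 = CA not in chain.
check_chain() {
    found=$(ca_fingerprint "$CA_NAME")
    [ -n "$found" ] || { echo "FAIL: CA not in chain; do not install"; return 2; }
    [ "$(normalize_fp "$found")" = "$(normalize_fp "$EXPECTED_SHA1")" ] ||
        { echo "FAIL: fingerprint mismatch ($found); do not install"; return 1; }
    echo "OK: SHA-1 fingerprint matches the published value"
}

# On a Mac: pkgutil --check-signature /path/to/Update.pkg | check_chain
printf '%s\n' "$SAMPLE_CHAIN" | check_chain
```

This covers only the fingerprint comparison; the issuer and validity check described in step 3 still applies.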

 

Last Modified: Mar 5, 2014
Article: HT5044