Languages

How to verify the authenticity of manually downloaded Apple Software Updates

If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.

Apple digitally signs its software updates to ensure the authenticity of update packages. Software Update automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.

Always download Apple software updates using Software Update, the Mac App Store application, or from Apple Support Downloads. Apple doesn't distribute software updates through other channels.

If the fingerprint displayed does not match, the certificate is invalid. Do not install the package.

  1. Open the package file that you downloaded by double-clicking its icon (). Installer will open.
     
  2. For OS X Lion or later, locate the lock icon () in the upper-right corner of the Installer window’s title bar.
    For Mac OS X Snow Leopard, a certificate icon is shown instead ().



    Important: If no such icon is present, then the package is not signed, and the following steps do not apply. Do not install the package. Instead, get the update through Software Update.
     
  3. After you click the lock or certificate icon, you will see a standard OS X certificate validation dialog. An official update package is issued by "Apple Software Update Certificate Authority" and displays a green checkmark.

    Important: If the certificate is issued by a different organization, or is not valid, do not install the package.

  4. Display details about the certificate by clicking the gray disclosure triangle to the left of the word Details.
     
  5. Click the Apple Software Update Certificate Authority line.
     
  6. Scroll to the bottom and locate the Fingerprints section. Look for the SHA-1 fingerprint.

    An installer window displaying related certificate information

  7. Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate, which is:

    SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF

    Note: Older installers could have this SHA-1 fingerprint:

    SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2

  8. If the fingerprint displayed matches, continue installing the package normally. Files included in the package are verified prior to installation. If there is an issue with a file, installation will stop. You'll see an alert message and no changes will be made to your system.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.
Last Modified: Oct 14, 2014
Helpful?
Yes
No
  • Last Modified: Oct 14, 2014
  • Article: HT5044
  • Views:

    2630
  • Rating:
    • 20.0

    (1 Responses)

Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked