How to verify the authenticity of manually downloaded Apple Software Updates
Summary
Apple digitally signs its software updates to ensure the authenticity of update packages. The Software Update application automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you may verify the signature yourself to confirm that the package is authentic and complete.
Products Affected
Mac OS, Mac OS installation/setup (any version), Product Security
How to manually verify the authenticity of Apple Software Updates
Mac OS X: Updating your software describes how to use Software Update as an alternative to manually downloading and installing packages.
Note: Always download Apple software updates from the Software Update application or from Apple Support Downloads. Apple does not distribute software updates through third-party channels.
- Open the package file that you downloaded by double-clicking its icon. Installer will open.
- For OS X v10.7 Lion, locate the lock icon in the upper-right corner of the Installer window’s title bar.
For Mac OS X v10.6 Snow Leopard, a certificate icon is shown instead.

Important: If no such icon is present, then the package is not signed, and the following steps do not apply. You should not install the package. Instead, obtain the update through Software Update.
- Click the lock or certificate icon. A standard Mac OS X certificate validation dialog appears. For an official update package, the certificate will be issued by "Apple Software Update Certificate Authority" and display a green checkmark.
Important: If the certificate is issued by a different organization, or is not valid, do not install the update.
- Display details about the certificate by clicking the gray disclosure triangle to the left of the word "Details."
- Click the "Apple Software Update Certificate Authority" line.
- Scroll to the bottom and locate the "Fingerprints" section. Look for the SHA-1 fingerprint.

- Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate:
SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
Important: If it does not match, the certificate is invalid and the package should not be installed.
- Continue installing the package normally. Files included in the package are verified prior to installation. If any file is problematic, the installation process will stop and an alert message will be presented. In the event of such an issue, no changes are made to your system.
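
The fingerprint comparison from the steps above can also be scripted in Terminal. The following is an added example, not part of Apple's article: it assumes the `pkgutil --check-signature` command and that its report lists each certificate as "N. name" followed by a "SHA1 fingerprint:" line; `check_chain` and `norm_fp` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from Apple's article. Assumes pkgutil prints each chain
# entry as "N. <name>" followed by a "SHA1 fingerprint: XX XX ..." line.

# Fingerprint and issuer name exactly as published in the article above.
EXPECTED_SHA1="9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2"
ISSUER_NAME="Apple Software Update Certificate Authority"

# Strip separators and upper-case so "9c:86" and "9C 86" compare equal.
norm_fp() { printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'a-f' 'A-F'; }

# check_chain (hypothetical helper): reads the pkgutil report on stdin.
# Returns 0 = fingerprint matches, 1 = issuer present but fingerprint differs,
#         2 = issuer not in the chain (unsigned package or a different signer).
check_chain() {
    found=$(awk -v name="$ISSUER_NAME" '
        /^[ \t]*[0-9]+\.[ \t]/ {
            line = $0
            sub(/^[ \t]*[0-9]+\.[ \t]+/, "", line)
            sub(/[ \t\r]+$/, "", line)
            in_target = (line == name)
            next
        }
        in_target && /SHA1 [Ff]ingerprint:/ {
            sub(/^.*SHA1 [Ff]ingerprint:[ \t]*/, "")
            print
            exit
        }
    ')
    [ -n "$found" ] || return 2
    [ "$(norm_fp "$found")" = "$(norm_fp "$EXPECTED_SHA1")" ] || return 1
    return 0
}

# Usage: sh verify_update.sh /path/to/Update.pkg
if [ "$#" -ge 1 ] && [ -e "$1" ]; then
    out=$(pkgutil --check-signature "$1" 2>&1)
    printf '%s\n' "$out"            # show the full report, including Status
    rc=0
    printf '%s\n' "$out" | check_chain || rc=$?
    case "$rc" in
        0) echo "OK: issuer fingerprint matches the published value" ;;
        1) echo "DO NOT INSTALL: issuer fingerprint differs" ;;
        *) echo "DO NOT INSTALL: not signed by $ISSUER_NAME" ;;
    esac
    exit "$rc"
fi
```

The script checks only the issuer fingerprint; the Status line in the printed report still needs to show that the certificate is trusted.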
