How to verify the authenticity of manually downloaded Apple Software Updates
If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.
Apple digitally signs its software updates to ensure the authenticity of update packages. Software Update automatically verifies a package’s signature prior to installing the update. If you manually download an update package, you can verify the signature yourself to confirm that the package is authentic and complete.
If the fingerprint displayed does not match, the certificate is invalid. Do not install the package.
- Open the package file that you downloaded by double-clicking its icon (). Installer will open.
- For OS X Lion or later, locate the lock icon () in the upper-right corner of the Installer window’s title bar.
For Mac OS X Snow Leopard, a certificate icon is shown instead ().
Important: If no such icon is present, then the package is not signed, and the following steps do not apply. Do not install the package. Instead, get the update through Software Update.
- After you click the lock or certificate icon, you will see a standard OS X certificate validation dialog. An official update package is issued by "Apple Software Update Certificate Authority" and displays a green checkmark.
Important: If the certificate is issued by a different organization, or is not valid, do not install the package.
- Display details about the certificate by clicking the gray disclosure triangle to the left of the word Details.
- Click the Apple Software Update Certificate Authority line.
- Scroll to the bottom and locate the Fingerprints section. Look for the SHA-1 fingerprint.
- Verify that the SHA-1 fingerprint displayed matches the following fingerprint of Apple’s certificate, which is:
SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
Note: Older installers could have this SHA-1 fingerprint:
SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
If the fingerprint displayed matches, continue installing the package normally. Files included in the package are verified prior to installation. If there is an issue with a file, installation will stop. You'll see an alert message and no changes will be made to your system.