OS X Mavericks 10.9.5 file integrity

[Faloude]

I've acquired OS X Mavericks (10.9.5 build 13F34) through archive.org and I'm facing a challenge verifying this file. There are 2 fishy things about it:

1. The .app file requires a bash command xattr -cr to become usable for reasons beyond me.
2. The command pkgutil --check-signatur on Install OS X Mavericks.app returns (package is invalid (checksum did not verify) both before and after executing above command (xattr -cr)

The SHA1 checksum does appear on this github page although I'm not sure if this should be a holy grail as anyone can simply post a checksum there and the author will include it. The SHA1 checksum I get for the archive.org download is 73cdd9440fe5efa79763f5461ec4ad9a59cdd1df

What I'm ultimately trying to achieve here is to have a version of 10.9.5 installer that is just pure and untouched.

 

[Grumpus]

Feeding that SHA1 into google results in a number of hits in addition to the github entry you found, including this one. In the absence of anything official from Apple, you just have to cross your fingers.

The file probably had the com.apple.quarantine attribute before you cleared the extended attributes. You can use

ls -l@ filename

to print the extended attributes for a file.

 

[Slix]

I believe this is where I downloaded Mavericks from a year or so ago for my older iMac 24". I've had no issues with it since setting it up.

 

[Faloude]

Feeding that SHA1 into google results in a number of hits in addition to the github entry you found, including this one. In the absence of anything official from Apple, you just have to cross your fingers.

I'm surprised I overlooked that someone posted the same checksum. However I don't understand why pkgutil --check-signature on Install OS X Mavericks.app file returns Status: package is invalid (checksum did not verify). So I'm assuming InstallESD.dmg is safe, but I'm still not sure about the installer package. Although I agree with the sentiment: since there is no official check, fingers crossed. I like to be a purist sometimes and I can't accept the fact that every single installer app I have from Sonoma down to OS X Lion signatures check out except for this one..

I believe this is where I downloaded Mavericks from a year or so ago for my older iMac 24". I've had no issues with it since setting it up.

There are many OS X Mavericks installers on archive.org!

 

[Faloude]

I had the crazy idea of installing mountain lion (10.8.5) on an old macbook and signing into the app store. Would that not give me access to OS X Mavericks 10.9.5?

 

[Grumpus]

I had the crazy idea of installing mountain lion (10.8.5) on an old macbook and signing into the app store. Would that not give me access to OS X Mavericks 10.9.5?

To the best of my knowledge, the answer is no unless you've 'purchased' Mavericks from the app store in the past. Also, I don't think you can count on the app store working in Mountain Lion these days.

 

[f54da]

>package is invalid (checksum did not verify

Possibly due to expired signing cert? Try a codesign -dvv to manually inspect the cert? (Or use pacifist)

 

[Faloude]

@f54da thanks for the suggestion, but not much interesting I can find there. See the dump below. I have older installers (Mountain Lion and Lion) which do pass the signature check.

Executable=/Users/xxx/Desktop/Install OS X Mavericks.app/Contents/MacOS/Install OS X Mavericks
Identifier=com.apple.InstallAssistant.Mavericks
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=303 flags=0x200(kill) hashes=7+3 location=embedded
Signature size=4169
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=30
TeamIdentifier=APPLECOMPUTER
Sealed Resources version=2 rules=12 files=948
Internal requirements count=1 size=124

 

[f54da]

That signature chain looks fine to me, and at least should confirm that it from a legitimate app store download.


It's not obvious why pkgutil is rejecting it though, what about doing `codesign --verify --verbose`?
Also note that it's possible the older installers downloaded directly from apple use a newer signing cert, whereas Mavericks is for some reason not available for download from apple anymore.

 

[Faloude]

Yes Mavericks is definitely the odd duck out there. I believe it's also the first one that wasn't released on physical media back in the day when OS X was available on CD's and DVD's.

Anyway, I think we're getting somewhere. codesign --verify --verbose throws this:

/Users/xxx/Desktop/Install OS X Mavericks.app: a sealed resource is missing or invalid
file added: /Users/xxx/Desktop/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg

 

[f54da]

I guess the signature on the app doesn't cover InstallESD.dmg... which is weird, but without a reference from an actual MAS download it's hard to say if this is unexpected or not.

I suppose if you are very paranoid you could try mounting InstallESD and then verifying signature for the packages contained within it.

 

[f54da]

You could also check md5 of the installesd.dmg against https://gist.github.com/rmoriz/20cd93b8d657ea86c10e937dfef42550

 

[Faloude]

My SHA1 checksum nor MD5 of InstallESD.dmg checks out with the ones listed in the gist you just shared.

I guess the signature on the app doesn't cover InstallESD.dmg...

Is that why it's saying "file added: ....InstallESD.dmg? Because that's strange.

Anyway I almost reached the point of throwing in the towel and simply ignoring it but then..

you could try mounting InstallESD and then verifying signature for the packages contained within it.

So the packages inside are actually not signed at all! Things like OSInstall.pkg and Essentials.pkg etc. I went over to another installer (High Sierra, installer app signature verified) and opened InstallESD.dmg and checked the packages there and those are signed just fine.

I've actually become more paranoid about this, rather than less

 

[f54da]

Hmmm... that's surprising. Anyone with a proper version downloaded from MAS (or have it downloadable & with free space to spare) want to download and see if the official version exhibits the same issue?


Have you tried other downloads of mavericks available on IA? E.g. https://archive.org/details/os-x-mavericks which claims to be original 10.9 (not 10.9.5) or https://archive.org/details/install-mac-os-x-10.9.0-mavericks (which claims to be 10.9.5 from MAS).

 

[f54da]

Also I have this link bookmarked: https://archive.org/details/Mac_OS_X_10_9_5 - I don't remember if I ever tried it, but I think I earmarked it because it seemed more trustworthy/claimed to be completely untouched.

 

[Faloude]

Alright so it's nice to have someone to go down this rabbit hole with.

Regarding the links, the first one claiming to be 10.9 doesn't check my box because I really want 10.9.5 and preferably as a full installer.app, but just for sake of trying I might check it later. The 2nd link I have already downloaded and tried it before. It's still sitting on my drive. It comes as a .dmg which has a sha1 checksum c6f20a08f0986a223b8db17fa000d6a324a8c4e2, not listed anywhere. The small ~20mb "Install OS X Mavericks.app" inside it does respond well to pkgutil --check-signature and returns Status: signed by untrusted certificate. I somewhat trust this but it's not perfect.

Now the third link you sent is quite interesting. I'm downloading it now and will report back.
Edit: 2 peers, no seeders. Yikes, let's see how this goes.

 

[Faloude]

Anyone with a proper version downloaded from MAS (or have it downloadable & with free space to spare) want to download and see if the official version exhibits the same issue?

You're really asking the golden question with this one by the way. It's really hard to get this file.. I've been at this for almost a week now.

 

[f54da]

>Edit: 2 peers, no seeders. Yikes, let's see how this goes.
You can download over http from IA servers, torrent is probably not going to help here. I recall that torrent files from IA include a web mirror though, so on a supported client (like transmission) it should be downloading over http anyway if it can't get any peers.

 

[f54da]

>It comes as a .dmg which has a sha1 checksum c6f20a08f0986a223b8db17fa000d6a324a8c4e2, not listed anywhere.
Fwiw unless the DMG file is explicitly read-only, even just opening a DMG file once will alter its checksum.

 

[f54da]

@Faloude so just for you, I dug through my hard drives which I remember having a bootable disk of 10.9.5 installer on.

I can confirm that at least in the copy I had, I saw the same where packages inside InstallESD had no signature, and the signature for install osx.app did not extend to installesd (sidenote: the format of OSX bootable install media is really clever. It took me a few minutes to understand what was going on, since in the root volume you don't have any /System partition, just the installer.app and yet the installer.app depends on cocoa libs so it seems at first glance like there's a chicken/egg issue. In fact the kernel supports an obscure flag to tell it to mount and pivot a given dmg as the root (chroot like) and this is what the osx bootable install media does, it actually mounts and uses the core system libs from InstallESD.)

However I cannot say for certain the provenance of how I created that bootable installer. I do have osx mavericks in my purchase history, and I can see from my downloads folder that I downloaded DiskMakerX at the same time the installer.app was dumped in /Applications. So with 80-90% probability I assume I downloaded the official MAS copy and then made a bootable installer (esp. since I don't see any other evidence of differing provenance like torrent files or whatnot).

(But I cannot guarantee the provenance since I did this back in 2016 and I don't remember exactly what I did...)

 

[Faloude]

@f54da very interesting stuff and in fact I think we now have 3 cases with results. I finished downloading Install OS X Mavericks.app from your third link and the properties seem to match the ones I had before and the one dusting in your old hard drive.

• pkgutil --check-signature on large installer app returns Status: package is invalid (checksum did not verify)
• shasum on InstallESD.dmg returns 73cdd9440fe5efa79763f5461ec4ad9a59cdd1df same as the one I had before (this checksum is seen on github page in my opening post but not on yours)
• pkgutil --check-signature on packages inside InstallESD.dmg return Status: no signature

If I may stretch your generosity in time and energy more, can I ask you to get and share the SHA1 of InstallESD.dmg? So simply shasum Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg.

 

[f54da]

Yes, I will do it this weekend since I'm a bit busy rest of the week.

I wonder if this actually finally solves a mystery of why Apple never posted a download for 10.9 like they did with 10.8 and 10.7 on https://support.apple.com/en-us/102662.

Could it be that they somehow messed up on creating the install media for 10.9, where they did not properly sign the InstallESD? And then perhaps in an apple way they decided that distributing an unsigned app might be too dangerous, so they decided against posting it...

 

[Faloude]

I love how this turned into a conspiracy theory. It's odd indeed that you can get both newer and older OS X releases directly from Apple but not Mavericks. I dove into the wikipedia page for OS X Mavericks to find anything special about it and it appears to be the first free upgrade since Puma. Furthermore, not stated on Wikipedia but as far as I know, it was also the first OS X to be released solely through digital channels (so no DVD version). Perhaps it was indeed mishap as it was a first child in a new approach. Interesting..

 

[startergo]

I can add to the confusion that Mavericks (and other legacy installers) downloaded from the Appstore from legacy systems (as you can't redownload them from newer macOS's) does not contain a valid InstallESD.dmg. I have elaborated here:

App Store links and mas-cli Id's for macOS Installers from Lion to Ventura

Yes best of all one should avoid the regular createinstallmedia on older macOS's due to various issues. Instead use the method below. This was in response to the error when reinstalling macOS Sierra from internet recovery: osishelperd[547]: mountDiskImageWithPath: /Volumes/Untitled/macOS...

forums.macrumors.com

 

[startergo]

So to check the signature of such an installer the above conversion needs to take place first. After the conversion I get:

sudo codesign --verify --verbose /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg
Password:
/Applications/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg: code object is not signed at all
shasum /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg

59124140b092e5a2c99f1484100bf8d404408681  /Applications/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg