
f54da

macrumors 6502
Dec 22, 2021
475
170
@startergo Ah createinstallmedia works on the assumption that the installesd can be mounted (as a proper dmg), since it relies on that to effectively create a chroot base volume for system libs which it uses to launch the actual installer as I remarked in https://forums.macrumors.com/threads/os-x-mavericks-10-9-5-file-integrity.2427955/post-33179251

So it would make sense that if, after re-downloading Mavericks (probably after Apple repacked things to update certificates), you get a bundle with InstallESD not actually in UDZO format, then when you try to do createinstallmedia and boot from it the kernel won't actually be able to mount it properly.
 

f54da

macrumors 6502
Dec 22, 2021
475
170
Yeah bingo
>attempt to attach this image without a helper process; fail if unsupported. Only UDRW, UDRO, UDZO, ULFO, and UDSP images are supported in-kernel.

Kernel boot flag is precisely what the installer created using createinstallmedia & the recovery use.

Also note that I think this issue only affects recent downloads of Mavericks from MAS. Createinstallmedia evidently used to work fine back when 10.9 was released, and likely up until 2016. And all of those had a missing signature for the InstallESD as well. So I think it's actually yet another symptom of how the 10.9 installer is cursed, rather than a root cause.
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
Correct. The DMG itself is not signed as it is inside a XAR wrap. I will check the original APP.

> Createinstallmedia evidently used to work fine back when 10.9 was released, and likely up until 2016

Correct. I don't know when Apple started repackaging like this.
 

f54da

macrumors 6502
Dec 22, 2021
475
170
> The DMG itself is not signed as it is inside a XAR wrap.

What about the packages inside the DMG?

> I will check the original APP.

Try a `codesign --verify --verbose`? We saw at least on the ones downloaded from IA that "a sealed resource is missing or invalid" was returned, with the dmg not part of the signed resources
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
Unfortunately I can't re-download Mavericks. It says installed (from within Mavericks):
1717524900891.png
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
Actually I realized I keep an untouched copy of Mavericks for reference.
Code:
pkgutil --check-signature /Applications/Install\ OS\ X\ Mavericks.app
Package "Install OS X Mavericks":
   Status: package is invalid (checksum did not verify)
shasum /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg
02210b3ffe8d1e7007f9a25d9f85165333d4cb05  /Applications/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg
file /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg
/Applications/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg: xar archive compressed TOC: 11017, SHA-1 checksum
sudo codesign --verify --verbose /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg
Password:
/Applications/Install OS X Mavericks.app/Contents/SharedSupport/InstallESD.dmg: code object is not signed at all
Code:
codesign -dv --verbose=4 /Applications/Install\ OS\ X\ Mavericks.app
Executable=/Applications/Install OS X Mavericks.app/Contents/MacOS/Install OS X Mavericks
Identifier=com.apple.InstallAssistant.Mavericks
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=303 flags=0x200(kill) hashes=7+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
CandidateCDHashFull sha1=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
Hash choices=sha1
CMSDigest=32a7926f598b4e52c7b68f0c7e0719afc9f7d6c9b2fceadb8398a44507d10ed5
CMSDigestType=2
Page size=4096
CDHash=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
Signature size=4169
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=30
TeamIdentifier=APPLECOMPUTER
Sealed Resources version=2 rules=12 files=948
Internal requirements count=1 size=124
 

f54da

macrumors 6502
Dec 22, 2021
475
170
Thanks, that seems to match what we found where "InstallESD.dmg" is unsigned and the signature over the app bundle does not extend to InstallESD, which is really odd since it seems to mean that one could distribute a malicious version of "install osx mavericks.app" that e.g. replaced binaries in InstallESD with their own (e.g. hypothetically replace sudo with a backdoor version).

Moreover the individual mpkg installers in InstallESD.dmg also don't seem to be signed in any way. So I wonder what (if any) verification apple actually has here. Supposedly under the right conditions you get the error "This copy of the Install Mac OS X can't be verified. It may have been corrupted or tampered with during download" which seems to imply some sort of verification, but if InstallESD is unsigned then basically everything in it can be tampered in a way to defeat checks.
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
> Supposedly under the right conditions you get the error "This copy of the Install Mac OS X can't be verified. It may have been corrupted or tampered with during download"

That is the actual message you will get even after repacking the InstallESD.dmg. From recovery you can continue installation with:
Code:
installer -pkg /Volumes/Mac\ OS\ X\ Install\ DVD/Packages/OSInstall.mpkg -target /Volumes/Macintosh\ HD
 

Faloude

macrumors regular
Original poster
Oct 6, 2018
102
17
@startergo which version of mavericks do you have there? I ask because I want to compare your SHA1 checksum against mine. I have 10.9.5 (latest) and the checksum is 73cdd9440fe5efa79763f5461ec4ad9a59cdd1df on InstallESD.dmg and I noticed yours is different.
 

Faloude

macrumors regular
Original poster
Oct 6, 2018
102
17
> Thanks, that seems to match what we found where "InstallESD.dmg" is unsigned and the signature over the app bundle does not extend to InstallESD, which is really odd since it seems to mean that one could distribute a malicious version of "install osx mavericks.app" that e.g. replaced binaries in InstallESD with their own (e.g. hypothetically replace sudo with a backdoor version).

This is what is bothering me. And of course, the only OS X release that isn't signed properly is the one you can't download directly from Apple but only through dodgy uploaders.
 

f54da

macrumors 6502
Dec 22, 2021
475
170
Note that the checksum startergo shared after removing the xar wrapper on the dmg, 59124140B092E5A2C99F1484100BF8D404408681, matches what someone on https://discussions.apple.com/thread/7589598?sortBy=best posted in Jun 2016. Btw that poster also noticed the same thing: "The Mavericks installer doesn't show verification, I was looking at Yosemite. So I'm back to needing md5 and sha1 checksums post-cert-change."

The author of that apple discussion thread indicated that he downloaded but saw a sha1 of 73cdd9440fe5efa79763f5461ec4ad9a59cdd1df which matches the usual checksum you see on lists.

The checksum of 02210b3ffe8d1e7007f9a25d9f85165333d4cb05 startergo shared most recently is the checksum of the xar-wrapped InstallESD, which is apparently something Apple started doing past 2016. Based on the dates this apparently does not coincide with the certificate updates.

I will dig up my copy of install osx mavericks.app again this weekend (which I had apparently downloaded from somewhere [probably MAS?] in Nov 2016) and post the sha.
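The difference between a raw InstallESD.dmg and the XAR-wrapped one discussed in the posts above can be checked from the file's own bytes. This is an added example, not part of the original thread: `classify_image` and `constructed_samples` are hypothetical names, and the sample data is constructed (only the compressed TOC length 11017 is taken from the `file` output posted earlier).

```python
import hashlib
import io
import struct

XAR_CKSUM = {0: "none", 1: "SHA-1", 2: "MD5"}  # cksum_alg values in the XAR header


def classify_image(f):
    """Hash a seekable binary stream and report whether it is XAR or raw UDIF."""
    sha1 = hashlib.sha1()
    f.seek(0)
    for chunk in iter(lambda: f.read(1 << 20), b""):  # stream: images are multi-GB
        sha1.update(chunk)
    size = f.tell()
    f.seek(0)
    head = f.read(28)
    f.seek(max(size - 512, 0))
    tail = f.read(4)
    info = {"sha1": sha1.hexdigest(), "size": size, "format": "unknown"}
    # Check the head first: a XAR wrapper decides how the file must be handled,
    # whatever bytes happen to sit at its end.
    if len(head) == 28 and head[:4] == b"xar!":
        # Big-endian: magic, header size, version, TOC length compressed,
        # TOC length uncompressed, checksum algorithm.
        _, hdr, ver, toc_c, toc_u, alg = struct.unpack(">4sHHQQI", head)
        info.update(format="xar", header_size=hdr, version=ver,
                    toc_compressed=toc_c, toc_uncompressed=toc_u,
                    toc_checksum=XAR_CKSUM.get(alg, "other(%d)" % alg))
    elif size >= 512 and tail == b"koly":
        # A UDIF disk image ends with a 512-byte trailer that starts with "koly".
        info["format"] = "udif"
    return info


def constructed_samples():
    """Build two tiny stand-ins (constructed, not real installer data)."""
    raw_dmg = b"\x00" * 1024 + b"koly" + b"\x00" * 508
    xar_head = struct.pack(">4sHHQQI", b"xar!", 28, 1, 11017, 40000, 1)
    wrapped = xar_head + b"\x00" * 11017 + raw_dmg  # header + fake TOC + payload
    return io.BytesIO(raw_dmg), io.BytesIO(wrapped)


if __name__ == "__main__":
    for name, stream in zip(("raw", "wrapped"), constructed_samples()):
        print(name, classify_image(stream))
```

For a real installer, pass `open(path, "rb")`; the two formats give different file SHA-1 values even when the wrapped payload is byte-identical, so compare hashes only between files of the same format.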
 

f54da

macrumors 6502
Dec 22, 2021
475
170
Also interesting https://github.com/notpeter/apple-installer-checksums/pull/112


Apparently there is also another claimed official sha1 checksum (ba6e...)

>perhaps it is indeed a legitimate older version from before Apple changed something around 2017.

>Note that while the file checksums are different, the container checksums (hdiutil checksum -type SHA1 InstallESD.dmg) are the same for both images: 03BACFDB04046EF058D89F8D3A064924436FB659. It seems there was only a change in the metadata or signature of the file.
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
> @startergo which version of mavericks do you have there? I ask because I want to compare your SHA1 checksum against mine. I have 10.9.5 (latest) and the checksum is 73cdd9440fe5efa79763f5461ec4ad9a59cdd1df on InstallESD.dmg and I noticed yours is different.

When installed it says:
Code:
System Software Overview:

  System Version:    OS X 10.9.5 (13F34)
  Kernel Version:    Darwin 13.4.0
  Boot Volume:    Macintosh HD
  Boot Mode:    Normal
  Computer Name:    mavericksp’s Mac
  User Name:    mavericksp (mavericksp)
  Secure Virtual Memory:    Enabled
  Time since boot:    29 seconds
In the plist it says 13F32
1717535773700.png
 

f54da

macrumors 6502
Dec 22, 2021
475
170
The buildmachineosbuild is the machine that the installer app itself was built on. 13F32 is likely some internal Apple build. I saw the same thing on my version.

The build version of anything downloaded post 2016 should be 13F34. So it's not clear why there are several different checksums for InstallESD even when downloaded from Apple. I think maybe, as that GH post mentions, "container checksums" vs file checksums might explain it?
 

startergo

macrumors 601
Sep 20, 2018
4,988
2,276
Even after unpacking the DMG I get:
Code:
codesign -dv --verbose=4 /Applications/Install\ OS\ X\ Mavericks.app                                             
Executable=/Applications/Install OS X Mavericks.app/Contents/MacOS/Install OS X Mavericks
Identifier=com.apple.InstallAssistant.Mavericks
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=303 flags=0x200(kill) hashes=7+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
CandidateCDHashFull sha1=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
Hash choices=sha1
CMSDigest=32a7926f598b4e52c7b68f0c7e0719afc9f7d6c9b2fceadb8398a44507d10ed5
CMSDigestType=2
Page size=4096
CDHash=cd59e2a7acca04c95d7e4b27488122dd11aa5b68
Signature size=4169
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=30
TeamIdentifier=APPLECOMPUTER
Sealed Resources version=2 rules=12 files=948
Internal requirements count=1 size=124
 

f54da

macrumors 6502
Dec 22, 2021
475
170
`codesign -dv --verbose=4` only shows the cert info though, the issue at hand is that the cert does not extend over all included resources (in particular InstallESD.dmg), so `codesign --verify --verbose` fails
 

Melbourne Park

macrumors 6502a
I have been trying to install Mountain Lion onto an old MacBook Pro, so I can import old Firewire tape based digitised videos.

But I cannot create a USB install disk.

I have downloaded Mountain Lion installer from Apple's website (I could not find any download listings for my MacPro 5,1 in the apple store) and I thought the command for installing was :
sudo /Applications/Install\ OS\ X\ Mountain\ Lion.app/Contents/Resources/createinstallmedia --volume /Volumes/MyUSBDriveName --applicationpath /Applications/Install\ OS\ X\ Mountain\ Lion.app --nointeraction

My problem is the command cannot find createinstallmedia. And when I look into the App folder, and I do a right click on the Mountain Lion install app, and open the resources folder in that app, there is no createinstallmedia utility. There are these two:
InstallAssistant.icns
InstallAssistantTool
But no createinstallmedia
Help!!!
 

Faloude

macrumors regular
Original poster
Oct 6, 2018
102
17
@Melbourne Park your post is completely unrelated to the topic but I'll answer it.

OS X Lion doesn't have that createinstallmedia you're referring to as far as I know. You have to right-click the OS X Lion installer app and go to /Contents/SharedSupport. There you will find InstallESD.dmg and that's your file of interest. You have to use Disk Utility to flash (restore) that dmg to a USB drive.

Here's a full tutorial: https://www.lifewire.com/create-bootable-flash-drive-os-x-lion-installer-2260350
 