Certificate expiration breaks older OS X installers

InstallElCapitanReplacement developer certificates Apple issued to fix security issues have caused signed packages created using the older replaced certificates to no longer be verifiable. This results in OS X assuming corruption in these files, and will not process them by default. One unfortunate side-effect of this is that older installers you may have collected for past versions of OS X will likely have been signed using older certificates, and may no longer install.

The solution to this is to simply re-download newer versions of current OS X installers from the App Store; however, many versions of OS X that people still use in virtual machines or on older Mac hardware may not be available, or may not have been re-issued with the proper certificates.

If you are in this situation, there is a workaround available that will allow you to proceed with the installation. The replaced certificates expired on February 14th, 2016, which means that by setting your Mac’s date to to a value prior to this, you should be able to proceed with the installation. Since Apple does not provide any “Date & Time” system preferences with OS X installers, you will have to change the date manually using the Terminal:

  1. Click “Cancel” on any current installation warnings
  2. At the OS X tools window, choose Terminal from the Utilities menu
  3. Enter the following command:
    date 0101010116
  4. Quit the Terminal and resume installing OS X

The “date” command here will set the date to January 1st, 2016, 1:01am. To use a different date, the values are in ordered pairs, where the first two represent month, followed by day, hour, minute, and finally year.

After the installation finishes, OS X will use time servers to automatically adjust the time, or you can again manually adjust the time in the Date & Time system preferences.

Finally, this issue may largely affect those who deploy many older systems for organizations and businesses. Therefore, be sure you create an updated set of system images for restoration purposes, in order to avoid having to use this workaround with the OS X installer. You can do so a number of different ways; however, the most vanilla approach is to wipe a system and install OS X freshly on it, followed by creating a clone of it to an external hard drive. You can also put the system into Target Disk mode, and then use Apple’s system imaging utility or Disk Utility on another Mac to create a restorable or bootable image of the system.

5 thoughts on “Certificate expiration breaks older OS X installers

  1. B. Jefferson Le Blanc

    I’ve run into this problem occasionally with older Apple softwar installers and updates and there is usually an option to install anyway without the certificate. This may not be the case with a system install, as Topher notes, so his solution would be useful in these instances. I’ll save this article in case I run into the problem at some point.

  2. Jay

    If those installers were used to create AutoDMG images, netboot, netinstall or netrestore images, those will remain valid. I create AutoDMG images of all the latest installers for quick restores, it includes all updates and additional installer packages you want to include. It’s a good way to archive older systems and avoids messes like these down the road.

  3. Jonas Smithson

    Why is it necessary to use Terminal to set back the date? The ordinary Date & Time Preferences seems to have a calendar you can set back, although I haven’t actually tried to use it.

Comments are closed.