Pkg Installer Expired Certificate

Hello

We have a pkg installer whose signing certificate is expiring next month. It has a trusted timestamp on it.

As per https://developer.apple.com/support/certificates/ it states


Developer ID Installer Certificate (Mac applications)

If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.

Wanted to check on behavior for new installations post expiration date. Since the installer has a trusted timestamp, we would not need to release a new installer with a new cert?

Any guidance here would be much appreciated.

Answered by DTS Engineer in 878472022

That page seems pretty clear to me:

If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp.

However, I encourage you to test this for yourself:

  1. Make sure your package has a notarisation ticket stapled to it.
  2. Set up a VM.
  3. Download your package to it in a way that sets quarantine.
  4. Disable networking on the VM. (This is why stapling the ticket is important.)
  5. Use System Settings to change the time to well after your package’s expiry date.
  6. Try installing it.

I expect it to work, but I’d love to hear your experience either way.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
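
A pre-flight check to run before the VM test above, as an added example that is not part of the original thread or Apple's tooling: it reads the output of `pkgutil --check-signature` and confirms the package carries a trusted timestamp dated before the signing certificate's expiry. The function name and both sample outputs are constructed, and the output layout is assumed to match what recent macOS versions print.

```shell
#!/bin/sh
# Pre-flight check for the VM test: does the package carry a trusted
# timestamp that predates the expiry of its signing certificate?
# On a Mac: pkgutil --check-signature Example.pkg | check_pkg_timestamp
# Step 1 (stapled ticket) is checked separately: xcrun stapler validate Example.pkg

check_pkg_timestamp() {
    awk '
        { sub(/[ \t\r]+$/, "") }                     # drop trailing whitespace
        /Signed with a trusted timestamp on:/ {
            sub(/^.*timestamp on:[ \t]*/, ""); ts = $0
        }
        /Notarization: trusted by the Apple notary service/ { notarized = 1 }
        # The first "Expires:" line belongs to the leaf (signing) certificate.
        /Expires:/ && leaf == "" {
            sub(/^.*Expires:[ \t]*/, ""); leaf = $0
        }
        END {
            if (ts == "")   { print "FAIL no-trusted-timestamp"; exit 1 }
            if (leaf == "") { print "FAIL no-certificate-expiry"; exit 1 }
            # Both dates print as "YYYY-MM-DD HH:MM:SS +0000", so comparing
            # them as strings orders them chronologically.
            if ((ts "") >= (leaf "")) { print "FAIL timestamp-after-expiry"; exit 1 }
            printf "OK timestamp=%s leaf-expires=%s notarized=%s\n", ts, leaf, (notarized ? "yes" : "no")
        }
    '
}

# Constructed sample output (not taken from a real package).
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2024-03-01 10:15:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       Expires: 2025-06-30 23:59:59 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000'

# Constructed sample of a package signed without a trusted timestamp.
SAMPLE_NO_TS='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (TEAMID0000)
       Expires: 2025-06-30 23:59:59 +0000'

printf '%s\n' "$SAMPLE_SIGNED" | check_pkg_timestamp || true
printf '%s\n' "$SAMPLE_NO_TS"  | check_pkg_timestamp || true
```

A package that fails this check has no trusted timestamp to fall back on, so it needs re-signing before the certificate expires rather than a VM test.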

I ran the test by following the steps mentioned & was able to install the application.

Thanks for the confirmation!
