How can I open a .pkg file manually?
Some applications come in .pkg files, and ask for your administrator password, even if all they do is copy the binary to /Applications.
I like to have my applications in ~/Applications, and I do not like to give administrative permissions to anything that is not from the mothership.
Is there a way that I can manually open the .pkg file and pull out the application? There is PackageMaker in the Developer Tools, but that does not seem to do it (it did produce some output that makes me think that there really are no scripts or other pieces in the installer, just the application).
If you right-click it and click Show Package Contents, you'll get a few files in a Contents folder. (Note: if you do not see Show Package Contents you will need to open Terminal.app and run pkgutil --expand mystubbornpackage.pkg path/to/expand)
One is a BOM file (bill of materials) which gets turned into a receipt that you can use to uninstall the app. This file contains a manifest of everything the package will install and where to; to read this file, use the lsbom command.
Most packages (I'm using Office 2008 here) also have an Archive.pax.gz file; this contains everything that Installer will move into the various folders as instructed in the BOM file. Most apps seem to have the .app in this archive, although dragging that to /Applications might leave it without frameworks it needs to run, so you'll have to figure out which other files it needs and where it needs them to get it to work.
Additionally, all packages can log messages; if you hit Cmd-L (or choose the Installer Log option from the Window menu), you can view them as they're generated. This might give you an idea what extra things it's installing; at the very least it's some more information if you're untrusting of the package.
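The inspection steps from the answer above, gathered into shell functions (an added example, not part of the original answer). The function names are hypothetical, the script-name list is an assumption based on the conventional Installer script names, and expand_pkg, show_manifest and extract_pax need the macOS pkgutil, lsbom and pax tools.

```shell
#!/bin/sh
# Added example: look inside a package before letting Installer run it.
# Usage (on macOS):  expand_pkg Some.pkg /tmp/expanded && audit_expanded /tmp/expanded

# Expand a flat package into a NEW directory (pkgutil refuses an existing one).
expand_pkg() { pkgutil --expand "$1" "$2"; }

# Print the bill of materials: every path the package would install.
show_manifest() { lsbom "$1"; }

# Unpack a bundle-style payload (Archive.pax.gz) into DEST without installing.
extract_pax() {
    mkdir -p "$2" && gzip -dc "$1" | (cd "$2" && pax -r)
}

# Assumption: the conventional names of scripts Installer executes.
SCRIPT_NAMES='preflight postflight preinstall postinstall preupgrade postupgrade InstallationCheck VolumeCheck'

# Report what an expanded package (or a .pkg bundle directory) contains:
#   "script <path>"  code that runs during installation
#   "payload <path>" the archive of files to be copied
#   "bom <path>"     the bill of materials
audit_expanded() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for name in $SCRIPT_NAMES; do
        find "$dir" -type f -name "$name" | sed 's/^/script /'
    done
    find "$dir" -type f \( -name 'Archive.pax.gz' -o -name 'Payload' \) | sed 's/^/payload /'
    find "$dir" -type f \( -name 'Archive.bom' -o -name 'Bom' \) | sed 's/^/bom /'
}

# Exit 0 only when no installer scripts were found, i.e. the package
# appears to do nothing beyond copying its payload into place.
has_no_scripts() {
    _found=$(audit_expanded "$1") || return 2
    ! printf '%s\n' "$_found" | grep -q '^script '
}
```

If has_no_scripts succeeds, compare the show_manifest listing with the extracted payload to see which files besides the .app the package would have placed.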
In addition to what Matthew Hall said, you can also hit Cmd-I in the Installer app to see what files the installer will install and where.
If you don't trust the installer enough to give administrative permissions to install, then why do you trust the binary in /Applications?
Pacifist will let you look in package files. This doesn't necessarily just let you "pull out the binary".