Validate signature on Apple updates
Solution 1:
You can verify the signature of the package:
Mount the dmg file (assuming it's downloaded to your Downloads folder):
hdiutil attach ~/Downloads/macosupdcombo10.12.5.dmg
Verify the pkg:
pkgutil --check-signature /Volumes/macOS\ Sierra\ Update/macOSUpdCombo10.12.5.pkg
which should yield the following result:
Package "macOSUpdCombo10.12.5.pkg":
Status: signed Apple Software
Certificate Chain:
1. Software Update
SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
-----------------------------------------------------------------------------
2. Apple Software Update Certification Authority
SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
Compare the SHA1 fingerprint of the Apple Software Update Certification Authority with one of the two valid Apple fingerprints:
SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2