Validate signature on Apple updates

Solution 1:

You can verify the signature of the package:

Mount the dmg file (assuming it's downloaded to your Downloads folder):

hdiutil attach ~/Downloads/macosupdcombo10.12.5.dmg

Verify the pkg:

pkgutil --check-signature /Volumes/macOS\ Sierra\ Update/macOSUpdCombo10.12.5.pkg 

which should yield the following result:

Package "macOSUpdCombo10.12.5.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

Compare the SHA1 fingerprint of the Apple Software Update Certification Authority with one of the two valid Apple fingerprints:

SHA1 FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
SHA1 9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2
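The manual comparison in this answer can be scripted. The following POSIX shell script is an added example, not part of the original answer: it runs `pkgutil --check-signature` (macOS only, in `verify_pkg`), parses the report, and fails unless the status is "signed Apple Software" and the fingerprint of the "Apple Software Update Certification Authority" is one of the two values listed above. The allow-list is copied from the answer; `SAMPLE_GOOD` is a copy of the report quoted above and `SAMPLE_BAD` is a constructed report with a fabricated all-zero CA fingerprint, so the parsing and comparison can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not from the original answer): check a pkgutil
# --check-signature report the way the answer does by hand. Parsing and
# comparison run anywhere; only verify_pkg() needs macOS.

# Known-good SHA1 fingerprints of "Apple Software Update Certification
# Authority", copied from the answer above. Rotate entries here if Apple
# issues a new intermediate; never loosen the match to "any Apple CA".
KNOWN_CA_FINGERPRINTS='FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
9C 86 47 71 48 B3 D7 04 24 7A 3C 3F 56 EA 2D E5 94 4B 01 C2'

# Print the SHA1 fingerprint that directly follows the intermediate CA line
# in a pkgutil report read from stdin (prints nothing if that CA is absent).
extract_ca_fingerprint() {
    awk '
        /Apple Software Update Certification Authority/ { want = 1; next }
        want && /SHA1 fingerprint:/ {
            sub(/.*SHA1 fingerprint: */, "")   # keep only the hex bytes
            sub(/ *$/, "")                     # drop trailing blanks
            print
            exit
        }'
}

# Read a pkgutil report from stdin; exit 0 only when the package is reported
# as signed Apple software AND the intermediate CA fingerprint is on the
# allow-list. Anything else (unsigned, Developer ID, unknown CA) fails.
check_signature_report() {
    report=$(cat)
    printf '%s\n' "$report" | grep -q 'Status: signed Apple Software' || return 1
    fp=$(printf '%s\n' "$report" | extract_ca_fingerprint)
    [ -n "$fp" ] || return 1
    printf '%s\n' "$KNOWN_CA_FINGERPRINTS" | grep -qxF -- "$fp"
}

# macOS only: run the real check on a .pkg (after `hdiutil attach` on the .dmg).
verify_pkg() {
    pkgutil --check-signature "$1" | check_signature_report
}

# Constructed sample reports for offline testing. SAMPLE_GOOD reproduces the
# output quoted in the answer; SAMPLE_BAD is the same report with a fabricated
# CA fingerprint, standing in for a chain that is not on the allow-list.
SAMPLE_GOOD='Package "macOSUpdCombo10.12.5.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

SAMPLE_BAD='Package "macOSUpdCombo10.12.5.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

# Usage: ./verify_update.sh "/Volumes/macOS Sierra Update/macOSUpdCombo10.12.5.pkg"
if [ "$#" -gt 0 ]; then
    if verify_pkg "$1"; then
        echo "OK: $1 is signed Apple software with a known Software Update CA"
    else
        echo "FAIL: $1 did not pass the signature check" >&2
        exit 1
    fi
fi
```

The check deliberately pins the intermediate CA rather than only the leaf "Software Update" certificate, which is what the answer compares as well: leaf certificates are replaced more often, while the two intermediate fingerprints are the stable values to keep in the allow-list.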