How to obtain a secure copy of macOS?
I need to install macOS on a VM. I don't want to download a macOS from torrent or hackintosh websites. Is there a way I can verify a macOS image's signature so I know it came from apple?
Solution 1:
The only reliable (and legal) source of macOS is the Mac App Store.
There are python scripts to download from Apple as well. Apple code signs the installers, so you are taking on risk to re-implement or bypass those checks.
Solution 2:
Apple distributes macOS as an installer app, so there is no such thing as a "macOS image". More specifically, you can certainly create an ISO image out of the installer app, but there is no official checksum to verify.
The installer app, which is itself a so-called bundle (a directory with a specific extension and structure) and not an executable, is only available from the Mac App Store or via Software Update (for example, this is the Mac App Store link for macOS 10.15 "Catalina", see this KB article for more information), which only run on a Mac.
Although this may seem a limitation, it is not: Apple explicitely states that macOS must run on Apple hardware, even when virtualized (see section 2.B.iii of the Software License Agreement for macOS Catalina. Similar restrictions apply to other versions of macOS).
So if you don't want to download macOS from a dubious source, you will need access to a supported Mac.
Solution 3:
Apple has a support page on how to get valid installer boot media directly from them: https://support.apple.com/en-us/HT201372
El Capitan (version 10.11) was the last version to come as a DVD image for burning to an install disk, Apple has a support page on finding that file: https://support.apple.com/en-us/HT206886