Closed ElyseGiroux closed 1 year ago
If you have the .PKG file open and can navigate to it in Terminal. You can run this command pkgutil --check-signature Snap\ Camera\ 1.21.0.pkg
If the package name is the same as mine. But the MD5 is 82dca7f1b14e32ff81d382347074947f for the 1.21.0, and make sure it's the pkg file you're checking and not a zip.
jaku@Little-Mac % pkgutil --check-signature Snap\ Camera\ 1.21.0.pkg
Package "Snap Camera 1.21.0.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2022-12-20 22:47:34 +0000
Certificate Chain:
1. Developer ID Installer: Snap, Inc. (424M5254LK)
Expires: 2023-10-25 18:38:24 +0000
SHA256 Fingerprint:
DF F9 5C 8E 6F DB 3B B9 7D 02 9F B9 14 D7 C4 2E 67 91 18 73 A7 7A
B3 2E 2A 1A A2 5E B4 DD CE E3
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
I deleted a comment about not using MD5 for file validation.
I get it, MD5 and SHA1 is "broken" when trying to verify files. There really isn't any risk here with using MD5. Show me a MAC PKG file that is signed that matches the given MD5 and isn't signed by Snap Inc and I'll admit I was wrong.
The fact is these files are signed and you can't modify the file after they are signed to try and get a matching MD5. No attacker is going to spend that much effort nor is it even slightly possible before the heat death of the universe.
It worked! Thank you very much, I was able to find a pkg with the proper signature
Do you have the proper hash for the pkg file for mac?
Thank you