search

notpeter / apple-installer-checksums

Checksums of Mac OSX installer DMGs
846 stars 107 forks source link

macOS Monterey checksum differs (12.1, 21C52) #145

Closed mattkoehne closed 2 years ago

mattkoehne commented 2 years ago

Hi!

Why my SHA1 checksum of SharedSupport.dmg differs?

I extracted the pkg-file with pkgutil on macOS Catalina and with 7z on Linux. Same results.

Thanks!

markmentovai commented 2 years ago

Hi!

Why my SHA1 checksum of SharedSupport.dmg differs?

  • my sha1 checksum of SharedSupport.dmg: 32466290087a23da7d1e08042e49ce55a3b50e5d

This is the SHA1 hash of the SharedSupport.dmg that’s inside SharedSupport.dmg, but that is not the SharedSupport.dmg that appears at “Install macOS Monterey.app/Contents/SharedSupport” once InstallAssistant.pkg is installed. The SharedSupport.dmg inside InstallAssistant.pkg never actually appears anywhere, except when InstallAssistant.pkg is extracted manually, and is the basis for the SharedSupport.dmg that actually matters, but is incomplete. The SharedSupport.dmg that actually appears when InstallAssistant.pkg is installed, and the one whose hash we record, is actually a copy of (or hard link to) InstallAssistant.pkg. InstallAssistant.pkg is a polyglot file, simultaneously both a .pkg and a .dmg. (There’s a little bit of cute file format trickery happening here.)

If you’re poking the .pkg manually, you can see how this works by looking at postinstall_actions/link_shared_support.bash from within the (extracted) Scripts.

  • my sha256 checksum of InstallAssistant.pkg: 8a14293807d4868c5ce945291df8755e336bc411da28200b2e071ba95e203f0b

This is correct, and matches what we have recorded. However, to keep the table manageable, we don’t currently display the SHA-256. It’s safely tucked away in a comment, though. See https://raw.githubusercontent.com/notpeter/apple-installer-checksums/master/readme.md. This is enough to satisfy that we do not actually have a hash mismatch.

  • my source of InstallAssistant.pkg: http://swcdn.apple.com/content/downloads/06/34/002-42435-A_MA7OBDUK86/6xzypeod1xebasc92qkw2iv44e1j9pv09f/InstallAssistant.pkg (Link from Mr. Macintosh)

I extracted the pkg-file with pkgutil on macOS Catalina and with 7z on Linux. Same results.

That’s the problem, you extracted the .pkg but didn’t install it.

mattkoehne commented 2 years ago

Thank you so much for your great explanation! :)

I wasn't aware of this. Now, I can confirm the checksum, too. The SHA1 checksum of my InstallAssistant.pkg (== SharedSupport.dmg) is 94cdcf9e007ebf297f3a3369b4d38ad49ccce2e6.

Also thanks for the hint to view the README file in raw mode. 👍