
Previously Downloaded OS X Installers No Longer Work - ingve
http://tidbits.com/article/16302
======
filsmick
I was bitten by this this week. Tried to reuse my installer to install OS X El
Capitan on a MBP without redownloading it over my super-fast 2Mbps internet
connection.

First, I try to install it by just copying the installer app - "can't be
verified".

Then I make a bootable USB stick using DiskMaker X - "can't be verified". I
run an integrity check on the installer - all good.

I then try running `/path/to/Install\ OS\ X\ El\ Capitan.app/Contents/Resources/createinstallmedia --volume /Volumes/USB-STICK --applicationpath /path/to/Install\ OS\ X\ El\ Capitan.app --nointeraction` -
"can't be verified".

Finally I give up and the system is installed via the App Store. The download
fails once, it finally completes, and I am left clueless as to why I couldn't
reuse the old installer.

An "expired certificate" error message would have saved me many hours. It's
unfortunate for the user that Apple puts so little emphasis on letting them be
their own tech support.

~~~
mikeash
Apple is just awful about providing meaningful, useful errors. The worst is
AirPlay. When it fails to connect, which is about 33% of the time, there's
nothing. It doesn't even pop up a generic alert, it just silently (or not so
silently, if you're playing music) reverts to local playback.

Many other examples abound. Most errors at least provide a message, but one so
generic as to be useless.

~~~
x0x0
or TimeMachine

"sparsebundle already in use" is the FOAD of error messages. I do love how the
(now stale) tools to fix this are maintained by a volunteer on an external
site unrelated to Apple.

I try not to be too grumpy about it, but I paid $3k for a laptop _not_ to have
to fucking deal with windows-style normal operation of the OS and related
tools is busted and you're gonna sink hours into debugging it. At least when
Linux breaks it tends to leave error messages and details in syslog...

~~~
13thLetter
I switched from OSX Yosemite to Windows 8.1 a while back.

I have had _substantially_ fewer problems with Windows 8.1.

~~~
misterdata
Just yesterday I performed a clean install of Windows 10 on my desktop work
computer. After joining our domain (configured in the most standard way
possible), the Start Menu stopped working and Edge couldn't start anymore. All
commands to fix this situation (through PowerShell) gave cryptic hexadecimal
error codes. After a few hours it turns out the Windows Firewall service was
disabled. How this causes the Start Menu to malfunction, I don't know...

Again this was a _clean_ installation. Windows 10 is a joke.

------
donatj
I had a handful of apps I use all the time stop working entirely about a week
ago. They were purchased from the App Store but are no longer in the App
Store. I am furious. I am willing to bet the expired certificate is the
culprit.

I've had to carefully maintain the .apps myself across a couple Macs as
Apple stopped letting you download things that are no longer in the store. Now
they just don't work at all.

The older I get the more I think maybe Richard Stallman isn't crazy.

~~~
developer2
Let's not forget it's not exactly Apple's fault that some developers remove
their apps from the App Store. While it's annoying, and we can wish all we
want that Apple would make apps permanently available once downloaded, it's
really the developer of the app that has failed you, not Apple.

~~~
teacup50
No, I'm pretty sure it's Apple's DRM that got us into this mess.

~~~
danieldk
As far as I understand (but I have only distributed an OS X app outside the
App store), the DRM is opt-in.

App store guidelines require that packages are sandboxed and signed. If you
have a signed application, you can circumvent the signature check by disabling
gatekeeper, removing the quarantine attribute, or control-clicking and
choosing 'Open'.

The DRM mechanism is called 'receipt validation' and has to be enabled by the
app developer:

[https://developer.apple.com/library/mac/releasenotes/General...](https://developer.apple.com/library/mac/releasenotes/General/ValidateAppStoreReceipt/Introduction.html#//apple_ref/doc/uid/TP40010573)

I can sort of see why Apple provides this (to entice companies to publish in
the app store), but a developer can decide to be customer-friendly and not
check the receipt. So, I think it's fair to blame the developer, not Apple.

(Please correct me if I am wrong, as said, I never distributed an App Store
app.)

------
pilif
Under Windows, when I sign a binary, I also have the option (well - it's more
like a strong recommendation) to time-stamp the signature.

That way, Windows can check whether the signature was made during a time when
the certificate was valid. This means that when your certificate expires, you
won't be able to sign new binaries, but at least the existing ones continue to
work.

This is something Apple should really consider implementing - even just for
the sake of archival of old OS versions that people might still want to
install for nostalgia's sake.

~~~
kevincox
How does this help? In order to provide any security you would need to limit
the time from signing, which would be very similar to just issuing the
certificate for that much longer. There is no way to verify that the binary
was actually signed at that time.

~~~
makomk
It uses trusted timestamping servers run by certificate authorities to sign
the timestamp information.

~~~
kevincox
Ok, I didn't realize that. But it still doesn't solve the problem of
compromising an old certificate and creating a fake signature with your own
time.

~~~
wangweij
Expired and compromised are two different things. If compromised, it will be
published in a CRL with a reason flag.

~~~
kevincox
The reason why certificates expire is because they will become easy to crack
as computers get faster. So this would effectively be removing the expiry
date. Now you can crack any old certificate and sign things claiming that you
did it before the certificate expired.

~~~
markild
As someone above has already said.

To do this, you'd need to compromise or convince a trusted timestamping
authority to sign your signing request with an old date.
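
The acceptance rule argued over in this sub-thread, as an added example (not part of any comment above, and not Apple's or Microsoft's code). It assumes an HMAC as a stand-in for the timestamping authority's signature and treats a revocation as effective from its CRL date; `Cert`, `tsa_issue`, `verify` and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import hashlib
import hmac

# Constructed stand-in for the timestamping authority's key. A real TSA signs
# its tokens with its own certificate (RFC 3161), not a shared secret.
TSA_KEY = b"constructed-demo-tsa-key"

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # date from a CRL entry, if any

# Constructed sample data: a signing certificate and a signature digest.
CERT = Cert(datetime(2011, 1, 1), datetime(2016, 2, 14))
DIGEST = hashlib.sha256(b"constructed installer bytes").digest()

def tsa_issue(digest: bytes, when: datetime, key: bytes = TSA_KEY) -> bytes:
    """The TSA binds the signature digest to the time at which it saw it."""
    msg = digest + when.isoformat().encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify(cert, digest, now, stamp_time=None, stamp_token=None):
    """Return (accepted, reason) for a signature made with `cert`."""
    stamped = (
        stamp_time is not None
        and stamp_token is not None
        and hmac.compare_digest(stamp_token, tsa_issue(digest, stamp_time))
    )
    # Without a token from the trusted TSA, a claimed signing time is ignored
    # and the certificate is judged against the verifier's own clock.
    at = stamp_time if stamped else now
    if cert.revoked_at is not None and at >= cert.revoked_at:
        return False, "revoked"
    if at < cert.not_before:
        return False, "not yet valid"
    if at > cert.not_after:
        return False, "expired"
    return True, ("timestamped" if stamped else "current")
```

A self-asserted old date fails because the token does not verify under the TSA key, and a stolen key is handled by the `revoked_at` branch rather than by expiry.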

------
xaduha
Not familiar with actual Macs, but I did install OS X plenty of times on PCs.
Can't you just change time on your machine, install it and then change it
back? I'm sure OS X can be installed offline.

~~~
LeoPanthera
The article mentions this as a solution, yes.

------
k33n
Apple has been getting sloppier and sloppier over the past 5 years or so. For
instance, even if you have selected "automatically set my timezone based on my
location", it won't update unless you actually open the date/time preferences
panel every time you change zones.

~~~
santaclaus
Really? I flew west coast to east coast yesterday and the time on my machine
updated with no manual intervention.

~~~
radicalbyte
Worked fine for me going from NL > UK yesterday. Yosemite.

~~~
jen20
Works for me probably 8-10 times per month going between time zones. Now
Flux... that never realises...

------
dcw303
> There is one caveat to all this. Apple won’t allow a newer Mac to download
> versions of OS X that aren’t compatible with that Mac, so on a 27-inch iMac
> with Retina display, for instance, the App Store app refuses to let you
> download Mac OS X 10.7 Lion.

It's an edge case, but it's still annoying that I can't do this. What if I'm
trying to get a non-functional older Mac running again? Stopping all users
from doing this does mitigate incompatibility support issues, but it hobbles
power users.

To allow this, I don't think they need to add a switch to preferences. I'd be
happy with a defaults invocation.

~~~
Synaesthesia
There's a reason: Lion didn't have drivers for the hardware in question. OS X
has all drivers, like for graphics etc. built in. That's why you're limited to
versions after your Mac was made.

~~~
dcw303
Sorry, I didn't explain myself well enough. What if I want to download a
specific image on a different Mac to the one I want to install the OS on?

~~~
Synaesthesia
Oh sorry. Hmm that's troublesome. I wonder how far back this goes. Apparently
just setting your clock back bypasses the check!

------
dingo_bat
All of this is just more evidence driving me away from using any kind of app
store. I download and install apks on my android phone, and executable/tar
installers on my computers. It's also the reason why I'll never buy an iOS
device, or even open the Windows 10 store.

~~~
kagamine
The best app stores are the ones beginning with apt-get, yum, slapt-get etc.
I'd very much like to see a real Linux/Unix phone with a battery that isn't a
joke being played on consumers. I'm tired of looking after a smartphone that
requires as much care and time as a small child.

~~~
pilif
_> The best app stores are the ones beginning with apt-get, yum, slapt-get
etc_

At least apt is as pissy about expired GPG keys as MacOS is about expired code
signing certificates.

------
escobar
The whole "old installer" and "bootable disk" has been a pain-point since 10.8
for me. I have done 4 or 5 clean installs for friends in the last 6 months,
and I tried to make a 10.10 or 10.11 bootable USB... no go - each time, a new
issue.

I have ended up every time using my older 10.8 (ML) install USB every time,
then just firing off the free App Store upgrade to 10.11.

~~~
X-Istence
In newer Macs (2012 onward IIRC) you can just boot into a net installer, and
it goes and fetches the installer from the internet before re-installing.

~~~
escobar
The main reason I don't do this is because I'm often installing the OS to a
brand new (blank) drive that has absolutely no recovery on it.

~~~
X-Istence
It is part of the ROM. It can be done with a blank drive.

[http://www.macrumors.com/2011/07/20/internet-recovery-lets-n...](http://www.macrumors.com/2011/07/20/internet-recovery-lets-new-macs-install-os-x-from-blank-hard-drive/)

So the drive doesn't even have recovery on it.

------
johansch
It kinda seems like Apple has set out to prove that having a release schedule
that is date and feature driven at the same time is not a good idea.

~~~
garrettgrimsley
This is not related to their release schedule, it has to do with the
certificates used to validate software. You can view an explanation of
application level code signing here [0] and the concepts also apply to signing
OS images.

[0]
[https://developer.apple.com/library/mac/documentation/Securi...](https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html#//apple_ref/doc/uid/TP40005929-CH3-SW3)

~~~
mikeash
I believe they're saying that it is related to Apple's release schedule
because having a hard deadline every year _and_ a fixed feature set for that
hard deadline means that you run into problems with quality.

I would dearly love for Apple to take a year or two (or, hell, five, I'm happy
with the current feature set) and just fix bugs. No new features, just bugs.
Do another Snow Leopard release, or three.

~~~
x0x0
I have a cron script that hard kills Finder hourly because it eats a gig of
RAM and gets slower and slower until there is typing lag in it.

My partner's iTunes refuses to reliably see her iPhone.

TimeMachine shits the bed on the regular.

SMB appears to be the future but TimeMachine still requires brittle afp.

On a 15-in late 2013 laptop with 10.10.current, about once out of every 20
times I open the lid the laptop doesn't wake up. Even when it does wake up
there is a black screen for a noticeable amount of time. This never used to
happen on 10.9.

Apps regularly lose the ability to create audio (spotify, chrome, vlc) if you
let them run too long. The solution is to sudo killall audiod.

etc etc etc

~~~
astrange
[http://bugreport.apple.com/](http://bugreport.apple.com/)

------
kaptain
The article noted that one workaround for people in the middle of an install
is just to change the date. Is this a general workaround: change the date
pre-February 2016, run installer, change date back?

------
gargravarr
This is not a problem we ever had with installers on CDs...

Seriously Apple, stop making it so goddamned difficult to use your software!!

------
xufi
I should do this when I get a chance. Good to know. Glad I have an external HD
to store it on.

------
draw_down
Apple is really killing me with this shit. They're not making anything more
secure, they're just making bitrot worse and being a pain in the ass. People
need to install and run programs, please.

------
barbs
Completely by-the-by, but I couldn't help but notice the small advertisement
at the bottom for Smile PDFPen[0]. I'm using uBlock Origin, but this wasn't
blocked by it, presumably because it's unique to this site, and is
indistinguishable from the rest of the content. However, it's very
unobtrusive, doesn't track me at all and has no influence on the actual
content of the article, so I have no problems with it being here.

This makes me wonder if there could be a set of guidelines that could be
formulated for acceptable advertising on websites...?

[0][https://imgur.com/pQIFQFb](https://imgur.com/pQIFQFb)

~~~
adamengst
Adam Engst, publisher of TidBITS here... Thanks for noticing that Smile is
sponsoring TidBITS. As you note, the sponsorship is unique to our site, and
uses entirely internal systems for display, so there are no trackers or the
like. Smile chose to do their URL via a URL shortener, so I don't know what
could be determined if you click it, but it's not loading any code merely by
viewing it. The trackers the other commenter saw are due to the graphical ads
and affiliate link generators we also have on the page.

Two random facts to note. First, as far as I know, TidBITS did the first
sponsorship program for Internet content back in 1992. If that was in any way
responsible for what Internet advertising has become, I apologize. :-) Since
we believe in archival content, you can read that article at
[http://tidbits.com/article/2995](http://tidbits.com/article/2995)

Second, our primary source of revenue is voluntary memberships. We also make
about $5K per year from graphical ads, and in last year's membership drive, I
challenged the 90% of our readers who are not members to join, promising that
we'd drop the graphical ads and affiliate link generators if we could raise
another $5K. Alas, the challenge fell short.
[http://tidbits.com/article/16234](http://tidbits.com/article/16234)

