
Some Apple signatures expiring on October 24, 2019 - sounds
https://derflounder.wordpress.com/2019/10/16/certificate-used-to-sign-older-apple-software-expiring-on-october-24-2019/
======
teovall
Why don't they just timestamp the signatures so they don't have to re-sign them
every few years?

~~~
robbya
I suppose it does give Apple more control. If they decide they don't want a
specific update to work any longer, they can let it expire and then folks
would need to use something else (like a newer/safer update that covers the
same patch).

For EFI (per the screenshot), I wonder if they are looking to protect against
the risk of an update that introduces an EFI vulnerability. Unless Apple is
checking a certificate revocation list (or similar), an attacker could
apply that vulnerable update. Letting it expire sets a limit for how long it
can be exploited. Just a guess.

