Expiring Developer ID Installer certificate - do old installers still run?

I recently got an email from Apple again that my company’s Developer ID Installer certificate is expiring in a few weeks.

Of course, I will create a new one (don’t think you can “renew” it, right?), but I was wondering: what happens to the installers that were signed with that expiring certificate? Will they still run given Apple’s various protections from the last years. Recent installers were signed (with a timestamp IIRC) and notarized (still with altool though).

I ask here because many of you probably already did this before, and I am being confused by these two pieces of information:

  1. Apple’s docs say this:
    Developer ID Installer Certificate (Mac applications):
    If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
    (source: Certificates - Support - Apple Developer )

  2. But then Quinn “The Eskimo” (Apple Developer Technical support) said the following 1 year ago:
    That article is definitely out of date. I’ve filed a bug to get it corrected (r. 90418064).
    I believe that this info was correct in the past. However, modern installer packages include a trusted timestamp.
    This trusted timestamp allows macOS to apply the same logic it does for Developer ID signed apps, that is: Was the Developer ID certificate valid at the time that the item was signed?
    (source: What happens when Developer ID Ins… | Apple Developer Forums )

What is your experience with this?
In the meantime, I’ll see if I can find an old installer from before this current certificate and see what happens on a current macOS system.

Well, when running a very old installer from 2013, macOS Monterey says “can’t be opened because Apple cannot check it for malicious software”. But if you then right-click + open instead of double-clicking the .pkg file, it happily does run the installer. Not sure if that is because that installer was not notarized yet, but in any case, it appears to still run…
And the same happens on macOS Ventura apparently.
So, should be fine then I guess.

I say trust the Eskimo.

1 Like