Apple uses a certificate on their install and update packages, and apparently this certificate expired on 3/23/12.

This means if you had previously saved and stored Apple install/update packages for future use, you’ll get a message like “XYZ was signed with a certificate that has expired […] Do you want to continue with the installation anyway?” when manually running the package.

Apple reposted dozens of replacement install/update packages with new certificates between 3/18/12-3/20/12, downloadable at http://support.apple.com/downloads/ If you had previously saved and stored ones with outdated certificates, it would be best to replace them.

You can still manually use these outdated install/update packages if you click the Continue button when warned that the certificate has expired, however they will not work if the package is pushed out using an automated system such as Apple Remote Desktop, DeployStudio, Apple’s System Image Utility, InstaDMG, Reposado, or a Mac Server running Software Update service (any system that makes use of the command-line installer tool).

This means if you utilize one of these automated systems for pushing out packages, you need to find replacements for your outdated Apple install/update packages… the only problem is these replacements don’t always exist.

For example, some installers on retail Apple DVDs have expired certificates, including iLife ’11. The only replacement for an installer like this would be from the Mac App Store, and not all iLife ’11 apps from the DVD have App Store equivalents (plus good luck with that).

The situation is even worse if you run your own Software Update Server. All the updates you’ve previously approved with expired certificates will no longer work, and Apple is only reposting updates that are current at the time of expiration. This means updates like 10.6.7 or 10.7.2 won’t be posted by Apple, so your SUS won’t pick them up, and the copies you may have previously approved won’t run.

Again, these issues only effects those utilizing an automated systems for pushing out Apple install/update packages, but it’s so bad that many people in the Apple Community have dubbed it the “Package Apocalypse”, and a few are talking class action lawsuit.

Apple has a lot of the details regarding this certificate expiration posted at http://support.apple.com/kb/HT5198. It’s worth a read if you’re trying to get your head around all of this.

In response to the uproar, Apple released the “Apple Software Installer Update 1.0”. This update is specifically for Snow Leopard, and allows you to push out install/update packages with outdated certificates to OS X 10.6.8 (basically it tells the OS to ignore the certificate expiration date when using the command-line installer). Apple has not however released a similar workaround for the other versions of OS X, and it doesn’t look like they are planning on doing so.

And when there is no other option, there is also a use-at-your-own-risk script for fixing Apple install/update packages with outdated certificates called flatpkgfixer, posted by Greg Neagle at the Managing OS X blog… http://managingosx.wordpress.com/