Check installers for safety

3 November 2015, 04:22

Software is typically installed on a Mac in one of three ways:

1. Via the App Store;
2. Dragging and dropping the app onto the Applications list in Finder after downloading it manually;
3. Double-clicking an installer .pkg file you’ve downloaded, which places files where they need to go and perhaps runs a few scripts (chains of commands) to make sure everything works.

Focussing on #3 above, in our security-conscious times wouldn’t it be useful to look inside a package before you installed it?

Suspicious Package lets you do this by adding a plugin to Quick Look.

In other words, all you have to do in future when you’re about to install a .pkg file is select it in Finder, then tap Space to Quick Look it. You’ll be shown the following useful and interesting details:

  • Who – if anybody – digitally signed the package (a digital signature is a little like a real-life pen-and-ink signature: it proves the item came from who it says it does)
  • What kind of package it is
  • The scripts the package intends to run
  • The amount of space the installed package will take up on your hard disk
  • The files inside the installation package, listed by the location they will be placed on your hard disk.

… all in a neat, concise and good-looking summary window. If you’re happy you can just click Open with Installer in the top right to carry on.

The best news: Suspicious Package is a free download. Somewhat ironically, Suspicious Package is distributed as an installer .pkg itself, but the instructions at the previous link show how to install it manually.

(For what it’s worth, with #2 in the list of installation methods above, you can just right-click the app and select Show Package Contents to take a look inside.)
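If you would rather see the same details from the command line, the following script (an added example, not Suspicious Package’s own code) reads an expanded flat package and reports who the scripts run as, the claimed install size and which scripts ship with it. It assumes the `PackageInfo` layout produced by Apple’s `pkgutil --expand`, and builds a constructed sample package so it runs without a Mac; the signature check itself needs macOS’s `pkgutil`.

```shell
#!/bin/sh
# Inspect an expanded macOS flat package: the same facts Suspicious Package
# summarises in Quick Look. Real use on a Mac would be:
#   pkgutil --expand Foo.pkg ./expanded && inspect_pkg ./expanded Foo.pkg
# The package built below is constructed so the parsing logic runs offline anywhere.

# Whose privileges the installer scripts get: flat packages declare auth="root"
# or auth="none". Assumes the <pkg-info> tag sits on one line.
pkg_auth() {
    sed -n 's/.*<pkg-info[^>]* auth="\([a-z]*\)".*/\1/p' "$1/PackageInfo" | head -n 1
}

# Disk space the payload claims it needs (installKBytes attribute).
pkg_install_kbytes() {
    sed -n 's/.*installKBytes="\([0-9]*\)".*/\1/p' "$1/PackageInfo" | head -n 1
}

# Scripts shipped with the package; each runs with the privileges above, so read them first.
pkg_scripts() {
    [ -d "$1/Scripts" ] || return 0
    ls "$1/Scripts"
}

# Constructed sample of an expanded package (not a real product).
make_sample_pkg() {
    mkdir -p "$1/Scripts"
    cat > "$1/PackageInfo" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<pkg-info format-version="2" identifier="com.example.demo" version="1.0" install-location="/" auth="root">
  <payload installKBytes="2048" numberOfFiles="12"/>
  <scripts>
    <postinstall file="./postinstall"/>
  </scripts>
</pkg-info>
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/Scripts/postinstall"
}

# Summary roughly matching the Quick Look window. The signature is on the original
# .pkg, not the expanded tree, and checking it needs macOS's pkgutil.
inspect_pkg() {
    echo "Runs as:      $(pkg_auth "$1")"
    echo "Install size: $(pkg_install_kbytes "$1") KB"
    echo "Scripts:      $(pkg_scripts "$1" | tr '\n' ' ')"
    if [ -n "$2" ] && command -v pkgutil >/dev/null 2>&1; then
        pkgutil --check-signature "$2"
    fi
}

demo=$(mktemp -d); make_sample_pkg "$demo/demo"; inspect_pkg "$demo/demo"; rm -rf "$demo"
```

A package declaring `auth="root"` together with a non-empty Scripts directory is exactly the case where reading the scripts before clicking Open with Installer pays off.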
