Mac applications can arrive in a number of different formats, including packaged as PKG files.
In the interests of keeping your Mac secure, you should never download any file that you’re suspicious about. However, if you have downloaded a PKG and are starting to have second thoughts about where it came from, then you should take a closer look at the PKG’s contents before executing it, to make sure you don’t wind up installing any malicious software on your Mac.
If you’ve been a Mac fan for a while now, then you may remember a time when macOS featured a built-in package inspector. Although this feature is no longer included in recent releases of macOS, there are a number of third-party apps that promise to fill this gap, including Suspicious Package.
You can use the Suspicious Package app to examine the contents of a PKG file, right down to the individual files and scripts that’ll be installed on your Mac in the event that you do decide to install this package.
Suspicious Package can also come in handy if you’ve installed a PKG and are now wondering whether that might have been a mistake. As long as you still have the original PKG on your machine, you can use Suspicious Package to examine its contents, which can help you determine whether your Mac has been infected with malicious software.
Scrutinise your PKGs with Suspicious Package
You can download the Suspicious Package app for free from the developer’s website.
Once Suspicious Package is installed on your machine, you can inspect the contents of any PKG, either by dragging it onto the Suspicious Package app or by Control-clicking the PKG file and then selecting ‘Open with > Suspicious Package.’
Suspicious Package will then launch a new window containing detailed information about your PKG.
Although the contents of this window will vary depending on the PKG you’re examining, it usually consists of the following tabs:
The ‘Package Info’ tab displays an overview of the PKG’s contents, including the files it’s going to install, the scripts it’s going to run, and how much space the installed program will take up on your Mac.
Assuming the package is signed, this tab will also display one of the following labels:
- Apple Inc. The package was signed with a valid Apple certificate.
- Developer ID. The package was signed with a valid Developer ID certificate.
- Valid. The package was signed with a certificate issued by a certificate authority that macOS generally trusts, but that isn’t an Apple or Developer ID certificate.
- Not Trusted. The package was signed with a certificate that isn’t trusted by macOS.
- Expired. The package was signed with a certificate that has expired or been revoked by the certificate authority. Since all certificates expire after a certain amount of time, this doesn’t automatically mean that the PKG is untrustworthy.
- Revoked. A certificate is usually marked as revoked when it’s been lost or stolen.
- Marked as trusted. The package was signed with a certificate that wouldn’t normally be trusted by macOS, but your Mac has marked it as trustworthy. You’ll usually only encounter this label if you’ve opened your Mac’s ‘Keychain Access’ app and manually changed the Trust Settings for this particular certificate.
Suspicious Package may also occasionally identify potential issues with a PKG. If it does identify one or more of these issues, then it’ll display a ‘Found X item(s) for review’ message in the ‘Package Info’ tab. If you do spot this message, then you should always investigate. Click the issue’s accompanying arrow icon to open a ‘Review’ tab containing more information.
The next tab lists all the files that are going to be installed on your Mac when you run the PKG, along with information about where these files are going to be installed and any permissions associated with each file.
While there are many legitimate reasons why a package might need to install scripts, malicious packages can also use scripts to damage your Mac. Suspicious Package’s ‘Scripts’ tab lets you see exactly what scripts this PKG will run if you do choose to execute it.
While you’ll get more value out of this tab if you have some experience with the scripting language this particular PKG is using, Suspicious Package does provide you with some basic information about each script, including where the script will be installed and when it’ll be run.
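The same questions (what is inside, is it signed, does it carry scripts) can be asked of a PKG without running it. The following is an added example, not part of the original article or of Suspicious Package: a flat PKG is a xar archive whose table of contents is zlib-compressed XML, and this Python sketch reads only that table. The function names and the sample archive are constructed for illustration.

```python
import struct
import zlib
import xml.etree.ElementTree as ET
# xar header: magic, header size, version, TOC length (compressed, raw), checksum alg
XAR_HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 16 * 1024 * 1024  # arbitrary cap so a hostile file cannot act as a zip bomb

def read_toc(blob):
    """Return the <toc> element of a flat PKG (xar archive) held in bytes."""
    if len(blob) < XAR_HEADER.size or blob[:4] != b"xar!":
        raise ValueError("not a flat PKG: missing xar! header")
    _magic, hdr_size, _ver, zlen, ulen, _alg = XAR_HEADER.unpack_from(blob)
    if hdr_size < XAR_HEADER.size or ulen > MAX_TOC or hdr_size + zlen > len(blob):
        raise ValueError("implausible xar header")
    inflater = zlib.decompressobj()
    xml_bytes = inflater.decompress(blob[hdr_size:hdr_size + zlen], MAX_TOC)
    if inflater.unconsumed_tail or len(xml_bytes) != ulen:
        raise ValueError("TOC size does not match header")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("TOC declares a DTD or entities; refusing to parse")
    toc = ET.fromstring(xml_bytes).find("toc")
    if toc is None:
        raise ValueError("no <toc> element")
    return toc

def walk(node, prefix=""):
    """Yield the path of every <file> entry, descending into directories."""
    for entry in node.findall("file"):
        path = prefix + (entry.findtext("name") or "")
        yield path
        yield from walk(entry, path + "/")

def summarize(blob):
    """'signed' means a signature is embedded, not that its certificate is trusted."""
    toc = read_toc(blob)
    paths = list(walk(toc))
    return {
        "signed": toc.find("signature") is not None,
        "files": paths,
        "script_archives": [p for p in paths if p.split("/")[-1] == "Scripts"],
    }

def build_sample():
    """Constructed sample: minimal unsigned archive with one component."""
    toc = (b"<xar><toc><file id='1'><name>Distribution</name></file>"
           b"<file id='2'><name>demo.pkg</name>"
           b"<file id='3'><name>Scripts</name></file>"
           b"<file id='4'><name>Payload</name></file></file></toc></xar>")
    z = zlib.compress(toc)
    return XAR_HEADER.pack(b"xar!", XAR_HEADER.size, 1, len(z), len(toc), 1) + z
```

For a real file, pass `open(path, "rb").read()` to `summarize`; an entry under `script_archives` means that component will run install scripts, which are the ones worth reading before you install.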