What to do if you’re worried about the legitimacy of a downloaded software installer

Apple developers get an extra layer of security that you can check.

macos generic software installer icon

Today's Best Tech Deals

Picked by Macworld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

You should almost always download installers for apps, drivers, or other software directly from the site operated by the software’s developer. However, sometimes developers rely on third-party sites to host their files. Or you might encounter a situation like mine: I was unable to reach a company’s site recently, as it was temporarily down, and I found a driver I needed on a third-party update site.

This might leave you a little concerned as to whether the installer was legitimate or at least provided by the developer. Some download sites have been known to package real software updates with adware that, when installed, serves up unwanted advertising or rewrites links on pages to redirect who receives credit for ads you see or click on.

For developers who are part of the Apple Developer Program, there’s a simple way to double check.

Launch the installer. If it warns you at launch that the software isn’t “signed,” it doesn’t mean it’s malware, but the developer has either opted not to be part of Apple’s program or didn’t run its software through the round-trip process in which Apple adds its digital signature.

In either case, you need to make doubly sure that the software only originated from the folks who programmed it—don’t continue unless you downloaded the software directly. You have to right-click and select Open to run the software, agreeing that you read a warning about proceeding. (And if you routinely install unsigned software, it’s a good idea to learn about file hashes that can help you verify what you downloaded.)

mac911 installer with no lock IDG

A perfectly fine but unsigned installer lacks the lock icon in its upper-right corner.

Check the installer certificate. If the installer has been signed, there’s a lock icon in the upper-right corner. You may never have noticed it or, having seen it, never clicked it. Now’s the time. When you click it, the installer shows information about the digital certificate with which the installer was signed, something you can view for an https-connected website in Safari, too.

If you click the expand triangle next to the Details heading, you can see the name of the developer, its Developer ID, and Apple’s name as the issuing certificate authority, a carefully audited role that ensures the certificate was legitimately issued. In this case, the Wacom driver I downloaded is, sure enough, created by Wacom.

mac911 check certificate installer IDG

For Apple-signed installers, you can check the certificate if you have any concerns.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Every question won’t be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Shop Tech Products at Amazon