An application for inspecting macOS Installer packages.
Free from Mothers Ruin Software, since 2008.
@rosyna Right. And it only exploded (at runtime, anyway) because my -setPlaceholderStrings: calls -setPlaceholderString:, which now calls -setPlaceholderStrings:.
Still, this is the only time I've been bit by such a clash in over a decade. Not bad odds, that!
By the way, please do let me know if you run into other significant problems with Suspicious Package on Tahoe. I may or may not find them myself!
Suspicious Package 4.5 is basically unusable on the first macOS 26 Tahoe beta. Selecting any file or folder on the All Files tab will cause it to crash.
It's obviously early days for Tahoe, but if you're trying to live on it, (a) you have my sympathies, and (b) you might be interested in this preview version of Suspicious Package 4.5.1, which ought to fix the crash:
https://www.mothersruin.com/software/SuspiciousPackage/preview.html
Suspicious Package 4.5 is available now. It shows minimum macOS version requirements declared by installed apps or executables, and also any install-time requirement.
It also fixes a crash that might only manifest on Sequoia, or maybe just on development versions of the kernel -- it's not clear, since I'm not able to reproduce it.
I believe this version works fine on current macOS 15 betas. But if anyone has run into Sequoia-specific problems, please me know!
https://www.mothersruin.com/software/SuspiciousPackage/update.html
@da4 Gotcha. I’ll add it to the list for a future update.
In the meantime, be aware that you can see the raw Distribution file in Suspicious Package. Go to Preferences > General and check “Distribution file on All Scripts tab”. Then there will be an entry for it with the other scripts.
Not as nice as having the version info extracted but easier than pkgutil, maybe.
@da4 Probably. Do you actually see this mechanism being used in modern packages?
When I was at Apple, I did much of the work on these "requirements” clauses in the distribution/productbuild, but have never encountered them in the wild. So surfacing them in Suspicious Package has always felt like good work after bad.😆
Suspicious Package 4.4 is out now. It's mostly a collection of bug fixes and minor improvements, including new visibility into the code signing identities and launch constraints of installed items.
Also, Suspicious Package is now localized into Swedish, thanks to Frank Winterpil, who volunteered to translate its thousands of strings (and you know how wordy I am)!
Note this version drops support for macOS 11 (Big Sur).
https://www.mothersruin.com/software/SuspiciousPackage/update.html
I'm not planning a Suspicious Package release to coincide with Sonoma this year, since I didn't find any significant issues with version 4.3.3 on the macOS 14 Release Candidate -- a pleasant change, that.
I did debug and write about some strange macOS behavior around App Management and App Data protections here: https://www.mothersruin.com/software/SuspiciousPackage/faq.html#appbundles-notif
That said, if you've run into other issues with Suspicious Package on Sonoma, let me know...
Version 1.6 is out now. It adds a new "Launch Information" inspector that gives visibility into launchd job definitions and the new-to-Sonoma launch constraint mechanism. There are also smaller usability improvements and a fix to prevent the Quick Look preview extension from behaving badly in the background.
More info at https://www.mothersruin.com/software/Apparency/update.html
Someone pointed out to me that the Suspicious Package 4.3.3 disk image is flagged as malicious by 1 of 59 vendors on VirusTotal.
I've examined the product dmg carefully for any sign of compromise, and found nothing. I also checked all of the Mach-O binaries in VirusTotal, and they all show up clean.
So I believe this to be a false positive from this one engine. But if anyone has any reason to believe otherwise, let me know!
Version 4.3.3 fixes a single bug, but one that could cause the Quick Look Preview extension to churn through CPU in the background indefinitely, which seemed obnoxious enough to fix right away. Sorry about that!
https://www.mothersruin.com/software/SuspiciousPackage/update.html
@zoocoup Why this required restricting the Open With menu, instead of only disabling the default app binding, isn't obvious. Maybe because of the "Always Open With" (Option modifier) behavior?
Anyway, if you haven't already, grab Suspicious Package 4.3.2 to get that new "Open With Suspicious Package" service menu item!
So this explains the change with 13.3's “Open With” behavior #MacAdmins https://jhftss.github.io/CVE-2023-23525-Get-Root-via-A-Fake-Installer/
Version 1.5.1 is out, and gives you the minimum macOS version requirement at a glance.
More info at https://www.mothersruin.com/software/Apparency/update.html
Version 4.3.2 is out now, and adds an "Open With Suspicious Package" service -- available from the Finder context menu, even on macOS 13.3, where the standard Open With submenu has been restricted to the Installer.
There are also a few other improvements and fixes. More info at https://www.mothersruin.com/software/SuspiciousPackage/update.html
@kevinmcox Thanks. I'm leaning toward an "Open With Suspicious Package" Service, because this seems intentional and therefore unlikely to change.
@gummibando You've accurately described my thought process here. 😆 I'd like to know the reason for the change, but I'm unlikely to get that through Feedback Assistant...
@ctietze I'm leaning toward an "Open with Suspicious Package" Service, which at least appears in the same context menu (as well as in the Finder's Services menu).
I admit to mostly ignoring Quick Actions: is there any reason that would be preferable to a Service?
If you've updated to macOS 13.3, and are wondering why you can't use the Finder's context menu to Open With > Suspicious Package, it's not just you:
https://www.mothersruin.com/software/SuspiciousPackage/faq.html#finder-open-with
This looks intentional, so we're working on alternatives...
From the "We built it for ourselves but maybe someone else will want it?" department at Mothers Ruin Software, a new debugging app for macOS:
Archaeology makes it easier -- or just possible -- to inspect different kinds of binary files that are common on macOS ... and to follow the trail of one binary format that wraps another one.
