Mothers Ruin Software

Frequently Asked Questions


Using Suspicious Package

Understanding Suspicious Package

How do I install Suspicious Package?

Quick Look will search for plugins in the Library/QuickLook folder of your home directory. (On Lion, hold down Option and choose Go : Library to get to your Library folder.) Create the QuickLook folder if necessary, and then drag Suspicious Package.qlgenerator from the disk image into the folder.

You may have to log out and back in again to get Quick Look to recognize the new plugin (we've seen inconsistent behavior on this front).

Alternatively, if you want Suspicious Package to be available to other users on your machine — and if you have administrator access — you can drag the plugin to the /Library/QuickLook folder at the top level of your hard disk.

Why doesn't Suspicious Package come as an installer package?

Because it wouldn't Quick Look very well. Or more seriously, we wanted Suspicious Package to be as transparent as possible, particularly given the cautions about installer packages that we note below.

What is an install script and why should I care?

In addition to the files that a package will install, a package can define one or more install operations, which are scripts to be run before or after the actual installation. There are many valid reasons for such scripts — checking for compatibility, cleaning up old versions, starting daemons and so on — but a malicious package could do anything in such a script. And even a well-intentioned but poorly designed installer script can do damage. This can be particularly concerning for a package that requires an administrator password, since its scripts will be run as the root user.

Unfortunately, Suspicious Package can't tell you if a package has malicious or problematic scripts. All it can do is tell you which scripts are there, and let you examine them. When a package contains scripts, Suspicious Package will indicate it like this:

[Screenshot: indication of scripts in a package]

This tells you the number of standard install scripts found inside the package. If an admin password is required (as in this example), those scripts will be run as the root user. To see the scripts themselves, click the disclosure button, as shown above. Of course, you'll need some expertise in the scripting language being used in order to understand what the scripts do, so this is no panacea. You should also take note of the limitations described below.

For some background on install operations, see the ADC Software Delivery Guide. We have not been able to find any other authoritative documentation on these scripts, or even general guidelines for dealing with packages that contain them. Perhaps the best advice is still to be wary of installer packages from unknown sources.

How can I tell which files a Custom Install will install?

Some installer packages contain multiple sub-packages, and allow you to deselect one or more of these through the Customize dialog. The current version of Suspicious Package does not track which files come from which sub-package, and so cannot show the effect of turning off any particular package.

Suspicious Package assumes that all sub-packages would be installed. This applies to both the file listing and the various install properties — e.g. administrator and restart requirements.

Why does Suspicious Package not work on installer X?

If Suspicious Package doesn't recognize the structure of an installer package, it won't produce a Quick Look preview, and Quick Look will fall back on its default one. Even for normal-appearing .pkg installers, this can happen for a number of reasons, as there is a surprising variety in installer structures — especially in those that don't come from Apple.

If you find an installer package that Suspicious Package doesn't work on, feel free to contact us with the details, although we can't promise we can get it working.

Are there other ways to preview the contents of an installer?

Absolutely. Suspicious Package is designed only to make previewing an installer package more convenient than it would otherwise be. The Apple Installer has always had a command to list the files to be installed, which you can use before starting the actual installation. This is found under File : Show Files. (However, this method will not always show you where the package files will be installed.)

There are other ways of interrogating installer packages, including the mechanisms that Suspicious Package itself uses, as described below.

Will Suspicious Package tell me if an installer is malicious?

No, not with any certainty. We hope that the rather tongue-in-cheek name we gave to Suspicious Package will not deceive anyone into believing that it provides (much) security. The list of files that a package will install is only one aspect of what an installer might do. As noted above, packages can run a number of scripts before and/or after the install, for any number of very valid reasons. But a malicious package could run scripts for nefarious reasons, which is particularly concerning where you must grant administrator access!

As of version 1.1, Suspicious Package does allow you to see the actual scripts (subject to some limitations). But seeing the scripts is a small part of the challenge — actually auditing them for safety is more challenging, and not something that Suspicious Package can help with.

The bottom line is that you should be careful about installing any package, particularly if you don't know the source. And if you don't know the source, please don't come to any conclusions on the basis of Suspicious Package alone.

What are the limitations of Suspicious Package's handling of install scripts?

Suspicious Package looks for the standard Apple-defined install scripts, which have names like preflight and postinstall. These are the only top-level scripts that the Apple Installer will run, but any of those scripts can invoke other scripts, which might live anywhere in the package and have any name. The only way to determine this is to audit the top-level scripts. To examine any lower-level scripts, you'll have to resort to the same mechanisms that Suspicious Package itself uses.

Note that install scripts can really be in any executable format. Suspicious Package will display files that appear to be text-based scripts (namely, anything that starts with the standard #! interpreter directive). Otherwise, Suspicious Package will show only that the installation operation exists, and note that it is a binary executable.

Also note that Suspicious Package will display all of the Apple-defined scripts in the package, without regard to which ones would actually be run. (For example, some run only on a clean install, and others only on an upgrade.) You may also see several versions of the same-named script, if the package contains multiple sub-packages, each with their own version. Making sense of install scripts is not trivial!

How does Suspicious Package determine installer contents?

There is no magic in Suspicious Package, and it uses no private Apple APIs. (There are no public Apple APIs for dealing with installer packages.) It uses a couple of tools that come standard on Mac OS X 10.5 or later, and which you can run yourself from the Terminal.

Classic installer packages — which are supported on all versions of Mac OS X — are bundles which contain a .bom (bill of materials) file, which can be read by the lsbom tool to determine the list of files to be installed. (There is some variation in how the .bom file is named, but Suspicious Package only understands the common form.)

For 10.5, Apple introduced a new package format. This format, which doesn't work in 10.4 or earlier, is a single flat file. However, this flat file uses a public archive format, xar. Accordingly, you can use the command-line xar tool to list or extract files from a flat package. (Suspicious Package actually uses the API provided by libxar, rather than the command-line tool, but the effect is the same.) Within the flat package is a BOM file, which Suspicious Package also reads with lsbom.

Suspicious Package also reads the Info.plist and .dist files from the installer package, in order to get the installation locations and various other data (such as administrator password and restart requirements). These files exist, in various forms, in both styles of package, and have well-known syntax (standard Mac OS X property lists, and XML). However, the semantics are mostly not documented, and Suspicious Package has to do some interpretation. This is the area where Suspicious Package is most likely to get things wrong.
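The same recipe as a Terminal script, added here as an example (it is not Suspicious Package's own code): it extracts a flat package with xar, lists each Bom with lsbom, pulls the authorization, restart and install-location attributes out of the Distribution/PackageInfo files, and unpacks the Scripts archive to report which files are Apple-defined top-level scripts and whether each is a text script (starts with #!) or a binary, the distinction the limitations answer above describes. It assumes the usual flat-package layout (Distribution, PackageInfo, Bom and Scripts at the top level or inside <id>.pkg/ sub-package directories) and a gzip-compressed cpio Scripts archive; the audit itself needs xar and lsbom, so it runs on Mac OS X 10.5 or later.

```shell
#!/bin/sh
# Added example, not Suspicious Package's own code: inspect a flat (xar) .pkg with the
# tools the FAQ names (xar, lsbom) plus gunzip/cpio for the Scripts archive. Assumes the
# usual flat layout, with metadata at the top level or inside <id>.pkg/ directories.
STANDARD_SCRIPTS="preflight preinstall postinstall postflight preupgrade postupgrade"

# Text script if it starts with the "#!" interpreter directive, otherwise binary.
classify_script() {
    case "$(head -c 2 "$1" 2>/dev/null)" in
        '#!') echo text ;;
        *)    echo binary ;;
    esac
}

# True when the name is one of the Apple-defined top-level install scripts.
is_standard_script() {
    for name in $STANDARD_SCRIPTS; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Extract a flat package into a scratch directory and report what it would do.
audit_flat_pkg() {
    pkg=$1
    work=$(mktemp -d)
    xar -x -f "$pkg" -C "$work"
    echo "== Install properties (authorization, restart, install location) =="
    for meta in "$work"/Distribution "$work"/PackageInfo "$work"/*.pkg/PackageInfo; do
        [ -f "$meta" ] || continue
        grep -oE 'auth="[^"]*"|onConclusion="[^"]*"|install-location="[^"]*"' "$meta" || true
    done
    echo "== Files to be installed (every Bom, since all sub-packages are assumed) =="
    for bom in "$work"/Bom "$work"/*.pkg/Bom; do
        [ -f "$bom" ] && lsbom -s -f -l "$bom"
    done
    echo "== Install scripts (top level of each Scripts archive) =="
    for archive in "$work"/Scripts "$work"/*.pkg/Scripts; do
        [ -f "$archive" ] || continue
        sdir="$archive.d"; mkdir -p "$sdir"
        (cd "$sdir" && gunzip -c "$archive" | cpio -idm --quiet 2>/dev/null)
        for f in "$sdir"/*; do
            [ -f "$f" ] || continue
            n=$(basename "$f")
            if is_standard_script "$n"; then kind="run by Installer"; else kind="only reached via a top-level script"; fi
            printf '%s: %s (%s, %s)\n' "$archive" "$n" "$kind" "$(classify_script "$f")"
        done
    done
}

if [ "$#" -gt 0 ] && [ -f "$1" ]; then audit_flat_pkg "$1"; fi
```

Run it as sh audit_pkg.sh Some.pkg; a classic bundle package needs no xar step, since lsbom can be pointed straight at its .bom file.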