Suspicious Package

Release History

The table below summarizes the released versions of Suspicious Package, and what fixes and enhancements were made to each version. You can determine the version you have installed from Suspicious Package > About, or from the Welcome to Suspicious Package window.

Release History for Suspicious Package
Version Changes
4.0 (826) Released on August 28, 2021
  • Refreshed the UI to better fit the aesthetic of the Central Coast era of macOS.
  • Compatibility updates for macOS 12 (Monterey), including:
    • Added support for the new “large payload” feature of macOS Installer packages. This feature, enabled by the ‑‑large‑payload option of pkgbuild(1) or productbuild(1), is required if the package delivers any single file that exceeds 8 GB in size. Suspicious Package will now properly analyze and export from such packages, even when running on macOS 11 or earlier (although only the macOS 12 Installer will properly install the package).
    • Fixed a crash that would occur — at least on some beta versions of Monterey — when a matching receipt is found for the opened package.
  • Added information about the package format to the Package Info tab: this identifies the structure of the package (such as “Distribution Archive” or “Component Package”) and may be relevant if you are using certain mass deployment mechanisms. However, if you are just going to double-click the package to open the Installer, this is probably not something you need to be concerned with.
  • Added the ability to search the installed files based on the POSIX mode of the file or folder. For example, you can use a rule like file mode sets any bit in mask 0022, which will show any files or folders that are installed as writable to group or everyone. See this FAQ entry for detailed instructions and examples.
  • Added the ability to search the installed files based on the component package that installs it. This was possible before using a package ID rule, but required re-entering the component package identifier; the new component package rule type has a pop-up to make selection easier, and shows package names as well as identifiers.
  • Added an option in Suspicious Package > Preferences > General to Show PackageInfo files on All Scripts tab. Turn this on to see the original PackageInfo XML file from each component package, grouped with the scripts on the All Scripts tab. Suspicious Package already interprets these files, and presents the information in them in what we hope is a more useful way. But if you need to see the underlying file, this makes it more convenient.
  • Attempted to improve the handling of the review issue flagging that “one or more scripts in this package may be run when the macOS Installer opens...” Specifically, the Show Scripts That Run on Open button wouldn't actually show the Distribution file, which is often necessary for understanding what exactly will run. Also, Suspicious Package will now give you the option of turning on the preference that controls showing the Distribution.
  • Fixed a bug that could cause the count of installed items on the Package Info tab to be incorrect, usually by a small number. This was a longstanding discrepancy related to the way that package Bom files get read and merged.
  • Fixed display of some unusual and archaic item names, such as “Icon^M”.
3.7 (773) Released on March 7, 2021
  • Runs natively on Apple Silicon Macs.
  • Improved compatibility with macOS 11 (Big Sur), including:
    • Adopted the new “unified” style for the toolbar, and updated the icons to fit in better with the general Big Sur “design language” — especially when the toolbar is configured for Icon Only mode.
    • Updated to a new iOS-style Big Sur-style app icon. We're still not fans, but since our app icons were all circles before, we can't get too snotty about them all being “squircles” now. Having every icon on the system be the same shape seems a dubious improvement to macOS, but our icons aren't going to change anything.
    • Fixed other display and icon issues throughout the app.
  • Added information about the supported processor architectures to the Package Info tab. This is relevant when running on an Apple Silicon Mac, where a package that doesn't explicit declare its support will wind up running the macOS Installer under Rosetta 2.
  • Made the Quick Look preview more usable from the Finder's preview pane, i.e. View > Show Preview. Since the preview pane is typically much smaller, and since some information is shown directly by the Finder at the bottom of that pane, Suspicious Package now uses a more compact format here. When using View > as Gallery, or the classic separate window of File > Quick Look Item, Suspicious Package still creates a larger and more complete preview. Unfortunately, Apple provides no proper way for us to detect what context we're being shown in, so there's a bit of guesswork involved here, but we think it at least works better than it did.
  • Fixed some bugs in the handling of the toolbar, including the fact that changes made via View > Customize Toolbar did not get saved, and that items pushed into the trailing “overflow” section of the toolbar did not get enabled properly.
  • Fixed a bug where the Terminal might be chosen as a logical default app for opening a non-text install script, such as a Mach-O binary: this never should've been suggested as a default, since it would run the binary and would be unsafe. Instead, Suspicious Package now chooses to show the item in the Finder if there's no more logical default.
  • Fixed a bug in handling the unusual situation in which a package contains a folder whose name ends with a space character. Suspicious Package would show two versions of the folder, and could produce spurious Review messages about sizes being incorrect.
3.6 (736) Released on October 15, 2020
  • Updated for general compatibility with macOS 11 (Big Sur) — albeit with some caveats.
  • Added French localization — thanks to Olivier Prompt for making this possible!
  • For macOS 10.15 (Catalina) and later, Quick Look previews are now generated by a Quick Look Preview Extension: this changes the information available in the preview. The old-style Quick Look generators were deprecated by Apple.
  • Added File > Show as Property List for inline viewing (and searching) of “All Openable Items” that are recognized as some sort of property list — such as Info.plist files.
  • Better handle packages with no component packages, especially where these run code on opening the macOS Installer.
  • If a package is corrupted in some way and can't be opened at all, gives better feedback, especially from the Welcome to Suspicious Package window, which used to just quietly do nothing in this case.
  • Improved inferencing of file types in the All Scripts tab, especially for interpreted scripts with more complex #! incantations.
  • Better handling of compiled AppleScript (scpt) files in the All Scripts tab, no longer mistaking them for plain text, nor causing Quick Look previews to fail as a result.
  • Removed support for macOS 10.13 (High Sierra).
3.5.3 (586) Released on April 12, 2020
  • The Receipts tab (added in version 3.5) is now visible automatically. Previously, it would be added only when you clicked on the Previously Installed line in the Package Info tab or used Window > Receipts, but this proved difficult to discover. If you find this annoying and want to go back to the previous behavior, turn off Preferences > General > Show Receipts tab.
  • Added File > Show Package in Finder (Cmd-Option-R)
  • Added Edit > Copy Path for Package (Cmd-Option-C)
  • When exporting a file or folder, you can now prevent Suspicious Package from stripping off any access control lists that were defined by the package. Normally, we strip these by default, because the ACLs might prevent the exported item from being removed again, which can be confusing. But if you know what you're doing, you might want to inhibit this. You can either:
    • Use File > Export Item, and uncheck Remove any access controls from exported items before clicking Save.
    • Use the AppleScript export command, adding without access controls removed
  • Added AppleScript support for specifying the target macOS version, i.e. for proper interpretation of packages that use a writable startup volume folder. You can use something like open file "X.pkg" for installing to macOS 10.15
3.5.2 (577) Released on November 3, 2019
  • Ongoing attempts to improve behavior on macOS 10.15 (Catalina):
    • The “Welcome to Suspicious Package” window provides a way to bring back finding packages in Catalina's newly protected folders (Desktop, Downloads and Documents). You can choose Fix and pick which folders you'd like Suspicious Package to search, and it will ask macOS for the appropriate permissions. Read more info here.
    • Opening the Preferences window ought to no longer trigger the “Suspicious Package would like to access files in your Downloads folder” dialog, after upgrading to Catalina. You will still be prompted the first time you use the File > Export Item to Default Folder command, but it should make more sense why that is happening.
  • Fixed a crash that might occur when the installer scripts contain empty property list or strings files (such as inside an app bundled along with the scripts).
  • Improved the handling of XML-format property lists and text-format strings files inside the installer scripts: these are more reliably displayed directly by Suspicious Package, instead of requiring that you open them in another app.
3.5.1 (568) Released on September 2, 2019
  • Updated for general compatibility with macOS 10.15 (Catalina). We fixed a number of problems, but there are some areas where usability has been unavoidably degraded by new restrictions imposed by macOS — most notably, folder access permission dialogs and elimination of “open in app” buttons from the Quick Look preview.
  • Added support for packages that install into an alternate folder on Catalina-format startup disks: see more info.
  • More sensible behavior for the Copy Path for Item command, when pasting into a text context other than the Terminal: instead of producing just the name of the item, it now produces the full path as expected.
  • Fixed other minor bugs.
3.5 (525) Released on June 2, 2019
  • Added Receipts tab, showing information about component packages and any matching receipts found on the startup disk. To access the Receipts info:
    • Use Window > Receipts (Command-6)
    • In the Package Info tab, click on “Previously installed on...” line
    • From the spkg tool, use the new --reveal-receipt option (see usage)
    • From AppleScript, use the new component package element (see Scripting Dictionary)
  • If macOS reports that the package is notarized, Suspicious Package shows this on the Package Info tab, and in the Quick Look preview. This is only when running on macOS 10.14 (Mojave). The notarization status will also be shown by spkg --show-signature, and is available from AppleScript via the new notarized property on the installer package element.
  • Restored individual certificate validity information to the signature detail section of the Quick Look preview.
  • Fixed various minor bugs, including some performance, scripting and accessibility issues.
  • Removed support for macOS 10.12 (Sierra) and OS X 10.11 (El Capitan).
3.4.1 (395) Released on December 10, 2018
  • Improved the “Welcome to Suspicious Package” window to behave better when Spotlight finds non-local packages — such as packages in iCloud Drive or some other download-on-demand cloud provider. (Well, we think it performs better, but we're not in a position to test every cloud provider, and haven't received any actionable information. If you see problems with this and care to help us debug it, please contact us.)
  • Added an Internet Access Policy to Suspicious Package: this is a mechanism defined by Objective Development, the makers of Little Snitch. If you use Little Snitch, you'll get more useful information about Suspicious Package's network connection attempts — which are for one purpose only: the periodic checking for an updated version of the app.
  • Fixed a bug that could cause items to be omitted when exporting a folder from certain unusually constructed packages. (These items were always shown in the All Files tab; this bug affected only the completeness of the export.)
  • Fixed a handful of minor bugs.
3.4 (381) Released on September 17, 2018
  • Enhanced for Dark Mode appearance and accent color preferences on macOS 10.14 (Mojave).
  • Added “Welcome to Suspicious Package” window, giving quick access to recently downloaded packages, and guidance for new users. [Read More]
  • Added ability to open InstallESD.dmg without changing the file extension first. [Read More]
  • Updated for general compatibility with macOS 10.14 (Mojave).
  • This version still works back to OS X 10.11 (El Capitan), but will likely be the last significant update that does.
  • Removed the “Move Old Plug-in to Trash” feature, since the standalone version of the Quick Look plug-in is long gone.
  • Uses TLS (a.k.a. HTTPS) for update checking and for linking to the User Guide and FAQ. (These have been redirecting since July 2018, but we now use HTTPS directly.)
  • Uses the “hardened runtime” and is “notarized” by Apple — these are security features added to macOS 10.14 (Mojave).
  • Fixed a few crashes and a handful of minor bugs.
3.3.2 (300) Released on May 29, 2018
  • Fixed a bug where exporting certain high-level folders would fail, remaining stuck forever as “Waiting for other exports.”
  • A secondary click (i.e. a control-click or a right-click) on an item in the All Files tab will now offer a context menu, similar to the Action menu on the toolbar: this can be used to quickly export or open a particular item that is already under the mouse pointer. This also works for items in the scripts browser.
  • In the Info pane, if you click on the Kind, Owner, Group or Permissions to change the view of that metadata attribute, Suspicious Package will now keep that choice for future windows or tabs (so that you don't have to keep changing it every time). Of course, you can the attribute again at any point; the last view you selected for a given attribute will always be the new default.
3.3.1 (296) Released on January 18, 2018
  • Added the “spkg” command-line tool, which can be used to quickly open a package in Suspicious Package. This can also be used to retrieve information about the package signature from the Terminal (or from a shell script). For more information about the “spkg” tool — and how to install it — see the User Guide.
  • Fixed a bug where the Scripts Browser would sometimes show scripts in an apparently arbitrary order, when using macOS 10.13 (High Sierra) and the Apple File System (APFS).
  • Fixed a bug where the Export Item and Open With commands were incorrectly enabled for receipts, which don't have the actual installed files for exporting or opening. (Of course, those files might actually be installed on the system, depending on what has happened since the install that created the receipt.)
  • Fixed a bug where setting Suspicious Package as the default application for installer packages — via Finder's File > Get Info > Open With > Change All — would cause a generic document icon to be used for packages in the Finder (more info).
3.3 (276) Released on September 15, 2017
  • Added support for macOS 10.13 (High Sierra). This included fixing a crash that might occur when closing windows, and correcting the way that revoked certificates are displayed (they had been shown as generically untrusted rather than as explicitly revoked).
  • If a package has a verified signing time, Suspicious Package now shows that information when you use Window > Signature Details (Command-5). This is particularly interesting when the certificate would be otherwise considered expired.
  • Fixed a problem where a prior install was (sometimes) not noted on the Package Info tab.
  • The Suspicious Package app now tries harder to activate its Quick Look plug-in, especially after the app has been moved or updated, or after macOS has been updated (more info).
  • Removed support for OS X 10.10 (Yosemite) and OS X 10.9 (Mavericks).
  • Updated the license agreement to be a bit more explicit, although it is still quite minimalist. Use Help > License Agreement to access it from within the app.
3.2 (241) Released on September 10, 2016
  • Added support for macOS 10.12 (Sierra).
  • Fixed compatibility problems with Sierra's automatic window tabs feature, including the broken Window > Show Previous Tab and Window > Show Next Tab commands. Read more about window tabs in Suspicious Package.
  • In the Quick Look preview, added Show in Suspicious Package buttons, which open the app directly to a specific file, folder or installer script. From the file browser, hold down the Command key to reveal the Show in Suspicious Package buttons; from the scripts browser, select the script and the button will be shown next to the script name.
  • Especially on Sierra, be sure to download the disk image, not the XIP archive (more info).
3.1 (217) Released on May 30, 2016
  • Added support for exporting a selected file or folder, allowing its content to be inspected:
    • Use File > Export Item — or drag the item into the Finder — to start an export.
    • Click the Exports toolbar button Exports toolbar button to see and manage running and completed exports.
    • From AppleScript, use the new export command to start an export.
  • Added support for opening certain installed files in another application. This includes plain text files and property lists that are reasonably small. Use File > Open Item With.
  • Added a way to reveal an installer script in the Finder, so it can be easily manipulated even if no apps are available to directly open it. Use File > Open Item With > Finder.
  • Searching from the Help menu now finds information from the User Guide and FAQ.
  • Fixed a problem where temporary items (such as installer scripts that had been opened in another application) would not always get deleted when the Suspicious Package window was closed. (OS X would eventually delete these, but Suspicious Package now does a better job of cleaning them up in a timely manner.)
3.0 (152) Released on February 29, 2016
  • Initial app version of Suspicious Package (which now bundles the Quick Look plug-in).
  • Finder-like browsing of installed files, with additional metadata.
  • Viewing of installer scripts in proper editor UI, with clipboard and find support.
  • Ability to open installer scripts in external applications.
  • Support for searching and filtering across files or scripts, and for saving searches.
  • Tracking of browsing history to provide Back and Forward navigation.
  • Tab-based UI, with ability to open multiple tabs for files or scripts.
  • Performs analysis of package and flags potential issues for user review.
  • Scriptability via AppleScript.
  • Support for OS X 10.11 (El Capitan), OS X 10.10 (Yosemite) or OS X 10.9 (Mavericks). Removed support for OS X 10.8 (Mountain Lion).
2.0.2 (49) Released on November 11, 2015
  • Fixed a problem where, for certain untrusted package signatures, the individual certificates may have been shown as valid (when the certificate details were disclosed). The overall package signature status was always shown correctly — as untrusted — but the per-certificate status might have been inconsistent with that top-level untrustworthiness.
  • Fixed a problem where a package with a damaged Bom file would not be reported as an error.
  • Fixed a problem where certain packages that could be installed into the user's home directory (such as Suspicious Package's own package!) would not be designated as such.
  • Fixed a problem with the icons on folders with omitted contents (in packages with an exceptionally large number of files). On OS X 10.11 (El Capitan), these were being shown with a generic document icon, instead of a “private” folder icon.
2.0.1 (45) Released on February 3, 2015
  • Fixed problem introduced by the OS X 10.10.2 update (reported to Apple as Quick Look bug 19664886), where Suspicious Package would show only a mess of un-styled text instead of a proper Quick Look preview.
2.0 (40) Released on September 3, 2014
  • Improved display of files to be installed. Automatically expands to show top-level bundles, frameworks and Unix directories. Option-click on a closed folder to show everything inside it.
  • Shows version information for bundles, where available. Click on the version number to cycle through other available information, such as the bundle identifier.
  • Enhanced and more complete display of package scripts. Click “Runs X install scripts” to see all the scripts in the package, including those invoked by other scripts in a flat-style package. Shows additional information about how scripts are invoked, with what arguments.
  • Shows scripts that may be run immediately upon opening the package, e.g. to check system requirements. These are what trigger the confounding “this package will run a program” warning in the OS X Installer.
  • Shows status of the package signature, if present. Allows examination of the certificate chain used to sign the package [details].
  • Indicates if the package contains plug-ins that customize the Installer UI. These also contain code that may run immediately upon opening the package (and also trigger the “this package will run a program” warning).
  • Added proper support for Macs with Retina displays.
  • Added periodic (monthly) check for future updates to Suspicious Package. When an update is available, a button will appear at the bottom of the Suspicious Package preview window [details].
  • Support for OS X 10.10 (Yosemite), OS X 10.9 (Mavericks) and OS X 10.8 (Mountain Lion). Removed support for OS X 10.7 (Lion) and OS X 10.6 (Snow Leopard).
1.3 (10) Released on January 24, 2012
  • Fixed compatibility problems on Mac OS X 10.7.3 (Lion).
  • No longer supports Mac OS X 10.5 (Leopard) or PowerPC.
1.2 (8) Released on July 19, 2009
  • Upgraded to work on Mac OS X 10.6 (Snow Leopard).
  • Fixed various bugs that caused incorrect previews or a generic preview for specific packages.
1.1 (4) Released on March 1, 2008
  • Added support for metapackages.
  • Fixed problem where the actual installation location was not shown for some packages.
  • Added indication when a package requires authentication with an administrator password.
  • Added indication when a package requires a system restart (or shut down, or log out) after installation.
  • Added indication when a package has install scripts, and an option to view the actual scripts [details].
  • Added support for installer receipts and .bom files.
1.0.1 (2) Released on January 27, 2008
  • Fixed a bug where Suspicious Package would crash — thereby failing to create a Quick Look preview — if there was a non-ASCII character in the path to the package.
1.0 (1) Released on January 18, 2008
  • Initial release of Suspicious Package.