{"id":13815674,"url":"https://github.com/scriptingosx/pkgcheck","last_synced_at":"2025-06-17T06:34:27.176Z","repository":{"id":148495989,"uuid":"197400724","full_name":"scriptingosx/pkgcheck","owner":"scriptingosx","description":"Script to check installer pkgs for deprecated runtime calls","archived":false,"fork":false,"pushed_at":"2022-02-02T12:59:03.000Z","size":30,"stargazers_count":98,"open_issues_count":5,"forks_count":9,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-17T02:49:52.093Z","etag":null,"topics":["administration","macadmin","macos","package","pkg","zsh"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/scriptingosx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-07-17T14:00:43.000Z","updated_at":"2025-01-04T17:27:05.000Z","dependencies_parsed_at":"2023-05-20T08:00:20.296Z","dependency_job_id":null,"html_url":"https://github.com/scriptingosx/pkgcheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/scriptingosx/pkgcheck","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scriptingosx%2Fpkgcheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scriptingosx%2Fpkgcheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scriptingosx%2Fpkgcheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scriptingosx%2Fpkgcheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/scriptingosx","download_url":"https://codeload.github.com/scriptingosx/pkgcheck/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/scriptingosx%2Fpkgcheck/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260307742,"owners_count":22989802,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["administration","macadmin","macos","package","pkg","zsh"],"created_at":"2024-08-04T04:03:51.647Z","updated_at":"2025-06-17T06:34:27.094Z","avatar_url":"https://github.com/scriptingosx.png","language":"Shell","readme":"# Check Installer Pkgs for deprecated scripts\n\nmacOS 10.15 Catalina [deprecated the built-in `/bin/bash`](https://support.apple.com/en-us/HT208050). [I have talked about this at length](https://scriptingosx.com/2019/06/moving-to-zsh/).\n\nThe [release notes for Catalina](https://developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_beta_6_release_notes) also tell us that other built-in scripting runtimes, namely Python, Perl, and Ruby. Will not be included in future macOS releases (post-Catalina) any more.\n\n[Starting with macOS 12.3](https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes), the Python 2.7 binary `/usr/bin/python` will _not_ work anymore. Calls to `python` will fail.\n\nThis means, that if you want to use bash, Python, Perl, or Ruby on macOS, you will have to install, and maintain your own version in the future.\n\nHowever, scripts in installation packages, _cannot_ rely on any of these interpreters being available in future, post-Catalina versions of macOS. Installer pkgs can be run in all kinds of environments and at all times, and you would not want them to fail, because a dependency is missing.\n\nIf you are building installation scripts, you need to check if any of the installation scripts use one of these interpreters and fix them.\n\n\u003e I recommend to use `/bin/sh` for installation scripts, since that will run in _any_ macOS context, even the Recovery system and a 'future' macOS that may not have `/bin/bash` \n\nIf you are using third-party installer packages, you may also want to check them for these interpreters, and notify the developer that these packages will break in future versions of macOS.\n\nTo check a flat installer package, you would expand it with `pkgutil --expand` and then look at script files in the `Scripts` folder. This will work fine for a package or two, but gets tedious really quickly, especially with large distribution pkgs with many components (e.g. Office).\n\nSo... I wrote a script to do it. The script should handle normal component pkgs, distribution pkgs and the legacy bundle pkgs and mpkgs. It will also \n\n## What the script does\n\nOnce I had written the code to inspect all these types of pkgs, I realized I could grab all _other_ kinds of information, as well. The `pkgcheck.sh` script will check for:\n\n- Signature _and_ Notarization\n- Type of Package: Component, Distribution, legacy bundle or mpkg\n- Identifier and version (when present)\n- Install-location\n- for Distribution and mpkg types, shows the information for all components as well\n- for every script in a pkg or component, checks the first line of the script for shebangs of the deprecated interpreters (`/bin/bash`, `/usr/bin/python`, `/usr/bin/perl`, and `/usr/bin/ruby`, also using these binaries with `/usr/bin/env`) and print a warning when found\n- `/usr/bin/python` and `/usr/bin/env python` will show an error\n- if the script contains the string `python` (that is not in a comment line) it will also show an error, this might generate some false positives (for example, calls to `python3` will also trigger this, but they would probably be problematic, as well)\n\n## How to run pkgcheck.sh\n\nRun the script with the target pkg file as an argument:\n\n```\n% ./pkgcheck.sh sample.pkg\n```\n\nYou can give more than one file:\n\n```\n% ./pkgcheck.sh file1.pkg file2.pkg ...\n```\n\nWhen you pass a directory, `pkgcheck.sh` will _recursively_ search for all files or bundle directories with the `pkg` or `mpkg` extension in that directory:\n\n```\n% ./pkgcheck.sh SamplePkgs\n```\n\n## Features and Errors\n\nThere are a few more things that I think might be useful to check in this script. Most of all, I want to add an indicator whether a component is enabled by default or not. If you can think of any other valuable data to display, let me know. (Issue or Pull Request or just ping me on MacAdmins Slack)\n\nI have tested the script against many pkgs that I came across. However, there are likely edge cases that I haven't anticipated, which might break the script. If you run into any of those, let me know. (File an Issue or Pull Request.) Having the troublesome pkg would of course be a great help.\n\nNote: the script will create a `scratch` directory for temporary file extractions. The script doesn't actually expand the entire pkg file, only the `Scripts` sub-archive. The `scratch` folder will be cleaned out at the beginning of the next run, but not when the script ends, as you might want to do some further inspections.\n\n## Sample outputs\n\nThis is a sample pkg I build in my book, it has pre- and postinstall scripts using a `/bin/bash` shebang:\n\n```\n% ./pkgcheck.sh SourceCodePro-2.030d.pkg\nSourceCodePro-2.030d\nSamplePkgs/SourceCodePro-2.030d.pkg\nSignature:      None\nNotarized:      No\nType:           Flat Component PKG\nIdentifier:     com.example.SourceCodePro\nVersion:        2.030d\nLocation:       /\nContains 2 resource files\npostinstall has shebang #!/bin/bash\npreinstall has shebang #!/bin/bash\n```\n\nThis is the experimental _notarized_ pkg installer for [`desktoppr`](https://github.com/scriptingosx/desktoppr):\n\n```\n% ./pkgcheck.sh desktoppr-0.2.pkg\ndesktoppr-0.2\nSamplePkgs/desktoppr-0.2.pkg\nSignature:      Developer ID Installer: Armin Briegel (JME5BW3F3R)\nNotarized:      Yes\nType:           Flat Component PKG\nIdentifier:     com.scriptingosx.desktoppr\nVersion:        0.2\nContains 0 resource files\n```\n\nAnd finally, this is a big one, the Microsoft Office installer: (they have some work to do to clean up those scripts)\n\n```\n% ./pkgcheck.sh Microsoft\\ Office\\ 16.27.19071500_Installer.pkg\nMicrosoft Office 16.27.19071500_Installer\nSamplePkgs/Microsoft Office 16.27.19071500_Installer.pkg\nSignature:      Developer ID Installer: Microsoft Corporation (UBF8T346G9)\nNotarized:      No\nType:           Flat Distribution PKG\nContains 11 component pkgs\n\n    Microsoft_Word_Internal\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_Word.app\n    Version:        16.27.19071500\n    Location:       /Applications\n    Contains 3 resource files\n\n    Microsoft_Excel_Internal\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_Excel.app\n    Version:        16.27.19071500\n    Location:       /Applications\n    Contains 2 resource files\n\n    Microsoft_PowerPoint_Internal\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_PowerPoint.app\n    Version:        16.27.19071500\n    Location:       /Applications\n    Contains 2 resource files\n\n    Microsoft_OneNote_Internal\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_OneNote.app\n    Version:        16.27.19071500\n    Location:       /Applications\n    Contains 2 resource files\n\n    Microsoft_Outlook_Internal\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_Outlook.app\n    Version:        16.27.19071500\n    Location:       /Applications\n    Contains 2 resource files\n\n    OneDrive\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.OneDrive\n    Version:        19.70.410\n    Location:       /Applications\n    Contains 30 resource files\n    postinstall has shebang #!/bin/bash\n    od_logging has shebang #!/bin/bash\n    od_service has shebang #!/bin/bash\n    od_migration has shebang #!/bin/bash\n    preinstall has shebang #!/bin/bash\n\n    Office16_all_autoupdate\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Microsoft_AutoUpdate.app\n    Version:        4.13.19071500\n    Location:       /Library/Application Support/Microsoft/MAU2.0\n    Contains 2 resource files\n    postinstall has shebang #!/bin/bash\n    preinstall has shebang #!/bin/bash\n\n    Office16_all_licensing\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.pkg.licensing\n    Version:        16.27.19071500\n    Location:       /\n    Contains 2 resource files\n    dockutil has shebang #!/usr/bin/python\n\n    Office_fonts\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.DFonts\n    Version:        0\n    Location:       /private/tmp/com.microsoft.package.DFonts\n    Contains 1 resource files\n    postinstall has shebang #!/bin/bash\n\n    Office_frameworks\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Frameworks\n    Version:        0\n    Location:       /private/tmp/com.microsoft.package.Frameworks\n    Contains 1 resource files\n    postinstall has shebang #!/bin/bash\n\n    Office_proofing\n    Type:           Flat Component PKG\n    Identifier:     com.microsoft.package.Proofing_Tools\n    Version:        0\n    Location:       /private/tmp/com.microsoft.package.Proofing_Tools\n    Contains 1 resource files\n    postinstall has shebang #!/bin/bash\n\n```\n\n\n","funding_links":[],"categories":["Shell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscriptingosx%2Fpkgcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fscriptingosx%2Fpkgcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fscriptingosx%2Fpkgcheck/lists"}