The table below summarizes the released versions of Suspicious Package, and what
fixes and enhancements were made to each version. You can determine the
version you have installed from Suspicious Package > About Suspicious Package,
or from the Welcome to Suspicious Package window.
Release History for Suspicious Package
Released on July 27, 2023
Fixed a bug that could cause the Quick Look Preview extension — shown as
“Suspicious Package (Finder)” in Activity Monitor — to burn up CPU long after
a preview has been generated. This was triggered when spctl(8) took too long
to return notarization status, and Suspicious Package didn't clean up properly — combined
with some unfortunate behavior in macOS (reported to Apple as FB12757911, for what that's worth).
This could also happen in the app, but it might not manifest as an issue there, especially if you're
in the habit of quitting apps after using them.
Released on April 4, 2023
Added a new “Open With Suspicious Package” service, available from the Finder when
a package is selected. This takes the place of the Finder's Open With
context menu, which as of macOS 13.3, no longer shows anything except the official macOS Installer.
Added preference to set the fixed-width font for viewing scripts on the All Scripts
tab, in place of 11 point Menlo. Go to
Suspicious Package > Preferences > General > Plain text font
and click Select to choose from the standard font panel.
Added support for using Araxis Merge
for the File > Compare Packages command. This can be configured via
Suspicious Package > Preferences > Compare > Compare Packages Using.
Improved Quick Look previews for certain types of scripts from the All Files tab.
Specifically, where a script installed by the package doesn't have an explicit
extension, but Suspicious Package can tell it's a script by virute of the #!
directive, it will now preview as the source text, instead of a generic executable
file (which even if you had Apparency installed, was unlikely to be interesting,
since scripts are not going to be code-signed in the package payload).
Added File > Open Package With Archaeology, for when you need
a lower-level view of the package signature details.
Provided a way to change where Suspicious Package writes the various temporary files
that are required to analyze a package and export items from it. This is a “power user”
feature and comes with a number of caveats, as discussed in great detail here.
Released on December 14, 2022
Fixed a crash that could occur when using File > Compare Packages Using BBEdit.
The comparison actually would start correctly, but Suspicious Package would get impatient waiting for
the bbdiff tool to exit, and would crash in the background after a couple of minutes. Now it will properly
wait until the BBEdit window is closed, and proceed to clean up the temporary files it created.
When choosing Copy Path to Item (from the toolbar Action menu or the context menu),
hold down the Option key to put a strictly plain text path on the clipboard. This can avoid problems pasting
into apps that would otherwise try to read and interpret the referenced file. See more information
When viewing scripts on the All Scripts tab, Suspicious Package will now respect any fixed-width font
size preference: read more about that here.
Released on October 22, 2022
Compatibility updates for macOS 13 (Ventura), including:
Recognize new bundled launchd plists (for the new
as being of kind “Launchd job configuration.”
Stubbornly refuse to let our Preferences menu item
be renamed to “Settings.” Sure, it's very generous of Apple to
to automatically change this one string for us, but the menu item is referenced in
dozens of other places in our alerts and documentation, and we just don't
see the value in changing every one of those and having them be wrong for users on
Monterey and Big Sur...
Added the File > Export as Diffable Manifest command.
A “diffable manifest” is a
folder that contains metadata about the installed files, scripts and other package
attributes, in a way that can be archived and compared. For example, you might store
the manifest in a Git repository, and then use git diff[tool]
to compare different versions...
Or, if you have two versions of a package that you want to compare directly, you
can ask Suspicious Package to create both diffable manifests and dispatch them
to a comparison tool of your choice. Open both packages, and use
File > Compare Packages. Rather than reinventing the
wheel of file and folder comparison, we opted to leverage
existing tools, such as Kaleidoscope and BBEdit.
Go to Suspicious Package > Preferences > Compare to choose
the comparison tool (and configure other options related to diffable manifests).
Allow for Quick Look previews of items on the All Scripts tab, via any of
the usual methods — including just hitting the spacebar. Depending on what
Quick Look preview extensions you have installed, this can be useful to get,
for example, a syntax-colored view of a complicated script. Or if a script
is some binary format, such as a Mach-O executable, an app like our own
Apparency can provide a more useful preview.
(Of course, Suspicious Package has always supported opening scripts in another
application, e.g. via Shift-Cmd-O, but this provides an non-context-switching alternative.)
When requesting Quick Look previews (either from the All Files tab or now from
the All Scripts tab), Suspicious Package tries to “convince” macOS to choose a
better preview extension for some files, by making a temporary copy with an
adjusted file name. For example, on the All Scripts tab, a script named postinstall
might be uselessly previewed as a Unix Executable File, but if Suspicious Package knows
it's a Python script (from the #! directive), we will ask Quick Look to preview
it as postinstall.py instead -- thus showing the actual source text of the script.
Likewise, on the All Files tab, a file named rules.dict might be previewed as
a generic Document, but if Suspicious Package finds that the content is a macOS property
list, we'll ask Quick Look to preview it as rules.dict.plist, showing the
property list in XML form. When this trick is used, Suspicious Package will show a pencil icon next
to the file name at the top of the preview: click this for details about the
file kinds that Suspicious Package inferred and how it renamed the temporary copy.
Fix (we hope) a problem where a Quick Look preview would sometimes show a
“broken app” icon — that is, the regular app icon with the circle-slash over it.
There is some strange macOS bug here, which would resolve itself if the same item
was previewed again, but Suspicious Package now tries harder to prevent it from
happening in the first place.
Fix a problem where the Quick Look preview for a macOS Full Installer package
might fail to show the macOS version information, saying “Can't get the macOS version in this
full installer package.” This seemed to happen only if the package was quarantined.
On the All Files tab, show the Date Modified for folders and other directories.
Suspicious Package has historically not shown these, because the package metadata
(i.e. the Bom file) didn't capture them. But with the enhancements in version 4.2 to read
more info from the payload (CPIO), it is possible to get directory timestamps.
These modification times usually do get preserved by the macOS Installer, with
some exceptions, such as for bundles that get registered with LaunchServices,
and directories that already existed prior to the installation.
When using File > Show Destination Folder in Finder or
Edit > Copy from the All Files tab (or their equivalents from
the toolbar action menu), Suspicious Package will now check to see if the package was
previously installed in your home directory (per an existing receipt), and if so, will
qualify the path accordingly. Suspicious Package doesn't generally try to predict
where the package might be installed, but in this case, the receipt provides a decent
clue where it already has been installed.
Mitigated potential vulnerabilities related to
and the macOS “Saved Application State” feature. This is the mechanism that
reopens app windows in the same state after a restart
(if Reopen windows when logging back in is checked on the confirmation alert)
or after quitting and reopening the app
(with Close windows when quitting an appunchecked in
System Preferences > General). While we were working in this area,
we improved the performance and efficiency of this state-saving, particularly where
Close windows when quitting an app is unchecked.
In the (probably) rare case where a package contains a “simplified” Bom (one
that lists file paths but has no other metadata), Suspicious Package will now
highlight this with a critical review warning. It will still show the info that it
did find in the Bom, a bit less confusingly than before.
Fix the (probably) rare cases in which Suspicious Package would report that a Scripts
archive “is compressed and can't be streamed.” Some xar-format packages are, for
some unknown reason, built such that the usual encoding attributes are missing
from the TOC. Since the macOS Installer is not bothered by this, Suspicious
Package should not complain about it either.
Enhancements to the spkg command line tool:
The new --manifest option exports a diffable manifest for a package without
having to open it in the app. This uses the same options as set in the app via
Suspicious Package > Preferences > Compare.
The new --difftool option compares two packages without having to open them
in the app. As with File > Compare Packages, the diffable manifests are created
in a temporary location and deleted again when the diff tool exits. This uses
the same comparison app (and the same diffable manifest options) as set in the app via
Suspicious Package > Preferences > Compare.
Run spkg without arguments to see usage details for these.
Enhancements to the AppleScript support:
The File > Export as Diffable Manifest command can
be used via a new AppleScript command, e.g. export diffable manifest to folder
Consult the Suspicious Package scripting dictionary for details and examples.
Removed support for macOS 10.15 (Catalina).
Released on April 10, 2022
The Review tab no longer warns that Bash installer scripts are using a
“deprecated runtime” — read more about that here.
Installer scripts using the built-in Python, Perl or Ruby runtimes will
still trigger this warning, however.
Fixed a crash that could occur when opening any package, triggered by a certain
configuration of macOS language preferences. (Specifically, where the AppleLanguages key
is not defined in the per-user global defaults, which happens for some users for mysterious reasons.)
Show a less confusing error on the Package Info tab in the case where a
component package is missing or corrupted. Previously,
this would say that the package “couldn't be opened,” but it wasn't clear that this was
referring to the component package. Also, this scenario no longer causes an incorrect
package format suggesting there are external components.
Some updated French translations that didn't make it into version 4.2.
Released on March 14, 2022
Extracts more information from the actual payload which would be installed by a package:
Shows the Executable architectures for apps, bundles and
standalone executables, in the info pane of the All Files tab.
Shows the Entitlements requested by apps and other executables,
via button in the info pane of the All Files tab, or by using
File > Show Entitlements for Item (Cmd-Control-E).
This entitlements inspector also
provides direct links to Apple documentation for specific entitlement keys, where available.
Improves accuracy of the Kind for certain items on the All Files
tab, especially Mach-O executables, scripts and variations on property list files.
Shows the Identifier and Version, on the
info pane of the All Files tab, even for bundles that aren't fully declared by the
Provides access to the code signing identity — also known as a “designated requirement”
— for apps or other executables, via Copy Code Signing Identity for Item
from the toolbar Action button or from the (Control-click) context menu.
Adds new filters for rule-based searching from the All Files tab:
contains code to find all apps, bundles
(with code) and standalone executables in the package
executable architecture that supports or
doesn't support a specific processor architecture — such as
Apple Silicon — to find where required support may be missing
is entitled code to find all apps or other executables
that request any entitlements
entitlement key to find apps or other executables that
request a specific entitlement
code signing identity to find apps or other executables
by their designated requirement string (or a portion thereof)
For a package with a large payload, it may take some time for Suspicious Package to
finish analyzing that payload and make all of the above information available. On the All Files tab,
the progress for “Analyzing payload” will appear in the status bar. Once this completes,
the info pane and any rule-based search will update accordingly.
More information about processor support on the Package Info tab: instead of
just telling you what the package metadata declares (and if the macOS Installer
will run under Rosetta 2), Package Info summarizes the state of all executable items in the package,
so you can see at a glance if, say, “all executable items support Apple Silicon and Intel processors.”
The Package Info tab summarizes the entitlements requested across all executable items in the package:
click on this line — or use File > Show Entitlements for All Executables
(Cmd-Control-A) — to show a single “merged” view of all entitlements. You can
also select an entitlement and copy the identifying information for all apps and other executables that
request it, in a form that can be pasted directly into a PPPC Profile.
The Package Info tab shows if a notarized package has also been “stapled.” If it
has been, you can click on this line to show details from the
notarization ticket, including the digests that it contains and how they correspond to apps
and other executables inside the package.
The Review tab shows warnings for any discrepancies between the bundle identifier or version
as declared by the package and that found in the payload.
When using File > Show Item as Property List (Cmd-Option-O) on an
Info.plist file, the property list inspector provides direct links to Apple documentation
for specific plist keys, where available.
The Review tab warns about any installer scripts that are using built-in runtimes which Apple has
declared as “deprecated” (and which they are already starting to remove). This can alert
you if the package might not work correctly in newer versions of macOS.
A new filter on the All Scripts tab for script uses deprecated runtime also
lets you see all scripts which might be problematic.
Improves accuracy of the Kind of some items on the All Scripts tab, especially
where there is an explicit extension that doesn't quite match the #! directive.
Recognizes packages with TestFlight signatures as Apple-signed things, akin to App Store-signed packages.
Enhancements to AppleScript terminology to support the above improvements:
New supported architectures property on installed item to retrieve
architectures contained in an app or other executable item
New supports command to test if an item will run on a specified processor, to avoid having to
match multiple related architecture types (e.g. an arm64e processor can run arm64e or arm64 code,
so supports processor arm64e will match either).
New entitlement elements on installed items, which can be retrieved
en masse or for a specific entitlement key.
New requests command to test a possibly complex entitlement for the
presence of a specific value.
New content type for the find command, to more efficiently loop over the results of
find code and use the supports or requests command, without
having to iterate every file in the package.
New entitlement property list data property on installed item to retrieve the
entire set of entitlements as an XML-serialized property list, for writing to disk and/or passing off to some
New code signing identity property on installed item to retrieve the designated
New code signing digests property to retrieve the cdhashes associated with an
installed item (there is one per architecture, so having multiple is not uncommon).
Use Help > Open Scripting Dictionary for more information and new sample code.
Fixed problems where the AppleScript export command would sometimes not actually perform
the export, especially if the installed items were not previously accessed by the script,
and/or if the document is closed immediately after the export command.
Shows the version and build of macOS that would be installed.
Shows the additional package size occupied by system file payload.
Provides quick access to mount the embedded disk image.
Also available from Quick Look Preview (on macOS 11 or later).
The attributes on the info pane are more universally selectable and copyable.
Added a new Review warning for packages that install files into temporary
locations such as /tmp, which are probably being moved
elsewhere during a postinstall script. While this might “work”
in the simplest case, it can be troublesome. Especially if you are using any kind
of automated deployment mechanism, you may be interested in knowing when packages do this.
Added support for new compression styles in macOS installer package payloads, possible
with the new (to macOS 12) ‑‑compression
option on pkgbuild(1). It's undocumented exactly which styles of
compression might actually be enabled by this flag — we suspect only
LZMA block-based compression, which Suspicious Package already supported —
but we now support everything that the standard compression_tool(1) does.
Fixed some longstanding bugs with the handling of the Action and
Path toolbar buttons when they are pushed into overflow section or
used in Text Only mode.
Removed support for macOS 10.14 (Mojave).
Removed legacy Quick Look preview generator, which we weren't testing or
supporting on anything beyond Mojave. These old style of Quick Look
generators have been deprecated by Apple for some years now.
Released on August 28, 2021
Refreshed the UI to better fit the aesthetic of the Central Coast era of macOS.
Compatibility updates for macOS 12 (Monterey), including:
Added support for the new “large payload” feature of macOS Installer packages.
This feature, enabled by the ‑‑large‑payload option of
pkgbuild(1) or productbuild(1), is required if the package
delivers any single file that exceeds 8 GB in size. Suspicious Package will now properly
analyze and export from such packages, even when running on macOS 11 or earlier
(although only the macOS 12 Installer will properly install the package).
Fixed a crash that would occur — at least on some beta versions of Monterey —
when a matching receipt is found for the opened package.
Added information about the package format to the Package Info
tab: this identifies the structure of the package (such as “Distribution Archive” or
“Component Package”) and may be relevant if you are using certain mass deployment
mechanisms. However, if you are just going to double-click the package to open the Installer, this is probably
not something you need to be concerned with.
Added the ability to search the installed files based on the POSIX mode of the file or folder.
For example, you can use a rule like
file modesets any bit in mask0022,
which will show any files or folders that are installed as writable to group or everyone.
See this FAQ entry for detailed instructions and examples.
Added the ability to search the installed files based on the component package
that installs it. This was possible before using a package ID rule, but required
re-entering the component package identifier; the new component package rule type
has a pop-up to make selection easier, and shows package names as well as identifiers.
Added an option in Suspicious Package > Preferences > General to
Show PackageInfo files on All Scripts tab. Turn this on to see the original
PackageInfo XML file from each component package, grouped with the scripts on the All Scripts tab.
Suspicious Package already interprets these files, and presents the information in them in what we
hope is a more useful way. But if you need to see the underlying file, this makes it more convenient.
Attempted to improve the handling of the review issue flagging that “one or more
scripts in this package may be run when the macOS Installer opens...” Specifically,
the Show Scripts That Run on Open button wouldn't actually show the
Distribution file, which is often necessary for understanding what exactly will run. Also,
Suspicious Package will now give you the option of turning on the preference that
controls showing the Distribution.
Fixed a bug that could cause the count of installed items on the Package Info tab
to be incorrect, usually by a small number. This was a longstanding discrepancy
related to the way that package Bom files get read and merged.
Fixed display of some unusual and archaic item names, such as “Icon^M”.
Released on March 7, 2021
Runs natively on Apple Silicon Macs.
Improved compatibility with macOS 11 (Big Sur), including:
Adopted the new “unified” style for the toolbar, and updated the icons
to fit in better with the general Big Sur “design language” —
especially when the toolbar is configured for Icon Only mode.
Updated to a new iOS-style
Big Sur-style app icon. We're still not fans, but since our app icons were all
circles before, we can't get too snotty about them all being “squircles”
now. Having every icon on the system be the same shape seems a dubious improvement
to macOS, but our icons aren't going to change anything.
Fixed other display and icon issues throughout the app.
Added information about the supported processor architectures to the Package Info
tab. This is relevant when running on an Apple Silicon Mac, where
a package that doesn't explicit declare its support will wind up running the
macOS Installer under Rosetta 2.
Made the Quick Look preview more usable from the Finder's preview pane, i.e.
View > Show Preview. Since the preview pane is typically much smaller,
and since some information is shown directly by the Finder at the bottom of that
pane, Suspicious Package now uses a more compact format here. When using View > as Gallery,
or the classic separate window of File > Quick Look Item,
Suspicious Package still creates a larger and more complete preview. Unfortunately,
Apple provides no proper way for us to detect what context we're being shown in, so
there's a bit of guesswork involved here, but we think it at least works better than it did.
Fixed some bugs in the handling of the toolbar, including the fact that changes made via
View > Customize Toolbar did not get saved, and that items
pushed into the trailing “overflow” section of the toolbar did not get enabled properly.
Fixed a bug where the Terminal might be chosen as a logical default app for opening
a non-text install script, such as a Mach-O binary: this never should've been
suggested as a default, since it would run the binary and would be unsafe.
Instead, Suspicious Package now chooses to show the item in the Finder if there's no more logical default.
Fixed a bug in handling the unusual situation in which a package contains a
folder whose name ends with a space character. Suspicious Package would show
two versions of the folder, and could produce spurious Review messages about
sizes being incorrect.
Released on October 15, 2020
Updated for general compatibility with macOS 11 (Big Sur) — albeit with some caveats.
Added French localization — thanks to Olivier Prompt for making this possible!
For macOS 10.15 (Catalina) and later, Quick Look previews are now generated by a
Quick Look Preview Extension: this changes the information
available in the preview. The old-style Quick Look generators were deprecated by Apple.
Added File > Show as Property List for inline viewing (and searching) of
“All Openable Items” that are recognized as some sort of property list —
such as Info.plist files.
Better handle packages with no component packages, especially where these run code on opening the macOS Installer.
If a package is corrupted in some way and can't be opened at all, gives better
feedback, especially from the Welcome to Suspicious Package window, which used to
just quietly do nothing in this case.
Improved inferencing of file types in the All Scripts tab, especially
for interpreted scripts with more complex #! incantations.
Better handling of compiled AppleScript (scpt) files in the All Scripts tab,
no longer mistaking them for plain text, nor causing Quick Look previews to fail
as a result.
Removed support for macOS 10.13 (High Sierra).
Released on April 12, 2020
The Receipts tab (added in version 3.5) is now visible automatically. Previously, it would be added
only when you clicked on the Previously Installed line
in the Package Info tab or used Window > Receipts, but this
proved difficult to discover. If you find this annoying and want to go back to the previous
behavior, turn off Preferences > General > Show Receipts tab.
Added File > Show Package in Finder (Cmd-Option-R)
Added Edit > Copy Path for Package (Cmd-Option-C)
When exporting a file or folder, you can now prevent Suspicious Package from
stripping off any access control lists that were defined by the package.
Normally, we strip these by default, because the ACLs might prevent the exported
item from being removed again, which can be confusing. But if you know
what you're doing, you might want to inhibit this. You can either:
Use File > Export Item, and uncheck Remove any access controls from exported items
before clicking Save.
Use the AppleScript export command, adding without access controls removed
Added AppleScript support for specifying the target macOS version, i.e. for
proper interpretation of packages that use a writable startup volume folder.
You can use something like open file "X.pkg" for installing to macOS 10.15
Released on November 3, 2019
Ongoing attempts to improve behavior on macOS 10.15 (Catalina):
The “Welcome to Suspicious Package” window provides a way
to bring back finding packages in Catalina's newly protected folders
(Desktop, Downloads and Documents). You can choose Fix
and pick which folders you'd like Suspicious Package to search, and it will ask
macOS for the appropriate permissions. Read
more info here.
Opening the Preferences window ought to no longer trigger the “Suspicious Package would like to
access files in your Downloads folder” dialog, after upgrading to Catalina.
You will still be prompted the first time you use the File > Export Item to Default Folder
command, but it should make more sense why that is happening.
Fixed a crash that might occur when the installer scripts contain empty property
list or strings files (such as inside an app bundled along with the scripts).
Improved the handling of XML-format property lists and text-format strings
files inside the installer scripts: these are more reliably displayed directly by
Suspicious Package, instead of requiring that you open them in another app.
Released on September 2, 2019
Updated for general compatibility with macOS 10.15 (Catalina). We fixed a number of
problems, but there are some areas where usability has been unavoidably degraded by new
restrictions imposed by macOS — most notably,
folder access permission dialogs
and elimination of “open in app” buttons from the Quick Look preview.
Added support for packages that install into an alternate folder on
Catalina-format startup disks: see more info.
More sensible behavior for the Copy Path for Item command,
when pasting into a text context other than the Terminal: instead of producing just
the name of the item, it now produces the full path as expected.
Fixed other minor bugs.
Released on June 2, 2019
Added Receipts tab, showing information about component packages and any
matching receipts found on the startup disk. To access the Receipts info:
Use Window > Receipts (Command-6)
In the Package Info tab, click on “Previously installed on...” line
From the spkg tool, use the new --reveal-receipt option (see usage)
From AppleScript, use the new component package element (see Scripting Dictionary)
If macOS reports that the package is notarized, Suspicious Package
shows this on the Package Info tab, and in the Quick Look preview. This is only when running on macOS 10.14 (Mojave).
The notarization status will also be shown by spkg --show-signature, and is available from
AppleScript via the new notarized property on the installer package element.
Restored individual certificate validity information to the signature detail
section of the Quick Look preview.
Fixed various minor bugs, including some performance, scripting and accessibility issues.
Removed support for macOS 10.12 (Sierra) and OS X 10.11 (El Capitan).
Released on December 10, 2018
Improved the “Welcome to Suspicious Package” window to behave
better when Spotlight finds non-local packages — such as packages
in iCloud Drive or some other download-on-demand cloud provider. (Well, we think
it performs better, but we're not in a position to test every cloud provider, and
haven't received any actionable information. If you see problems with this and care to help
us debug it, please contact us.)
Fixed a bug that could cause items to be omitted when exporting a folder from
certain unusually constructed packages. (These items were always shown in the All
Files tab; this bug affected only the completeness of the export.)
Fixed a handful of minor bugs.
Released on September 17, 2018
Enhanced for Dark Mode appearance and accent color preferences on macOS 10.14 (Mojave).
Added “Welcome to Suspicious Package” window, giving
quick access to recently downloaded packages, and guidance for new users.
Added ability to open InstallESD.dmg without changing the file
extension first. [Read More]
Updated for general compatibility with macOS 10.14 (Mojave).
This version still works back to OS X 10.11 (El Capitan), but will likely
be the last significant update that does.
Removed the “Move Old Plug-in to Trash” feature, since the
standalone version of the Quick Look plug-in is long gone.
Uses TLS (a.k.a. HTTPS) for update checking and for linking to the
User Guide and FAQ. (These have been redirecting since July 2018, but we now use HTTPS directly.)
Fixed a bug where exporting certain high-level folders would fail, remaining stuck forever
as “Waiting for other exports.”
A secondary click (i.e. a control-click or a right-click) on an item in the All Files
tab will now offer a context menu, similar to the Action menu on the toolbar: this can be
used to quickly export or open a particular item that is already under the mouse pointer.
This also works for items in the scripts browser.
In the Info pane, if you click on the Kind, Owner, Group or Permissions to change the view of that metadata
attribute, Suspicious Package will now keep that choice for future windows or tabs (so that you don't
have to keep changing it every time). Of course, you can the attribute again at any point; the last view you
selected for a given attribute will always be the new default.
Released on January 18, 2018
Added the “spkg” command-line tool, which can be used to quickly open a package in
Suspicious Package. This can also be used to retrieve information about the package signature from
the Terminal (or from a shell script). For more information about the “spkg” tool —
and how to install it — see the User Guide.
Fixed a bug where the Scripts Browser would sometimes show scripts in an apparently arbitrary order, when
using macOS 10.13 (High Sierra) and the Apple File System (APFS).
Fixed a bug where the Export Item and Open With commands were
incorrectly enabled for receipts, which don't have the actual installed files
for exporting or opening. (Of course, those files might actually be installed on the system, depending on what has
happened since the install that created the receipt.)
Fixed a bug where setting Suspicious Package as the default application for installer packages —
via Finder's File > Get Info > Open With > Change All — would cause a generic
document icon to be used for packages in the Finder (more info).
Released on September 15, 2017
Added support for macOS 10.13 (High Sierra). This included fixing a crash that might occur
when closing windows, and correcting the way that revoked certificates are displayed (they had been
shown as generically untrusted rather than as explicitly revoked).
If a package has a verified signing time, Suspicious
Package now shows that information when you use Window > Signature Details
(Command-5). This is particularly interesting when the certificate would be otherwise considered expired.
Fixed a problem where a prior install was (sometimes) not noted on the Package Info tab.
The Suspicious Package app now tries harder to activate its Quick Look plug-in, especially after
the app has been moved or updated, or after macOS has been updated
Removed support for OS X 10.10 (Yosemite) and OS X 10.9 (Mavericks).
Updated the license agreement to be a bit more explicit, although it is still
quite minimalist. Use Help > License Agreement to access it from within the app.
Released on September 10, 2016
Added support for macOS 10.12 (Sierra).
Fixed compatibility problems with Sierra's automatic window tabs feature, including the broken
Window > Show Previous Tab and Window > Show Next Tab
commands. Read more about window tabs in Suspicious Package.
In the Quick Look preview, added Show in Suspicious Package buttons, which
open the app directly to a specific file, folder or installer script. From the file browser, hold down
the Command key to reveal the Show in Suspicious Package buttons; from the
scripts browser, select the script and the button will be shown next to the script name.
Added support for exporting a selected file or folder, allowing its content to be inspected:
Use File > Export Item — or drag the item into the Finder — to start an export.
Click the Exports toolbar button
to see and manage running and completed exports.
From AppleScript, use the new export command to start an export.
Added support for opening certain installed files in another application. This includes plain text files
and property lists that are reasonably small. Use File > Open Item With.
Added a way to reveal an installer script in the Finder, so it can be easily manipulated even if no
apps are available to directly open it. Use File > Open Item With > Finder.
Searching from the Help menu now finds information from the
User Guide and FAQ.
Fixed a problem where temporary items (such as installer scripts that had been opened in
another application) would not always get deleted when the Suspicious Package
window was closed. (OS X would eventually delete these, but Suspicious Package
now does a better job of cleaning them up in a timely manner.)
Released on February 29, 2016
Initial app version of Suspicious Package (which now bundles the Quick Look plug-in).
Finder-like browsing of installed files, with additional metadata.
Viewing of installer scripts in proper editor UI, with clipboard and find support.
Ability to open installer scripts in external applications.
Support for searching and filtering across files or scripts, and for saving searches.
Tracking of browsing history to provide Back and Forward navigation.
Tab-based UI, with ability to open multiple tabs for files or scripts.
Performs analysis of package and flags potential issues for user review.
Scriptability via AppleScript.
Support for OS X 10.11 (El Capitan), OS X 10.10 (Yosemite) or OS X 10.9 (Mavericks).
Removed support for OS X 10.8 (Mountain Lion).
Released on November 11, 2015
Fixed a problem where, for certain untrusted package signatures, the individual
certificates may have been shown as valid (when the certificate details were disclosed).
The overall package signature status was always shown correctly — as untrusted —
but the per-certificate status might have been inconsistent with that top-level untrustworthiness.
Fixed a problem where a package with a damaged Bom file would not be reported as
Fixed a problem where certain packages that could be installed into the user's home
directory (such as Suspicious Package's own package!) would not be designated as such.
Fixed a problem with the icons on folders with omitted contents (in packages with an
exceptionally large number of files). On OS X 10.11 (El Capitan), these were being
shown with a generic document icon, instead of a “private” folder icon.
Released on February 3, 2015
Fixed problem introduced by the OS X 10.10.2 update (reported to Apple as Quick Look bug
where Suspicious Package would show only a mess of un-styled text instead of a proper
Quick Look preview.
Released on September 3, 2014
Improved display of files to be installed. Automatically expands to
show top-level bundles, frameworks and Unix directories. Option-click
on a closed folder to show everything inside it.
Shows version information for bundles, where available. Click on the version number
to cycle through other available information, such as the bundle identifier.
Enhanced and more complete display of package scripts. Click “Runs X
install scripts” to see all the scripts in the package, including those
invoked by other scripts in a flat-style package. Shows additional
information about how scripts are invoked, with what arguments.
Shows scripts that may be run immediately upon opening the package, e.g.
to check system requirements. These are what trigger the confounding
“this package will run a program” warning in the OS X Installer.
Shows status of the package signature, if present. Allows examination of
the certificate chain used to sign the package
Indicates if the package contains plug-ins that customize the Installer
UI. These also contain code that may run immediately upon opening the package
(and also trigger the “this package will run a program” warning).
Added proper support for Macs with Retina displays.
Added periodic (monthly) check for future updates to Suspicious Package.
When an update is available, a button will appear at the bottom of the
Suspicious Package preview window
Support for OS X 10.10 (Yosemite), OS X 10.9 (Mavericks) and OS X 10.8 (Mountain Lion).
Removed support for OS X 10.7 (Lion) and OS X 10.6 (Snow Leopard).
Released on January 24, 2012
Fixed compatibility problems on Mac OS X 10.7.3 (Lion).
No longer supports Mac OS X 10.5 (Leopard) or PowerPC.
Released on July 19, 2009
Upgraded to work on Mac OS X 10.6 (Snow Leopard).
Fixed various bugs that caused incorrect previews or a generic preview for specific packages.
Released on March 1, 2008
Added support for metapackages.
Fixed problem where the actual installation location was not
shown for some packages.
Added indication when a package requires authentication with
an administrator password.
Added indication when a package requires a system restart
(or shut down, or log out) after installation.
Added indication when a package has install scripts, and an
option to view the actual scripts [details].
Added support for installer receipts and .bom files.
Released on January 27, 2008
Fixed a bug where Suspicious Package would crash — thereby failing
to create a Quick Look preview — if there was a
non-ASCII character in the path to the package.