Marc Wäckerlin
Für eine libertäre Schweiz

Extract Mac-OSX dmg and pkg Installer

August 15, 2018

SwissSign Group AG delivers SuisseID 2.0, a hardware PKCS#12 token with personal certificates for digital signature and web login. In order to support this on all operating systems (Linux, Windows, Mac), I wrote initialization software and create packages for Debian, RPM, Windows, Mac OS-X.

For Mac, I create a dmg image file, that contains pkg packages, that contain the app applications. To analyze the structure, I download the current Mac OS-X installation file.

Extract dmg

The dmg file can be extracted using 7z:

7z x suisseid-mac-3.7.dmg

This creates a directory SuisseID, that contains: changelog.txt, '[HFS+ Private Data]', Install_SuisseID.pkg and

Alternatively a dmg file can be converted to a Linux image file using dmg2img. Then the image file can be loop-mounted.

Extract pkg

The interesting part is in Install_SuisseID.pkg. This file is a xar archive:

$ file Install_SuisseID.pkg
Install_SuisseID.pkg: xar archive version 1, SHA-1 checksum

You can either use Google xar or simply run ark to extract it from the GUI:

cd SuisseID
ark Install_SuisseID.pkg

This creates a new directory Install_SuisseID, that contains: cryptovision.pkg, modutil.pkg, SuisseID-Assistant.pkg, Distribution and Resources.

These are:

$ file *
cryptovision.pkg:       directory
Distribution:           XML 1.0 document, ASCII text
modutil.pkg:            directory
Resources:              directory
SuisseID-Assistant.pkg: directory

So, this time, *.pkg is something different: a directory, that contains:

$ file *
Bom:         Mac OS X bill of materials (BOM) file
PackageInfo: XML 1.0 document, ASCII text
Payload:     gzip compressed data, from Unix
Scripts:     gzip compressed data, from Unix

Applying gunzip on Payload and Scripts shows, that these are compressed cpio archives. So extract them using:

gunzip -c Payload | cpio -i
gunzip -c Scripts | cpio -i

That’s all, now everything is extracted and I can start the analysis of the package structure.