📅 July 20, 2020     🕐 3 minutes read

HOW TO: Open .pkg Files to Investigate What Will Be Installed on Your Mac

See what’s inside a .pkg installers

Not all Mac apps come from the Mac App Store. And many third party Mac apps come as .pkg files. Some .pkg files come from trusted sources ( like Apple ), others don’t.

Which raises the question…. how do I know what will this .pkg file install on my Mac and where it will install the files? Luckily there’s an easy way ( or two ) to investigate what’s inside a .pkg file.

For both options I will use the official iTunes package downloded from Apple. It comes as a .dmg file but once mounted it you’ll get the actual installer wich is a .pkg file.

OPTION 1 – using the command line

1. Open Terminal

2. Copy the .pkg file from the mounted .dmg file to your Desktop

3. Run pkgutil --expand /path/to/pkg /path/to/expanded/pkg


3. 1 Alternatively cd into path first ( in this example cd Desktop/ ) and simply run pkgutil --expand Install\ iTunes.pkg iTunes

4. The .pkg file will be expanded into a folder in your path. In this case iTunes


5. Inside the folder, you’ll notice a bunch of other .pkg files. Do you need to run the same command for all of them? No, just simply right click on them and select Show Package Contents


OPTION 2 – Suspicious Packages

As you might’ve guessed already, this is a third party app for macOS. Ironically, Suspicious Package is not open-source. The dev offers an explanation of why that is, and I think it’s bullshit. But it’s his right to release the software this way and we can choose to use it or not.

1. Download Suspicious Package from the link above or install it via Homebrew with brew cask install suspicious-package

2. Once installed, right-click on the .pkg and choose to open it with Suspicious Package

3. Now you can navigate to get info via tabs. Like the Package Info tab which shows an overview of the package like how many items will be installed and size of the installation ( iTunes installed 7,192 items !!!! ),  dev ID and package signature, how many scripts will run and so on.

The All Files tab shows you shows you the files that will be installed from the package, where will the files be installed and files permissions.

The All Scripts tab will show you all the scripts that will run and what they will run.


4. Alternatively, for a quick look over a .pkg file, once Suspicious Package is installed you can use quick look on a .pkg file ( click on the .pkg file to select it and press the space key ).


FSM has no ads or affiliate links. Your support would simply pay for our servers, domain and maintanance. If there's any leftover change, we'll get some coffee and a slice of pizza.

Monero (XMR) 43GnqUNJrTi9QyL7kEH8vM8pgWGCE6bjv1FSRipeNMM4TTeNnUVsRBb6MfMpQYxtLE7ReonxVVSXz2rFCEdW5H11LC3x73b
Bitcoin (BTC) 1Hfuq77gKKFJeNcq4EP4dQK3yDRWrFEwJR
Bitcoin Cash (BCH) qzmdm6e6q5wf2p6sxz2mst7cenz60newwc5m4e9js8
Ether (ETH) 0x5f02869278C24A6579d3820f52AD15936D6F9d69
More content?