This is How You Open PKG Files to Investigate What Will Be Installed on Your Mac

Two simple ways to open PKG files to investigate what will be installed on your Mac.

Not all Mac apps come from the Mac App Store, and many third-party Mac apps come as .pkg files. Some .pkg files come from trusted sources (like Apple), others don’t.

PKG files have multiple uses, and Mac OS X Installer Package is one of them.

An installer package contains everything needed to install a program on a Mac. You start the installation by double-clicking on the file.

These files can only be run on a Mac, not on a Windows PC.

Which raises the question: how do I know what this .pkg file will install on my Mac, and where it will install the files?

Luckily there’s an easy way to investigate what’s inside a .pkg file.

To illustrate how you can open a .pkg file to investigate it, I’ll use the official iTunes package downloaded from Apple.

It comes as a .dmg file, but once you mount it you’ll get the actual installer, which is a .pkg file.

OPTION 1 – Open a PKG file using the command line

1. Open Terminal

2. Copy the .pkg file from the mounted .dmg file to your Desktop

3. Run pkgutil --expand /path/to/pkg /path/to/expanded/pkg (replace /path/to/pkg with the location of your .pkg file and /path/to/expanded/pkg with the location where you want to “open” the .pkg file)

 

3.1 Alternatively, cd into the path first (in this example, cd Desktop/) and simply run pkgutil --expand Install\ iTunes.pkg iTunes

4. The .pkg file will be expanded into a folder in your path; in this case, iTunes

 

5. Inside the folder, you’ll notice a bunch of other .pkg files. Do you need to run the same command for all of them? No, simply right-click on them and select Show Package Contents
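Once the package is expanded, each component folder's PackageInfo file (XML) records where its payload will be installed and which install scripts will run. The script below is an added example, not part of the original article; it assumes the flat-package layout (a PackageInfo file and a Scripts folder per component), and the function names and the sample package it builds are constructed for illustration.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET


def summarize_expanded_pkg(root):
    """Return one dict per component found under a folder made by pkgutil --expand."""
    components = []
    for dirpath, _dirs, files in os.walk(root):
        if "PackageInfo" not in files:
            continue
        info = ET.parse(os.path.join(dirpath, "PackageInfo")).getroot()
        payload = info.find("payload")
        scripts_dir = os.path.join(dirpath, "Scripts")
        components.append({
            "component": os.path.relpath(dirpath, root),
            "identifier": info.get("identifier"),
            "install_location": info.get("install-location"),
            "runs_as_root": info.get("auth") == "root",
            "file_count": int(payload.get("numberOfFiles", 0)) if payload is not None else 0,
            # Scripts the installer is told to run (preinstall / postinstall).
            "declared_scripts": [(el.tag, el.get("file", "")) for el in info.findall("./scripts/*")],
            # Everything shipped next to them; the declared scripts can call these helpers.
            "script_files": sorted(os.listdir(scripts_dir)) if os.path.isdir(scripts_dir) else [],
        })
    return sorted(components, key=lambda c: c["component"])


def build_sample(root):
    """Create a constructed (not real) expanded package so the demo runs offline."""
    comp = os.path.join(root, "Example.pkg")
    os.makedirs(os.path.join(comp, "Scripts"))
    with open(os.path.join(comp, "PackageInfo"), "w") as fh:
        fh.write('<pkg-info identifier="com.example.tool" '
                 'install-location="/Applications" auth="root">'
                 '<payload numberOfFiles="42" installKBytes="1024"/>'
                 '<scripts><postinstall file="./postinstall"/></scripts></pkg-info>')
    for name in ("postinstall", "helper.sh"):
        with open(os.path.join(comp, "Scripts", name), "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    return root


if __name__ == "__main__":
    # Pass the expanded folder (e.g. ~/Desktop/iTunes); with no argument the sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for c in summarize_expanded_pkg(target):
        print(c)
```

Any file listed under script_files but not under declared_scripts is worth reading too, since a preinstall or postinstall script can invoke it.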

 

OPTION 2 – Open a PKG file using Suspicious Package

As you might’ve guessed already, this is a third-party app for macOS. Ironically, Suspicious Package is not open-source. The dev offers an explanation of why that is, and I think it’s bullshit. But it’s his right to release the software this way and we can choose to use it or not.

1. Download Suspicious Package from the link above or install it via Homebrew with brew install --cask suspicious-package

 

2. Once installed, right-click on the .pkg and choose to open it with Suspicious Package


When you open Suspicious Package for the first time, macOS will show you the usual prompt. Just click “open”. You can also enable the “open apps from anywhere” option.


3. Now you can navigate the tabs to get information. The Package Info tab shows an overview of the package: how many items will be installed and the size of the installation (iTunes installed 7,181 items!!!!), the dev ID and package signature, how many scripts will run, and so on.

 

The All Files tab shows you the files that will be installed from the package, where the files will be installed, and the file permissions.

The All Scripts tab will show you all the scripts that will run and what they will run.

 

4. Suspicious Package will also give you more info when using Quick Look on a .pkg file (click on the .pkg file to select it and press the space key).


If Suspicious Package automatically finds potential problems with the .pkg file, it will alert you upon opening the file.

In this case, since it’s an old package, the warning is about deprecated scripts.

Suspicious Package is also a standalone app. You can open it just like you open any other app.

It will scan your Mac for any .pkg files and provide you with a list of all the files it found. However, you might want to allow it to scan your Desktop, Downloads and Documents folders.

There you go! Two simple and efficient ways to open PKG files to investigate what will be installed on your Mac.

Doing so is definitely recommended for security reasons. You should at least check if Suspicious Package displays any warnings.


