The Robservatory

Robservations on everything…


Peer into package installers before installation

Recently, I went looking for a new accounting package for Many Tricks. I found a few demos that I wanted to try, including Cognito's MoneyWorks line.

When I downloaded the demo, though, I was a bit surprised to see it was a package installer (.pkg extension). Typically, a package installer is used for system extensions, or other complex installs that have bits that go into many different places.

Being the curious sort, I wanted to see what the package would install before I installed it. You can do this the hard way, by drilling into the package in Finder (Right-click and Show Package Contents), but there's an app for that.

In the past, I've used CharleSoft's Pacifist to peer into packages. However, it's a $20 application, and somewhere along the line, I lost my registration information (or maybe I hadn't ever registered). In any event, I wondered if there were any less-expensive alternatives that did the same thing, as I only use an app like this maybe a few times a year.

A bit of web searching led me to the free Suspicious Package, so I gave it a try (hard to beat free). What I found is a very nicely done app that has replaced Pacifist for my occasional forays into packages.

Like Pacifist, the most useful feature (to me, anyway) of Suspicious Package is that it includes a Quick Look plug-in, which is installed by default. (Pacifist's Quick Look plug-in is a prompt-to-install on first launch.) With the plug-in, there's no need to open Suspicious Package to see what the installer is going to do; just select the .pkg file in Finder and press the Space Bar:

This first screen gives a good picture of the package: I can see that it's signed, how/when it was downloaded, how many install scripts it runs, and where the files will be installed. Most of the time, that's all I really want to see before installing a package. But if I want more detail, I can easily launch Suspicious Package directly from Quick Look…or even explore further within the Quick Look window.

For example, clicking on the "Runs 5 install scripts" takes me to another page that shows the scripts. Select one on that page, and you can see the content of the script:

This script, for instance, reveals why the demo is a package installer: MoneyWorks has a command line component that's installed via script—the script creates a link to the command line tool in the user's /usr/local/bin folder (creating that folder if necessary). It then links to man pages for the component. This is the kind of information I like to know before I run an installer, and I was able to get it all from a Quick Look window.

If you launch the Suspicious Package app, there's tons of detail available. Its window contains three main tabs: Package Info is similar to the Quick Look window, All Files lets you drill into the files in the package, and All Scripts lets you browse the scripts the installer will run.

You can also open new tabs, search for files, and do many other things—99% of which I'll never use. For me, the Quick Look capabilities alone make this app worth the drive space. And now that I know what MoneyWorks installs and why, I'm off to look at the demo.


  1. Thanks for this. Can you also see if there is a way to safely and automatically remove everything it installs?

  2. I love Suspicious Package. I stumbled on it last year. I run into a fair number of package installers, including MS and Adobe junk, so it's nice to see what they're doing even though we have to run it regardless. In a few cases I've been able to extract the good bits without the phone-home parts, but that's uncommon.

    For completely removing apps Little Flocker could be a great help, though I'm only starting to get the hang of it for regular use. It does for the file system what Little Snitch does for network access. If you kept a copy of the LF log as you install something (don't forget to include first launch and first quit, when some scripts run), it should be easier to go back and remove everything later. It's probably worth requesting installation monitoring as a feature for the nextn version. [There used to be an uninstaller that basically did this, but it's been defunct long enough now that I can't even remember the name.]

  3. Thanks for the pointer to Suspicious Package - I have typically used Pacifist but really only needed it occasionally, and then even more seldom needed it to actually extract and edit package components. And its nag screen deterred me from using it more regularly for casual .pkg inspection, so Suspicious Package fits the bill perfectly!

Comments are closed.

The Robservatory © 2021 • Privacy Policy Built from the Frontier theme