by sneak 4494 days ago
This is all pointless handwaving; the update package itself is signed and will not install if tampered with, regardless of TLS certs used to download it.

TLS is not used to authenticate the update.

Ah, right. That makes sense. If only it was mentioned on the download page!

Meh, just admit you didn't realise how packages are signed and move on. TLS shouldn't and cannot be used to sign installation packages. After all, TLS stands for _Transport Layer_ Security...

He followed some pretty logical steps and made a fair enough point, there's no reason for you to be a douche about it.

Well you have the right to feel offended, but he really didn't "follow logical steps and make a fair enough point" as his idea was completely wrong when it comes to signing installation packages.

Well. In a way it's mentioned here: http://support.apple.com/kb/ht5290

Yes. That's the marketing page explaining how Gatekeeper works, but yes, in the end it's a feature of Gatekeeper that makes it harder for you to open unsigned packages and impossible to open packages with a broken signature.

So even when you don't know about pkgutil (most people don't), Gatekeeper will still help you.