How to Open .pkg Files to View What Will Install on Mac with Suspicious Package
Many Mac applications and downloads arrive as a PKG package file, but have you ever wanted to open a PKG file to view exactly what is being installed, and where it’s going, from the source .pkg? Assuming you get a .pkg installer from a trusted source like Apple, there is generally little cause for concern in running it, but not all PKG installers are as trustworthy. Additionally, sometimes people are just curious about what exactly is going on behind the scenes: what is going to be run by the package installer and where it intends to put files on a Mac.
This is where the amusingly named ‘Suspicious Package’ application comes into play. It’s a free Mac app which allows the opening and inspection of PKG installer files before the installation is actually executed, giving you a look at what is going to happen when the PKG is run.
Using Suspicious Package to open and inspect .pkg files on a Mac is not particularly complicated though it’s obviously most appropriate for advanced users who will have a general idea of what they’re looking at and what to make of it. If any of this sounds interesting to you, you’ll want to download and install the application, which includes a Quick Look plugin:
- Get Suspicious Package free from the developer (for macOS and Mac OS X)
Once Suspicious Package is installed, you can give it a try by dragging any PKG installer file into the application, or selecting a package installer in the Finder and hitting Command+Spacebar to activate Quick Look on the package in question.
Within Suspicious Package, you’ll see three primary tabs which detail all sorts of information about the package file. The first is “Package Info” which shows an overview including how many items will be installed, the size of the installation, the developer ID and if it is signed (if applicable) and valid or expired, how many installation scripts are run, and where and when it was downloaded:
The “All Files” view shows you exactly what files are going to arrive from the package file and where they are going to go, including permissions for specific files:
The final tab shows the scripts that will be run, such as “post install” scripts, which are often bash scripts that adjust permissions or perform a cleanup duty:
While all of this is informative to any user, it’s really intended for advanced users who encounter package files that come from dubious sources or are otherwise questionable. If you’re downloading all of your apps, updates, and packages from Apple.com or an equally trustworthy location, you may find Suspicious Package interesting but not particularly noteworthy, since the source is trusted. Even packages from Apple can encounter weirdness, though, like having a pkg get stuck on Verifying, which can sometimes be troubleshot through a utility like this. Where Suspicious Package really gets useful is in more advanced situations where higher Mac security is necessary and where users want to be sure a file is trusted and an installer isn’t doing anything sketchy when it’s run.
Longtime Mac users may recall that a package inspection feature used to exist in Mac OS X some time ago via the right-click menu, but that feature has since been removed. More advanced Mac users can still extract pkg files with pkgutil without actually installing them, but it requires the use of the command line, and the Show Files method of seeing which files are going to be installed and where is not always available or detailed enough.
Suspicious Package requires a relatively modern version of macOS or Mac OS X to use. Mac users with older system software can try Pacifist, which offers a similar ability to dig around in PKG files, if interested.
Or if you are a really advanced user you can use the pkgutil that is already there on every Mac:
pkgutil --expand pkg-path dir-path
will extract the contents of the package to dir-path. You can create a ramdisk for this purpose and then inspect the files there.
You can further expand payload files (which are compressed cpio archives) with:
gunzip -c Payload | cpio -iv
These payloads may themselves be further *.pkg files if this is an installer for a suite of software, rather than a single app.
This also allows you to modify the installer, skip OS version check etc before you run the installer.
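The command-line inspection described in the article and in the comment above, put together as an added example (not part of the original article or of any comment): it checks the signature, expands the package without installing it, lists the install scripts and the payload paths, and prints the script lines worth reading first. The file names, the keyword list and the assumption of gzip-compressed cpio payloads are illustrative.

```shell
#!/bin/sh
# Added example: review a flat .pkg before installing it.
# expand_pkg needs macOS pkgutil; the review functions use only POSIX tools
# and work on any directory produced by `pkgutil --expand`.

# Report the signature, then unpack the package into a directory that
# does not exist yet. Nothing is installed and no script is run.
expand_pkg() {
    pkgutil --check-signature "$1" || echo "WARNING: signature check failed" >&2
    pkgutil --expand "$1" "$2"
}

# Every file shipped in a Scripts directory: preinstall, postinstall, helpers.
list_install_scripts() {
    find "$1" -type f -path '*/Scripts/*' | sort
}

# Script lines to read first: downloads, privilege or permission changes,
# launchd items, recursive deletes. The keyword list is a constructed heuristic.
flag_script_lines() {
    find "$1" -type f -path '*/Scripts/*' -exec grep -nE \
        'curl|wget|sudo|chmod|chown|launchctl|LaunchDaemons|LaunchAgents|rm -rf' \
        /dev/null {} + || :    # no match is not an error
}

# Paths each Payload would write, listed without extracting them.
# Assumes gzip-compressed cpio payloads, as described in the comment above.
list_payload_paths() {
    find "$1" -type f -name Payload | while IFS= read -r payload; do
        echo "== $payload"
        gunzip -c "$payload" | cpio -it 2>/dev/null
    done
}

# Usage: sh inspect_pkg.sh Example.pkg   (both names are placeholders)
if [ -n "${1:-}" ]; then
    work=$(mktemp -d)
    expand_pkg "$1" "$work/expanded" || exit 1
    echo "--- install scripts";  list_install_scripts "$work/expanded"
    echo "--- lines to review";  flag_script_lines "$work/expanded"
    echo "--- payload paths";    list_payload_paths "$work/expanded"
    echo "Expanded copy left in $work/expanded"
fi
```

Each flagged line is printed as file:line-number:text, so it can be opened directly in the expanded copy.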
Have had this installed for years now, along with Pacifist.
It’s always a good idea to know exactly what you’re putting into your Mac.
Always game for apps like this that are free and help, especially for someone like me still learning my way around the iMac way.
Thanks, one of the best things I did was subscribe to these daily tips.
Looks promising, I’ll try it soon.
Another easy way to inspect a package is through The Unarchiver. Right-click > Open with > The Unarchiver.
A lot of the time, you can even extract the app and just run it from the folder (don’t do this unless you have a good reason).
Cool little app, thanks for the heads up.