How to Open .pkg Files to View What Will Install on Mac with Suspicious Package

Aug 31, 2016 - 5 Comments

Suspicious Package Quick Look view to open PKG file

Many Mac applications and downloads arrive as a PKG package file, but have you ever wanted to open a PKG file to view exactly what is being installed and where it’s going from the source .pkg? Assuming you get a .pkg installer from a trusted source like Apple there is generally nothing to be concerned with about running a package installer file, but not all PKG installers are as trustworthy. Additionally, sometimes people are just curious about what exactly is going on behind the scenes, and what is going to be run by the package installer and where it intends to put files on a Mac.

This is where the amusingly named ‘Suspicious Package’ application comes in to play, it’s a free Mac app which allows the opening and inspection of PKG installer files before the installation is actually executed, giving you a look at what is going to happen when the PKG is run.

Using Suspicious Package to open and inspect .pkg files on a Mac is not particularly complicated though it’s obviously most appropriate for advanced users who will have a general idea of what they’re looking at and what to make of it. If any of this sounds interesting to you, you’ll want to download and install the application, which includes a Quick Look plugin:

Once Suspicious Package is installed, you can give it a try by dragging any PKG installer file into the application, or selecting a package installer in the Finder and hitting Command+Spacebar to activate Quick Look on the package in question.


Within Suspicious Package, you’ll see three primary tabs which detail all sorts of information about the package file. The first is “Package Info” which shows an overview including how many items will be installed, the size of the installation, the developer ID and if it is signed (if applicable) and valid or expired, how many installation scripts are run, and where and when it was downloaded:

First view PKG open

The “All Files” view shows you exactly what files are going to arrive from the package file and where they are going to go, including permissions for specific files:

Opening Package file seeing contents

The final tab shows the scripts that will be run, “post install” which are often cleanup bash scripts that adjust permissions or perform a cleanup duty:

Opening package pkg file Mac see what scripts will run

While all of this is informative to any and all users, it’s really intended for advanced users who encounter package files from dubious sources or that are otherwise questionable. If you’re downloading all of your apps, updates, and packages from or an equally trustworthy location, you may find Suspicious Package to be interesting but not particularly noteworthy since the source is trusted, though even packages from Apple can encounter weirdness like having a pkg get stuck on Verifying which can sometimes be troubleshooted through a utility like this. Where Suspicious Package really gets useful is in more advanced situations where higher Mac security is necessary and where users want to be sure a file is trusted and an installer isn’t doing anything sketchy when it’s run.

Longtime Mac users may recall that a package inspection feature used to exist in Mac OS X some time ago via the right-click menu, but that feature has since been removed. More advanced Mac users can still extract pkg files with pkgutil without actually installing them but it requires the use of the command line, and the Show Files method to see what files are going to be installed and where to is not always available or detailed enough.

Suspicious Package requires a relatively modern version of macOS or Mac OS X to use. Mac users with older system software can try Pacifist which performs a similar ability to dig around in PKG files if interested.


Related articles:

Posted by: Paul Horowitz in Mac OS, Security, Tips & Tricks


» Comments RSS Feed

  1. Super Mario says:

    Or if you are really advanced user you can use the pkgutil that is already there on every Mac:

    pkgutil –expand dir-path

    will extract the contents on the package to dir-path. You can create ramdisk for this purpose and then inspect the files there.

    You can further expand expand payload files (which are compressed cpio archives) with:

    gunzip payload
    cpio -iv < payload

    these payloads may themselves be further *.pkg files if this is a installer for a suite of software, rather than single app.

    This also allows you to modify the installer, skip OS version check etc before you run the installer.

  2. Jon says:

    Have had this installed for years now, along with Pacifist.

    It’s always a good idea to know exactly what you’re putting into you Mac.

  3. imacconvert says:

    Alway game for apps like this that are free and help, especially for someone like me still learning my way around the iMac way.
    Thanks, one of the best things I did was subscribe to these daily tips.

  4. junebeetle says:

    Looks promising, I’ll try it soon.

    Another easy way to inspect a package is through The Unarchiver. Right-click > Open with > The Unarchiver.

    A lot of the time, you can even extract the app and just run it from the folder (don’t do this unless you have a good reason).

  5. avenged110 says:

    Cool little app, thanks for the heads up.

Leave a Reply


Shop on and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks


iPhone / iPad



Shop on Amazon to help support this site