Apple - Software update on obsolete system: is it real?

This is real, yes. A lot of older software updates (but also newer ones e.g. some 10.14.6 Supplemental Update from September 2019!) are signed with a certificate which becomes/became invalid on Oct, 24 2019.

To keep them in the update game the intermediate certificate authority and its certficates have been replaced – the payload stays the same – and they have been republished/reissued.

Further readings (with pics I don't want to deep-link here ):

  1. Beware Apple security certificates after 24 October: they may have expired

  2. Certificate used to sign older Apple software expiring on October 24, 2019

To check the validity of software installer packages use:

pkgutil --check-signature /path/to/package.pkg

Example (the OSInstall.pkg inside the InstallESD.dmg of Install macOS d/led on Feb, 26 2019):

pkgutil --check-signature /Volumes/OS\ X\ Install\ ESD/Packages/OSInstall.pkg 
Package "OSInstall.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

To check dmgs use:

spctl -a -t open --context context:primary-signature -v /path/to/dmg
spctl -a -v /path/to/dmg


codesign -dvvv /path/to/dmg

Not all dmgs are codesigned! The precise command is sometimes macOS-version-dependent, or requires a min macOS/OS X version. Please check man <command> (eg: man spctl).

According to Apple's support pages, Airport Utility 5.6.1 was released back in June 2012. Why your Mac never noticed this update (or any of the others since 5.2.2) till now is a mystery. But it is a valid update.