Apple - Software update on obsolete system: is it real?
This is real, yes. A lot of older software updates (but also newer ones e.g. some 10.14.6 Supplemental Update from September 2019!) are signed with a certificate which becomes/became invalid on Oct, 24 2019.
To keep them in the update game the intermediate certificate authority and its certficates have been replaced – the payload stays the same – and they have been republished/reissued.
Further readings (with pics I don't want to deep-link here ):
Beware Apple security certificates after 24 October: they may have expired
Certificate used to sign older Apple software expiring on October 24, 2019
To check the validity of software installer packages use:
pkgutil --check-signature /path/to/package.pkg
Example (the OSInstall.pkg inside the InstallESD.dmg of Install macOS Sierra.app d/led on Feb, 26 2019):
pkgutil --check-signature /Volumes/OS\ X\ Install\ ESD/Packages/OSInstall.pkg
Package "OSInstall.pkg":
Status: signed by a certificate that has since expired
Certificate Chain:
1. Software Update
SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
-----------------------------------------------------------------------------
2. Apple Software Update Certification Authority
SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
To check dmgs use:
spctl -a -t open --context context:primary-signature -v /path/to/dmg
spctl -a -v /path/to/dmg
or
codesign -dvvv /path/to/dmg
Not all dmgs are codesigned! The precise command is sometimes macOS-version-dependent, or requires a min macOS/OS X version. Please check man <command> (eg: man spctl).
According to Apple's support pages, Airport Utility 5.6.1 was released back in June 2012. Why your Mac never noticed this update (or any of the others since 5.2.2) till now is a mystery. But it is a valid update.