Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Apple Responds to Developers Regarding Expired Mac App Store Security Certificates

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,521
11,906



Last week some users and developers experienced an issue that displayed a "damaged" error when attempting to open select apps from the Mac App Store, including popular apps like 1Password, Tweetbot and Byword. Today, Apple has sent an email to developers explaining what happened and how to fix their apps.


In the email, which developer Donald Southard Jr. shared on Twitter, Apple explains that the company issued a new security certificate for the Mac App Store in September in anticipation of the expiration of the old certificate. The new certificate used a stronger SHA-2 hashing algorithm instead of the old SHA-1 algorithm. Hashing algorithms are used by certificate authorities to sign security certificates.

However, two issues caused users to experience errors when starting up apps. The first issue, according to Apple, is that there was a caching issue with the Mac App Store that required users to restart their computers and re-authenticate with the Mac App Store to clear out the old cache. Apple says it's working on a fix for this in an upcoming OS X update. The other issue is that some apps were running an older version of OpenSSL that didn't support SHA-2. Apple says it replaced the SHA-2 certificate with a new SHA-1 certificate last Thursday night.

Finally, Apple says that "most of the issues are now resolved", but that some apps might still experience problems if the apps make "incorrect assumptions" about the Mac App Store's security certificates. Apple asks developers to make sure their code adheres to the Receipt Validation Programming Guide and to resubmit apps for expedited review if necessary. The AppleCare support team has also been briefed with the latest troubleshooting information for users.

Article Link: Apple Responds to Developers Regarding Expired Mac App Store Security Certificates
 

applerocks

macrumors regular
Jun 7, 2005
158
68
Did someone at Apple win a prize for drafting a note with the most use of "issues" in the first paragraph? How did this letter get by Apple PR?

If Apple normally does one thing well, it's strong apologies once they've completed an investigation into a problem. This letter is not that.
 

gijoeinla

macrumors 6502a
Sep 19, 2011
684
489
Los Angeles, CA
Did someone at Apple win a prize for drafting a note with the most use of "issues" in the first paragraph? How did this letter get by Apple PR?

If Apple normally does one thing well, it's strong apologies once they've completed an investigation into a problem. This letter is not that.

Yes let's tear apart the letter for next 30 posts shall we. Let's question Apples integrity over it.

Oh my god. Get over it!
 

Gutwrench

Contributor
Jan 2, 2011
4,603
10,513
Did someone at Apple win a prize for drafting a note with the most use of "issues" in the first paragraph? How did this letter get by Apple PR?

If Apple normally does one thing well, it's strong apologies once they've completed an investigation into a problem. This letter is not that.

I agree. It is a poorly written letter.
 

Kaibelf

Suspended
Apr 29, 2009
2,445
7,437
Silicon Valley, CA
Did someone at Apple win a prize for drafting a note with the most use of "issues" in the first paragraph? How did this letter get by Apple PR?

If Apple normally does one thing well, it's strong apologies once they've completed an investigation into a problem. This letter is not that.

With all the ills in the world, you have time to be this bothered about this. Consider that for a moment.
 

sw1tcher

macrumors 68000
Jan 6, 2004
1,847
2,634
Software is like that. It's always just about to fall down around our ears, except usually someone is there trying to stop that from happening. Sometimes there are screw ups.

Software purchased through the MAS is like that. From what I read, people who purchased the same software directly from the developer or through other means didn't have to deal with this nonsense.

In the good ol' days, prior to the existence of the MAS, online activation, and subscription services, I'd install a program and it would just work™ until it got replaced or the computer died.
 

petsounds

macrumors 65816
Jun 30, 2007
1,483
497
Why is this coming from the anonymous "Apple Developer Relations", and why are customers not receiving an apology? Also, instead of fixing the SHA-2 issue, they decided to revert to a more insecure certificate? What? This letter should be coming straight from Eddy Cue. The guy needs to take responsibility for how badly he's running the software products under him.
 

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,049
Why is this coming from the anonymous "Apple Developer Relations", and why are customers not receiving an apology? Also, instead of fixing the SHA-2 issue, they decided to revert to a more insecure certificate? What? This letter should be coming straight from Eddy Cue. The guy needs to take responsibility for how badly he's running the software products under him.

I don't even know where to begin with how delusional your statements are.

This is an issue that impacted a small number of users and a simple restart was all it took to resolve it. Stop acting like this was the largest problem to face humanity this week.
 

Ankou_Sabat

macrumors regular
Nov 17, 2015
101
146
Actually this response does nothing about a much larger issue on the App Store.

Take the Tweetbot issue which I had hit me. They had released a new version, Tweetbot 2.1.1, right before this issue happened on Oct 15. This updated version is incompatible with Mac OS Mavericks (10.09) so those running Mavericks were stuck with the previous version. This means that for all those running an OS older than 10.10, you're only able to run Tweetbot 1.6.2. If you go to the App Store and try to update it, or even re-download on such an older OS it explicitly tells you of the incompatibility and says that it will download the "old" version for compatibility.

That would be fine, except the old versions are still signed with the EXPIRED CERTIFICATE! So even if you follow the directions to "re-download the damaged app" it will refuse to run because the certificate signed is expired. So the only "fix" is to upgrade your OS to 10.10. Sure it can be argued to upgrade to the latest version, but there are quite a few instances where this is impossible to do and as such, Apple has just put an expiration date on older software preventing you from running it by linking it to this certificate and not providing developers a way to re-sign those submissions with an updated cert. Neither does the App Store itself provide such a facility.

So if by the current expiration date which I believe now is 2 years from now, if your computer is unable to be upgraded to current OS and the current version is unsupported on your system, then you are completely out of luck and stuck with no app that you paid for. This makes the "download old version" feature in the App Store completely flawed if they provide no way to back sign older provided version on the store front.
 
Last edited:

vpndev

macrumors 6502
May 11, 2009
288
97
So, some good, some bad. The good is that Apple was on top of the certificate-expiry event and had the new one out in good time. The bad is that no-one anticipated and/or warned developers that they'd have to re-fetch the new cert.

As for the comment about "the anonymous 'Apple Developer Relations'" - I guess that you have never dealt with Apple. That's the way it works and I've never had a problem with it.
 
  • Like
Reactions: Brewer_Dude

Jonas Wepeel

macrumors newbie
Nov 17, 2015
2
4
If you go to the App Store and try to update it, or even re-download on such an older OS it explicitly tells you of the incompatibility and says that it will download the "old" version for compatibility.

That would be fine, except the old versions are still signed with the EXPIRED CERTIFICATE! So even if you follow the directions to "re-download the damaged app" it will refuse to run because the certificate signed is expired.

The receipt is separate from the app. The receipt can be updated even for older apps. So, if the certificate expires the app store just downloads a new receipt. It's up to developers to make sure their receipt verification code can work even if the certificate expires and/or changes.
 
  • Like
Reactions: Brewer_Dude

Ankou_Sabat

macrumors regular
Nov 17, 2015
101
146
The receipt is separate from the app. The receipt can be updated even for older apps. So, if the certificate expires the app store just downloads a new receipt. It's up to developers to make sure their receipt verification code can work even if the certificate expires and/or changes.

Receipt verification is a whole separate process. Wether or not you put an expiration date for your application (which is totally acceptable in the submission process) this has nothing to do with what the security requirements of the App Store requires developers to adhere to which is verifying the certificate is valid. If its expired, its invalid and shouldn't be accepted and if your application didn't check for a valid certificate under the rules of the App Store it would be rejected. So if you're playing by the rules and terms of agreement, you can't bypass this check for valid certificate.

"In order to test your main application during the development process, you need a valid receipt so that your application launches."

Testing Verification:
  • The system interprets the exit status and attempts to obtain a valid receipt. Assuming your application signing certificate is valid, the system installs a valid receipt for the application. The system may prompt you for your iTunes credentials.

  • The system relaunches your application, and your application successfully validates the receipt
Again if they provide no facility to re-sign a previous app with the current certificate, or if the App Store fails to do that, you'd have to bypass one of their biggest security functions and this would be a flag from submission. Right now that also means that the App Store is blindingly sending out expired cert signed applications, which I find to be a major over sight and flaw.
 

JosephAW

macrumors 68040
May 14, 2012
3,393
4,020
This is another sneaky way that apple is using to force ppl to upgrade to 10.11 which I can't so that means I have to buy a newer computer. Next will be iOS 8 user where they won't be able to access apps unless they are on iOS 9. Sneaky...
Maybe it's time for me to drop all apple products and switch to windows for all my devices and stop recommending and installing Apple products for all my business clients.
 
  • Like
Reactions: SyneRyder

Jonas Wepeel

macrumors newbie
Nov 17, 2015
2
4
If its expired, its invalid and shouldn't be accepted and if your application didn't check for a valid certificate under the rules of the App Store it would be rejected.

Developers choose whether they want to verify the receipt. Many developers choose not to. Again, if the app runs and determines the receipt is invalid they ask the store for a new one. Unless the developer's receipt verification code is broken, the new receipt should pass their tests and the app will launch like normal.

Apple does warn about checking a certificate expiration in their receipt validation WWDC session. Developers should only check if the receipt was valid the day it was issued. An expired certificate should never cause an app to flag a receipt as invalid. If they all did that and Apple shut down the app store no apps would run as soon as the certificate expired.
 

Fofer

macrumors 6502a
Oct 24, 2002
653
105
This is another sneaky way that apple is using to force ppl to upgrade to 10.11 which I can't so that means I have to buy a newer computer. Next will be iOS 8 user where they won't be able to access apps unless they are on iOS 9. Sneaky...
Maybe it's time for me to drop all apple products and switch to windows for all my devices and stop recommending and installing Apple products for all my business clients.

It's not a sneaky, nefarious plot. It's called progress, and it's always been this way in the software industry, with every OS manufacturer.

Besides, why, exactly, "can't" you upgrade to 10.11? Is your hardware too old?

Maybe it's time for me to drop all apple products and switch to windows for all my devices and stop recommending and installing Apple products for all my business clients.

Maybe. Seems like a big leap to me over something pretty common. I don't think you'll avoid this issue with Windows, but yeah, whatever, have at it.
 
  • Like
Reactions: Brewer_Dude

rdlink

macrumors 68040
Nov 10, 2007
3,226
2,434
Out of the Reach of the FBI
Software purchased through the MAS is like that. From what I read, people who purchased the same software directly from the developer or through other means didn't have to deal with this nonsense.

In the good ol' days, prior to the existence of the MAS, online activation, and subscription services, I'd install a program and it would just work™ until it got replaced or the computer died.

Or an OS got updated, and caused the program to stop working. So you'd you go to the developer's website and all you'd hear is crickets. Or even better, be greeted by a patch that masqueraded as a paid "upgrade."
 
  • Like
Reactions: Brewer_Dude
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.