Did someone at Apple win a prize for drafting a note with the most use of "issues" in the first paragraph? How did this letter get by Apple PR?

If Apple normally does one thing well, it's strong apologies once they've completed an investigation into a problem. This letter is not that.

I guess they wanted to make it clear they had an issue, fixed the issue, and publish that the issue was resolved and that no further issues were found.
 
This is what you get for running signed apps on your desktop. Nothing like being about to give a presentation to 100 people and having Keynote refuse to launch because of an expiration date on a freaking certificate.
 
I was on a 10h flight when this effect kicked in. Uncool when you're offline and apps you paid for simply stop working :(:(
 
Tech changes. Replacing old tech with new must be part of the engineering process.

Unfortunately, not everyone in a decision-making position is able to see that.
 
Actually this response does nothing about a much larger issue on the App Store.

Take the Tweetbot issue which I had hit me. They had released a new version, Tweetbot 2.1.1, right before this issue happened on Oct 15. This updated version is incompatible with Mac OS Mavericks (10.09) so those running Mavericks were stuck with the previous version. This means that for all those running an OS older than 10.10, you're only able to run Tweetbot 1.6.2. If you go to the App Store and try to update it, or even re-download on such an older OS it explicitly tells you of the incompatibility and says that it will download the "old" version for compatibility.

That would be fine, except the old versions are still signed with the EXPIRED CERTIFICATE! So even if you follow the directions to "re-download the damaged app" it will refuse to run because the certificate signed is expired. So the only "fix" is to upgrade your OS to 10.10. Sure it can be argued to upgrade to the latest version, but there are quite a few instances where this is impossible to do and as such, Apple has just put an expiration date on older software preventing you from running it by linking it to this certificate and not providing developers a way to re-sign those submissions with an updated cert. Neither does the App Store itself provide such a facility.

So if by the current expiration date which I believe now is 2 years from now, if your computer is unable to be upgraded to current OS and the current version is unsupported on your system, then you are completely out of luck and stuck with no app that you paid for. This makes the "download old version" feature in the App Store completely flawed if they provide no way to back sign older provided version on the store front.
Oh boy...

At this point I really have to wonder what's going so horribly wrong in Cupertino that they don't think things through and don't look at older software at all...

A new low for their quality assurance... :(

I was on a 10h flight when this effect kicked in. Uncool when you're offline and apps you paid for simply stop working :(:(
Good example of how the App Store is a consumer product that's able to run on work machines and "pro equipment" (or what's left of it).

There should be an easy way to - without playing with date and time on your system clock - ignore the certificate issue.
Hell, I can do it in my browser and it's easily accessible.

Glassed Silver:mac
 
This just in: "Apple Writes Poorly Written Apology Letter to Developers Regarding Mac App Store Bug"

:D

It's not an apology. It is an informational letter telling them what happened. Importantly, it tells them that some developers are using a crappy old version of OpenSSL that can't verify more secure certificates. (In this context, "secure" means "harder to forge and to get an app for free with a forged certificate").
 
"This was a planned event"

Ugh, yeah... sure it was...

With the sunsetting of SHA1 it's not surprising that Apple would be moving its certificates to SHA2.

That said this was a little league mistake of not QA'ing the change first! These forced upgrades and growing library of broken old software is starting to get very tiresome.
 
This is another sneaky way that Apple is using to force ppl to upgrade to 10.11 which I can't so that means I have to buy a newer computer. Next will be iOS 8 users where they won't be able to access apps unless they are on iOS 9. Sneaky...
Maybe it's time for me to drop all apple products and switch to windows for all my devices and stop recommending and installing Apple products for all my business clients.
If you have so little trust in Apple that you actually think this was more than a simple mistake, then yes. Sell all your Apple products and go completely Windows and Android. That said, there are no signs of this being any more than an honest, if not boneheaded, mistake.
 
Software purchased through the MAS is like that. From what I read, people who purchased the same software directly from the developer or through other means didn't have to deal with this nonsense.

In the good ol' days, prior to the existence of the MAS, online activation, and subscription services, I'd install a program and it would just work™ until it got replaced or the computer died.

This is a good point. We don't actually "purchase" applications from the App store - they will all "expire" and stop working at some point - we "rent" them. Making a note to myself to get things directly from the developer whenever possible (and no included time bombing like you get from the Mac App store).
 
Am I the only one that is slightly surprised they were even doing it with SHA1 to begin with? There was talk years ago before the App store even launched that SHA2 was the way to go!
 
This is another sneaky way that Apple is using to force ppl to upgrade to 10.11 which I can't so that means I have to buy a newer computer. Next will be iOS 8 users where they won't be able to access apps unless they are on iOS 9. Sneaky...
Maybe it's time for me to drop all apple products and switch to windows for all my devices and stop recommending and installing Apple products for all my business clients.

Simple as "it's not as simple as it once was". Apple's job of managing everything that they do has become 10x harder. Something is bound to not "just work" once in a while. Not making excuses for Apple, they clearly are making missteps, but as a software developer and server administrator, I know first-hand that over time, as you build more and more, it gets significantly harder to manage.
 
I do agree, though, that a time limit should have been set between warning and not having the software work at all.
 
It's not an apology. It is an informational letter telling them what happened. Importantly, it tells them that some developers are using a crappy old version of OpenSSL that can't verify more secure certificates. (In this context, "secure" means "harder to forge and to get an app for free with a forged certificate").
Either way it was sarcasm but yeah you're right
 
Actually this response does nothing about a much larger issue on the App Store.

Take the Tweetbot issue which I had hit me. They had released a new version, Tweetbot 2.1.1, right before this issue happened on Oct 15. This updated version is incompatible with Mac OS Mavericks (10.09) so those running Mavericks were stuck with the previous version. This means that for all those running an OS older than 10.10, you're only able to run Tweetbot 1.6.2. If you go to the App Store and try to update it, or even re-download on such an older OS it explicitly tells you of the incompatibility and says that it will download the "old" version for compatibility.

That would be fine, except the old versions are still signed with the EXPIRED CERTIFICATE! So even if you follow the directions to "re-download the damaged app" it will refuse to run because the certificate signed is expired. So the only "fix" is to upgrade your OS to 10.10. Sure it can be argued to upgrade to the latest version, but there are quite a few instances where this is impossible to do and as such, Apple has just put an expiration date on older software preventing you from running it by linking it to this certificate and not providing developers a way to re-sign those submissions with an updated cert. Neither does the App Store itself provide such a facility.

So if by the current expiration date which I believe now is 2 years from now, if your computer is unable to be upgraded to current OS and the current version is unsupported on your system, then you are completely out of luck and stuck with no app that you paid for. This makes the "download old version" feature in the App Store completely flawed if they provide no way to back sign older provided version on the store front.


All for a free app or one you paid < $3 for. Oh, the horrors! If you paid more than that, contact the developer. If you read the user agreement, you will see that this is all covered in it. You are LUCKY if the app is UPDATED to run on a new system.
 
Software purchased through the MAS is like that. From what I read, people who purchased the same software directly from the developer or through other means didn't have to deal with this nonsense.

In the good ol' days, prior to the existence of the MAS, online activation, and subscription services, I'd install a program and it would just work™ until it got replaced or the computer died.

IOW, nothing whatsoever has changed, except for code signing. Deal with it?
 
So if by the current expiration date which I believe now is 2 years from now, if your computer is unable to be upgraded to current OS and the current version is unsupported on your system, then you are completely out of luck and stuck with no app that you paid for. This makes the "download old version" feature in the App Store completely flawed if they provide no way to back sign older provided version on the store front.

As an independent developer myself, I find the entitlement to perpetual free lifetime upgrades crazy. How are we supposed to live from a one-time purchase of an app which in some cases is less than the price of a McDonald's Happy Meal? Even more expensive software takes time and effort to produce. Most folks have no problem throwing down $1k a year on a new iPhone, but balk at the idea of ever having to pay an update fee for an app which was purchased at some point in the distant past. Apple is the biggest company in the world with unlimited money and resources; most indie devs are not. A 2-year lifespan for an app is more than generous, I think.
 
As an independent developer myself, I find the entitlement to perpetual free lifetime upgrades crazy. How are we supposed to live from a one-time purchase of an app which in some cases is less than the price of a McDonald's Happy Meal? Even more expensive software takes time and effort to produce. Most folks have no problem throwing down $1k a year on a new iPhone, but balk at the idea of ever having to pay an update fee for an app which was purchased at some point in the distant past. Apple is the biggest company in the world with unlimited money and resources; most indie devs are not. A 2-year lifespan for an app is more than generous, I think.

I would like to humbly suggest that the two of you are talking past each other. As a user affected by this issue in a rather painful way. I am running MacFamilyTree version 6 (genealogy software) on a white plastic MacBook with 10.6.8. Everything has worked perfectly since 2011 and my database now contains over 3000 people. When the certificate issue arose, my copy of MacFamilyTree broke. But, I cannot re-download it from the App store (where I purchased it) because it contains version 7 and that version is not compatible with 10.6.8.

Now, when MacFamilyTree version 7 was released, the developers indicated that it would cost an additional 40 dollars for those of us using version 6, but we were warned not to upgrade if we were staying on OS 10.6.8. So, I stayed with the legacy software since it Just Worked.

When my old plastic MacBook breaks, I will buy a new Mac laptop with whatever is the latest system software. And, I fully expect to buy version 7 (for 50 dollars now) as a way to support the developers.

But, that said, and this goes to the heart of the issue: it is altogether crazy that one hidden update from Apple has cracked my perfectly functioning software ecosystem. Now I am SOL where my genealogy work is concerned.
 