
MacRumors

macrumors bot
Original poster



A number of Mac apps failed to launch for users over the weekend because of a change to the way Apple certifies apps that have not been bought directly from the Mac App Store.

Several users of apps including Soulver and PDFpen who had downloaded the apps from the developers' websites all reported immediate crashes on launch. Developers of the apps quickly apologized and said that the issue was down to the apps' code signing certificates reaching their expiration date.

Apple issues developer signing certificates to assure users that an app they have downloaded outside of the Mac App Store is legitimate, comes from a known source, and hasn't been modified since it was last signed. In the past, the expiration of a code signing certificate had no effect on already shipped software, but that changed last year, when Apple began requiring apps to carry something called a provisioning profile.


A provisioning profile tells macOS that the app has been checked by Apple against an online database and is allowed to perform certain system actions or "entitlements". However, the profile is also signed using the developer's code signing certificate, and when the certificate expires, the provisioning profile becomes invalid.

Victims of expired provisioning profiles over the weekend included users of 1Password for Mac who had bought the app from the developer's website. AgileBits explained on Sunday that affected users would need to manually update to the latest version (6.5.5), noting that those who downloaded 1Password from the Mac App Store were unaffected. The developers' surprise was explained in a blog post:

"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that's not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly."

Currently, the common factor among affected apps appears to be those that were issued iCloud entitlements as part of their provisioning profile. Smile, developers of PDFpen and PDFpenPro, told TidBITS that users would need to manually download the latest updates to the apps to fix the problem.

Acqualia, developers of number-crunching app Soulver, also apologized for the problem and asked affected users to download an update to fix the issue.

As the above suggests, the immediate solution for developers with potentially affected apps is to renew their code signing certificates before they expire. AgileBits said the incident had given them "a new understanding of the importance of expiring provisioning profiles and certificates" and would be renewing its current certificate, due to expire in 2022, "far before then".

Article Link: Expiring Developer Certificates Causing Some Mac Apps to Refuse to Launch
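
As an added example (not part of the article and not any developer's own tooling), the sketch below shows how a release team could audit a provisioning profile for the expiry condition described above and flag iCloud entitlements, the common factor the article mentions. It assumes the profile is a CMS envelope around an XML plist with `ExpirationDate` and `Entitlements` keys; the sample profile, its name, its dates and the 90-day warning window are constructed.

```python
import plistlib
from datetime import datetime

# Entitlement keys that indicate iCloud use.
ICLOUD_KEYS = (
    "com.apple.developer.icloud-container-identifiers",
    "com.apple.developer.ubiquity-kvstore-identifier",
)

def extract_plist(blob: bytes) -> dict:
    """Slice the XML plist out of the profile's CMS envelope.
    The CMS signature is NOT verified here; this is for inventory only."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_profile(blob: bytes, now: datetime, warn_days: int = 90) -> dict:
    """Classify a profile as ok / renew-soon / expired relative to `now` (UTC)."""
    profile = extract_plist(blob)
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    days_left = (expires - now).days
    if expires <= now:
        status = "expired"
    elif days_left <= warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    ents = profile.get("Entitlements", {})
    return {"name": profile.get("Name"), "status": status,
            "days_left": days_left,
            "uses_icloud": any(k in ents for k in ICLOUD_KEYS)}

def make_sample_profile(expires: datetime) -> bytes:
    """Constructed stand-in: a plist wrapped in filler bytes, not a signed profile."""
    body = plistlib.dumps({
        "Name": "Constructed Example Profile",
        "ExpirationDate": expires,
        "Entitlements": {ICLOUD_KEYS[0]: ["iCloud.example.constructed"]},
    })
    return b"\x30\x82\x0f\x00" + body + b"\x00" * 16

if __name__ == "__main__":
    sample = make_sample_profile(datetime(2030, 1, 1))
    for now in (datetime(2029, 6, 1), datetime(2029, 12, 1), datetime(2030, 1, 2)):
        print(now.date(), audit_profile(sample, now))
```

To run it against a shipped Mac app, pass the bytes of the bundle's `Contents/embedded.provisionprofile` to `audit_profile` with the current UTC time.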
 
Couldn't one just "allow apps from anywhere" thus bypassing the need of a valid certificate? At least for emergency purposes, if the developer is snoozing.
 
Can someone please clarify - is this only affecting users who downloaded 1Password or other apps after the certificate expired?

It wouldn't be very good if you have software on your mac that stopped working because of the inaction of a developer.
 
Very, very poor show from the developers. No excuse for their laziness/lack of awareness.

That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:

Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.

What happens if an author dies or stops developing Mac software? Your older software should just stop working? What a load of crap and even more so for someone defending Apple.

As far as I'm concerned it's just another reason NOT to upgrade to Sierra. Apple is doing its damn best to screw the pooch for everyone when it comes to open software development. They clearly want the tools in place to invalidate your entire software library at the push of a button like they can already do on iOS devices and slowly keep heading in that direction with every Mac OS update.

Let's not forget last year's BS where Apple forgot to renew THEIR OWN certificates which caused total HAVOC with App Store Applications! My god was that a fracking mess! And did Apple do anything to make up for it? Yeah, they made Sierra even more bonkers nuts. Great job Apple. INFERIOR products is sadly becoming par for the course with Apple. (Wasn't that just a week ago I read about black paint chipping off brand new iPhones?) :confused:
 
Amateur hour.
Not necessarily. You have to remember that certs used to ship apps to appstore do not work in the way described in the article. It's safe to assume everybody was thinking that the rules are similar for external applications, seems that changed in Sierra. Still I agree with people above. Software should never stop working like this. We cannot guarantee that developer will be there to always renew certs for his applications. If the cert was valid during installation then this should be enough.
 
This is pretty typical of AgileBits. They don't even follow basic best practices. They think PGP signatures are "security theater". http://mostvulnerable.com/ Pretty sad to see such a loved app misunderstand what cryptographic signatures are for.
 
Amateur hour. Devs are happy to bemoan Apple taking their 30% - but can't even be bothered to sort this out?

The Apple documentation says
  • Developer ID Application Certificate and Developer ID Installer Certificate (Mac applications)
    If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you will need a new certificate to sign updates and new applications. If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

https://developer.apple.com/support/certificates/

I think this is definitely an Apple bug. Developers were just relying on the information given by Apple, which turned out to be false.
 
I think this is definitely an Apple bug.

That's not true. Above situation happened only for applications distributed outside of the mac app store. Starting from Sierra those have different signing rules. So not a bug, mainly lack of proper clarification.
 
Off topic, but... shouldn't the period be inside the quotes?

Apologies for the confusion. Trying out the "punctuation paradigm shift" of moving the punctuation to the right of the quotation marks. I realize it's "the British style", but apparently it increasingly rules on message and bulletin boards and has been adopted by Wikipedia and the journal of the Linguistic Society of North America.

But maybe that topic/debate could use a separate thread. :)
 
That's not true. Above situation happened only for applications distributed outside of the mac app store. Starting from Sierra those have different signing rules. So not a bug, mainly lack of proper clarification.

No. Read the documentation. It should still work. https://developer.apple.com/support/certificates/
This is the most recent documentation that Apple made available. All those apps were signed using Developer ID certificates.
 
Trying out the "punctuation paradigm shift" of moving the punctuation to the right of the quotation marks. I realize it's "the British style", but apparently it increasingly rules on message and bulletin boards and has been adopted by Wikipedia and the journal of the Linguistic Society of North America.

It’s not that the punctuation is necessarily outside of the quotation, it’s that the quotation is complete and exact.

The American style often adds punctuation that wasn’t in the original text or speech, contrary to what a quote should be.

Summed up: Logical punctuation only uses quote marks around the original text, nothing is added.

For example, if you wanted to quote my first sentence:
It’s not that the punctuation is necessarily outside of the quotation, it’s that the quotation is complete and exact.
 
That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:

Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.
It shouldn't stop working because the certificate expired, because the certificate is exactly the same trusted certificate as before.

Software _should_ stop working if a certificate gets _revoked_. That's a different process where it is believed that there are forgeries of the certificate around, or the certificate was issued to someone who lied about their identity, and so on. In these cases, the software should never have been allowed to run in the first place. But you're right, that isn't the case here. If you downloaded the software before the certificate expired, then it should keep running after the certificate expires.
When I read this I have a feeling this is only about distribution through official channels. I may be wrong though.
Apps from the App Store should continue running just the same; I don't know if they do or they don't. Developers won't be able to put new versions on the App Store with an expired certificate, and apps are removed from the store if the developer doesn't renew their developer's license. (Removed from the store means it keeps working, but you can't reinstall it on a different device).
 
Apologies for the confusion. Trying out the "punctuation paradigm shift" of moving the punctuation to the right of the quotation marks. I realize it's "the British style", but apparently it increasingly rules on message and bulletin boards and has been adopted by Wikipedia and the journal of the Linguistic Society of North America.

But maybe that topic/debate could use a separate thread. :)
No, no... the fact that you're UK-based completely explains why you're placing periods outside of the quotes. Placing periods inside the quotation marks is what I was taught and what I believe to be correct usage for American English.

All's well, just curiosity on my part... and of course, great article :)
 