Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Expiring Developer Certificates Causing Some Mac Apps to Refuse to Launch

MagnusVonMagnum said:
That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:

Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.

What happens if an author dies or stops developing Mac software? Your older software should just stop working? What a load of crap and even more so for someone defending Apple.

As far as I'm concerned it's just another reason NOT to upgrade to Sierra. Apple is doing its damn best to screw the pooch for everyone when it comes to open software development. They clearly want the tools in place to invalidate your entire software library at the push of a button like they can already do on iOS devices and slowly keep heading in that direction with every Mac OS update.

Lets not forget last year's BS where Apple forgot to renew THEIR OWN certificates which caused total HAVOC with App Store Applications! My god was that a fracking mess! And did Apple do anything to make up for it? Yeah, they made Sierra even more bonkers nuts. Great job Apple. INFERIOR products is sadly becoming par for the course with Apple. (Wasn't that just a week ago I ready about black paint chipping off brand new iPhones?) :confused:
Click to expand...

Omg calm down. There's different opinions regarding this topic and I stand behind apple's closed system. No need to call someone "load of crap".
 
MagnusVonMagnum said:
That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:

Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.

What happens if an author dies or stops developing Mac software? Your older software should just stop working? What a load of crap and even more so for someone defending Apple.

As far as I'm concerned it's just another reason NOT to upgrade to Sierra. Apple is doing its damn best to screw the pooch for everyone when it comes to open software development. They clearly want the tools in place to invalidate your entire software library at the push of a button like they can already do on iOS devices and slowly keep heading in that direction with every Mac OS update.

Lets not forget last year's BS where Apple forgot to renew THEIR OWN certificates which caused total HAVOC with App Store Applications! My god was that a fracking mess! And did Apple do anything to make up for it? Yeah, they made Sierra even more bonkers nuts. Great job Apple. INFERIOR products is sadly becoming par for the course with Apple. (Wasn't that just a week ago I ready about black paint chipping off brand new iPhones?) :confused:
Click to expand...

It's still the developers fault.
 
MagnusVonMagnum said:
Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.
Click to expand...

Could be said louder, but not clearer. That's exactly the point! Apple did it again...

Money, money, money, money... Money! (The O'Jays)
 
  • Like
Reactions: Evil Lair and gumma
MacsRgr8 said:
Developers can die.... so can organisations who employ them....

This could turn out to be tricky if there is no "overrule" setting for the user.
Click to expand...
I think it would be silly to expect an app to run forever if the developer dies, walks away or the organization closes down. The cert is but one example of an app breaking under those circumstances. updates to the OS, could also cause an abandoned app to stop working as well.
 
Haven't experienced this with any iOS apps yet...
But have been experiencing this with desktop applications for some time.
Adobe CS3 installer and updates fail unless you roll back the date.
iLife installer fails unless you roll back the date.
We have a custom 4D Webstar application and the other year Webstar stopped allowing us to sign in because their certificate expired. Had to manually recreate the certificates both in the server and desktop client.
I'm still surprised that you can still install and update snow leopard, I can see the day coming where Apple fails to update their server certs and updating fails.
Forget Y2K, this is the next big fiasco to occur for desktops and supposedly iOS.
 
maflynn said:
I think it would be silly to expect an app to run forever if the developer dies, walks away or the organization closes down. The cert is but one example of an app breaking under those circumstances. updates to the OS, could also cause an abandoned app to stop working as well.
Click to expand...
So you buy version 1.0 of a software, which will receive free updates for lets say 2 years. Afterwards the developer may release a paid upgrade to version 2.0. After those two years you'd still expect the old version to continue working, wouldn't you?

Would you be fine with OSX 10.10 just stopping to work because it doesn't receive updates anymore?
 
MagnusVonMagnum said:
Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:
Click to expand...
"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version."

Seems to me Apple was very clear, while the developer in this care decided not only to ignore it, but to admit it....
 
In MacOS Sierra you no longer can sellect run from anywhere in system preferences but if you right-click and open an app you can still run unsigned apps.
When this goes away in 10.13 Yucatán all our apps that still work fine will stop and be thrown under the bus.
And of course when the A10x laptops and desktops will rollout their Rosetta emulation for x86 will only be available for signed apps until the removal of emulation in 10.14 Grand Teton just as Apple did in Lion.
 
  • Like
Reactions: adib
ppcebay said:
"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version."

Seems to me Apple was very clear, while the developer in this care decided not only to ignore it, but to admit it....
Click to expand...

Please cite the passage in the developer documentation that states this.
 
N
ppcebay said:
"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version."

Seems to me Apple was very clear, while the developer in this care decided not only to ignore it, but to admit it....
Click to expand...
no, the developers didn't think anything of it because Apples documentation clearly states that the apps will continue to work.

https://developer.apple.com/support/certificates/
 
  • Like
Reactions: adib, RuralJuror, Avenged110 and 2 others
Fuzzi said:
So you buy version 1.0 of a software, which will receive free updates for lets say 2 years. Afterwards the developer may release a paid upgrade to version 2.0. After those two years you'd still expect the old version to continue working, wouldn't you?
Click to expand...
That's not my point. My point is that people were complaining about this not working, and used the scenerio that if developer dies then once the cert expires the app will stop working.

I was pointing out if the developer or company walks away from the app (or dies), then that app may very well stop working due to other circumstances like OS updates. Some people were arguing about how the cert will prevent their apps from working if the developer dies, and I was merely pointing out that if the developer dies, then the app may stop working for a variety of reasons and to complain about the cert seems odd
 
fhall1 said:
No you aren't -allowing "from anywhere " does not make the software stop crashing on launch. It's also not just a Sierra thing - also happens in 10.11.6
Click to expand...
AFAIK "allowing from anywhere" isn't disabling gatekeeper, you have to do it via terminal. I'm not currently having the issue
 
Fuzzi said:
N

no, the developers didn't think anything of it because Apples documentation clearly states that the apps will continue to work.

https://developer.apple.com/support/certificates/
Click to expand...
The page you linked clearly talks ONLY about MAS apps....and MAS purchases were not affected...don't see your point.

EDIT:
If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

An expired certificate is..."revoked"
 
There is a workaraound (I did this for PDFPen before the new version was released - don't blame me if you screw something up):


1. open Keychain Access (/Applications/Utilities/Keychain Access)
2. Select "Keychain Access > Certificate Assistant > Create a Certificate…" and create yourself a self-signed certificate (use a name (without spaces) and change “Certificate type” to “Code Signing”)
3. File > Get Info on that certificate
4. select "Code Signing > Always Trust"
5. In terminal, type "sudo codesign -s <CERTIFICATE_NAME_HERE> -f /Applications/PDFPenPro.app
(obviously change the app name if you're signing a different app)

check “Let me override defaults” in order to enter a date a few years into the future - otherwise its default is one year.

…this should re-sign the app with your own certificate, and you're set.
 
  • Like
Reactions: adib and zuiram
ppcebay said:
The page you linked clearly talks ONLY about MAS apps....and MAS purchases were not affected...don't see your point.

EDIT:
If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

An expired certificate is..."revoked"
Click to expand...
No. Revokation and expiration are two completely different things.
Revocation is only done in very specific cases, e.g. if a developer did something malicious, the certificate was stolen or similar.

Also the docs clearly talk about developer id signed applications -> distributed outside the MAS
 
Last edited:
  • Like
Reactions: Demo Kit and RuralJuror
ppcebay said:
The page you linked clearly talks ONLY about MAS apps....and MAS purchases were not affected...don't see your point.

EDIT:
If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

An expired certificate is..."revoked"
Click to expand...

Beside difference in expired/revoked, it was not about installation - previously installed applications stopped working.
 
maflynn said:
That's not my point. My point is that people were complaining about this not working, and used the scenerio that if developer dies then once the cert expires the app will stop working.

I was pointing out if the developer or company walks away from the app (or dies), then that app may very well stop working due to other circumstances like OS updates. Some people were arguing about how the cert will prevent their apps from working if the developer dies, and I was merely pointing out that if the developer dies, then the app may stop working for a variety of reasons and to complain about the cert seems odd
Click to expand...

I agree that if development of an app ceases it may stop working at some point because of an OS update or other reasons. But cert expiration shouldn't be one of them. On the other hand, I expect vendors whose apps are under active development to stay on top of this. In AgileBits' case, their renewed certificate still didn't work because of another cert-related problem, which they've fixed with a release that has to be installed manually.
 
maflynn said:
I was pointing out if the developer or company walks away from the app (or dies), then that app may very well stop working due to other circumstances like OS updates.
Click to expand...

Yes, even without this certificate issue, an abandoned app may stop working. Or it may not - responsible OS developers don't introduce app-breaking changes lightly, and you can always choose to hold off major OS updates for a year or two until you've found a new solution.

With this issue, an abandoned app will stop working when the certificate expires. Like clockwork (you don't know when D-day is, so it will come without warning for you, but it is pre-ordained) For a totally avoidable (and, in this case, apparently undocumented) reason. Even if you don't upgrade the OS.

The certificate needs to have been valid when the app was signed. There's absolutely no security reason to do more than pop up a warning if it has expired (as opposed to revoked) when the app is run.

This is either a bug or a prime example of "defective by design".
 
  • Like
Reactions: RuralJuror, Avenged110, thejadedmonkey and 1 other person
maflynn said:
Some people were arguing about how the cert will prevent their apps from working if the developer dies, and I was merely pointing out that if the developer dies, then the app may stop working for a variety of reasons and to complain about the cert seems odd
Click to expand...

May. As opposed to "is scheduled to [stop working]". Surely you see a meaningful distinction?

No software lasts forever, but planned obsolescence unrelated to functionality, of software already installed and working fine, seems to at the very least ignore the principle of least astonishment. Indeed, no doubt a number of users were quite astonished to find their system mysteriously ceasing to do what it had done so well for some time, reminiscent of the wintendo experience of yesteryear, though for different reasons.

It is one of the main complaints about DRM systems and "mandatory" DLCs in games, that one is reliant on the continued existence of the original provider, and continued interest of said provider in providing on an ongoing basis, leading to the inevitable loss of what may still be serviceable, and in the long term leading to a digital dark age in which historians can no longer catch a glimpse of our time due to its existence having been made needlessly reliant on a mortal entity (such as a company) willing it to exist by providing certs and keys and so forth. You can still fire up a PDP-11 emulator and reconstruct the environment in which a certain document was processed by a certain piece of software way back when, allowing you to work with data that are in a no longer intelligible format. You can probably still turn back the time to get expired certs to work again, but when that changes for other (presumably sound) reasons, even that is up in the air.

I certainly agree that Apple is under no obligation to keep software working, and that authors should be diligent in maintaining their certificates if possible (death, depression and other conditions can of course permanently or intermittently render the necessary action impossible), but the organic process of bits and pieces breaking down over time is materially different from the policy process of swaths of software being culled regularly. Organic failure would be having the behavior stated in the documentation, i.e. that updates and new installs become impossible when the cert dies, and that incompatibilities accumulate over successive updates.

Software can and should go extinct. It should not be wiped out. Especially not the installed base. (IMNSFHO etc.)

Practically, it's not a huge deal, but as a policy, it has implications at odds with responsible computing.

ETA: Luggage nailed it. Should I null this post?
 
Last edited:
  • Like
Reactions: Demo Kit and RuralJuror
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back