Yes, OS update is known risk for old apps. That's why people still use Windows 95, Windows 3.1 & DOS for old apps. But introduction of this new requirement for up-to date dev certificate benefits nobody and only increase Apple's control of their eco systems. Some people may like that - you getting safer environment, but sacrifice freedom. You only allowed to do what Apple wants you to do and only in a way how Apple wants you to do it. Luckily we have a free choice of OS (yet).
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Expiring Developer Certificates Causing Some Mac Apps to Refuse to Launch
- Thread starter MacRumors
- Start date
- Sort by reaction score
Yes, OS update is known risk for old apps. That's why people still use Windows 95, Windows 3.1 & DOS for old apps. But introduction of this new requirement for up-to date dev certificate benefits nobody and only increase Apple's control of their eco systems. Some people may like that - you getting safer environment, but sacrifice freedom. You only allowed to do what Apple wants you to do and only in a way how Apple wants you to do it. Luckily we have a free choice of OS (yet).
Yeah, because they were rushed to release an update due to the Apple bug.
Autoupdate wouldn't have worked in any case because the system wouldn't even allow the app to start.
(AgileBits) "We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version."
They push new versions of 1Password every few weeks, though. They made that long blog post with follow-up comments explaining what happened, but they still haven't explained why they didn't just renew their certificate on time, as a matter of business, like renewing a domain name registration, or web hosting, or paying their phone bill. Was $100/year as an Apple developer a hardship? (Or are code signing certificates no longer included for free?)
They push new versions of 1Password every few weeks, though. They made that long blog post with follow-up comments explaining what happened, but they still haven't explained why they didn't just renew their certificate on time, as a matter of business, like renewing a domain name registration, or web hosting, or paying their phone bill. Was $100/year as an Apple developer a hardship? (Or are code signing certificates no longer included for free?)
Why they had to renew certificate if they were not aware of any negative consequences of not renewing it?
As I just said, they would have been "pushing a new version" within weeks (or days), anyway, so why not just keep things up to date as a matter of good business practice?
It is their internal matter when to renew certificate, it maybe not the best practise but definitely not their fault that currents apps stopped working. They were not aware that they must to renew it before expiration.
So they let it lapse for a few weeks to save a few bucks. I agree that's what it seems to come down to, but it's less than I'd expect from AgileBits as a user of 1Password on three different platforms. In fact, the amount I've paid alone would just about cover a year of Apple dev membership.
The savings for them would be negligible in the grand scheme of things. More likely they just neglected to get to it because they had other things to do and based on what they already knew about Apple's documented guidelines it didn't seem like a high priority.
HobeSoundDarryl
macrumors G5
Is certificate renewals just an operational thing (fill out an online form or something like that) and/or is there a fee involved? If the latter, who is paid the fee?
That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE.
Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.
What happens if an author dies or stops developing Mac software? Your older software should just stop working? What a load of crap and even more so for someone defending Apple.
As far as I'm concerned it's just another reason NOT to upgrade to Sierra. Apple is doing its damn best to screw the pooch for everyone when it comes to open software development. They clearly want the tools in place to invalidate your entire software library at the push of a button like they can already do on iOS devices and slowly keep heading in that direction with every Mac OS update.
Lets not forget last year's BS where Apple forgot to renew THEIR OWN certificates which caused total HAVOC with App Store Applications! My god was that a fracking mess! And did Apple do anything to make up for it? Yeah, they made Sierra even more bonkers nuts. Great job Apple. INFERIOR products is sadly becoming par for the course with Apple. (Wasn't that just a week ago I ready about black paint chipping off brand new iPhones?)
You do not understand the process. Please... Take the time to educate yourself before embarrassing yourself.
Yeah, sorry but no. These are some of Apple's best 3rd party app developers falling prey to this - it is nothing they did. Apple is the one that made a change to the security requirements (Which honestly doesn't even make sense, basically it looks like if these devs closed shop today their certificates would be invalidated and all users software would just crap out immediately.)
I didn't have any problems with 1Password over the weekend and it was news to me about the problem unti I read the article this morning.
Maybe there is an advantage to being one version behind in software because when I tried to update I found out that I had an older version?
Yep, this happened to me. My 1Password stopped working suddenly. Luckily I know how to use google and had it working again within 5mins.
Agreed with the "forever" part, but it should at least work UNTIL OS upgrades leave it behind, because any upgrade would require the developer to also update the certificate.
Once it's obvious that an app no longer is supported, consumers would have to look for alternatives, which would put the decision into their hands. Again, Until then the latest version of an app should run with the last approved certificate. (Kind of grandfathered)
The developers probably misinterpreted or underestimated what would happen, if they didn't renew.
In the case of smileOnMyMac pdf pen/pdfpenPro they informed customers that theirs expired and their new certificate is made out to be for another 5 years.
Maybe that is the way to go. If a developer is still supporting their app for or after 5 years, chances are it's worthwhile and will not be abandoned.
BTW: Smile is excellent with support in responding to customer inquiries. pdfpenPro is a bread and butter app for me and is my default pdf reader app.
Anybody who wants to print anything with pdf reader DC and is getting gray hair while waiting for printing to happen should look into this app.
[doublepost=1487599989][/doublepost]
Yes, kind of like a drivers license. If you continue to drive renew it. If you no longer drive , let it go.
Why even take a chance to upset customers?
Don't see what is so difficult to understand by people.
Obviously they need to hire some H1B's at Agilebits. And Apple needs more, they work tirelessly and accurately, not like the current crew that let their certificates expire. Read their blog - they knew they would expire, but didn't think it would mean anything. Why not crank the clock ahead and see what happens before we all have to figure it out and get locked out of our accounts. I couldn't do my online banking until I got it fixed.
Moving to another password manager, I've had it.
Moving to another password manager, I've had it.
While I quite often disagree with MagnusvonMagnum, in this case he was absolutely spot on. I never had the impression that he needed education, and the one who embarrased himself is you.
The rules are: You don't accept an expired certificate to verify something. However, once you verified something with a certificate that wasn't expired at that time, that verification is correct even after the certificate expired. So if you downloaded their app _now_, with a certificate that is expired _now_, it should be rejected. But since the Mac checked the certificate when it wasn't expired, the app would be verified, and should stay verified and usable even after expiration of the certificate.
[doublepost=1487600251][/doublepost]
But this is one situation where the app _shouldn't_ break. Something that was verified with a certificate that wasn't expired at the time is verified. As long as it is the same certificate, even if that certificate is expired.
I, for one, agree with this "change". Remember, almost all of the Windows viruses and Malware come from so called developers that are outside of their App Store. If a developer is so hell-bent on his/her product, why not make it available on the App Store for all?
I am getting to the point that, if it's not on the app store, I dont use it.
Oh, by the way, the above comments are coming from a registered Apple developer and user.
I am getting to the point that, if it's not on the app store, I dont use it.
Oh, by the way, the above comments are coming from a registered Apple developer and user.
Well no, what Apple is doing is wrong. I'm a developer and I wouldn't expect my apps to crash that users have downloaded earlier with an old certificate when the certificate expires - because the expiration doesn't change that the app _has been verified_ once.
They probably did renew it on time. We have no way of knowing whether they did or not.
Renewing it on time is (now) not all that is required. This Apple bug means that you not only have to renew the certificate on time, you also have to push an update to your users BEFORE the old certificate expires.
In the past, you didn't have to do that. So AgileBits et al were probably expecting that they could push the updated certificate to their users with their next scheduled update, as used to be the case.
because the local date doesn't matter, the certs are checked via Apple servers and you can not just crank the clock ahead on those.
The 1password guys did nothing wrong here. You don't just replace a certificate without reason, Apple told developers the apps will continue to work fine with expired certificates, which wasn't true. No way for developers to verify that before it's too late.
It's only Apples fault.
Wrong, wrong, wrong. Expired and Revoked are completely different things. "Expired" means "this is a perfectly fine certificate and always was, but unfortunately it is now out of date". "Revoked" means "this is a highly dodgy certificate that should have never been trusted in the first place. Unfortunately we only found out just now. So don't trust anything signed with this certificate".
Apologies for the confusion. Trying out the "punctuation paradigm shift" of moving the punctuation to the right of the quotation marks. I realize it's "the British style", but apparently it increasingly rules on message and bulletin boards and has been adopted by Wikipedia and the journal of the Linguistic Society of North America.
But maybe that topic/debate could use a separate thread.
The period should always go inside the quotation marks in the USA. Also, other punctuation should be inside the quotation marks.
In the past, criticizing (spelled with a 'z' in the USA, 's' in the UK) MacRumors for grammar errors has resulted in warnings. The don't like to be criticized for split infinitives.
[doublepost=1487601333][/doublepost]It certainly is disconcerting to open an app - especially a financial one - and see the warning that the certificate has expired and the site may not be trustworthy … then Open Anyway?