Expiring Developer Certificates Causing Some Mac Apps to Refuse to Launch

A number of Mac apps failed to launch for users over the weekend because of a change to the way Apple certifies apps that have not been bought directly from the Mac App Store.

Several users of apps including Soulver and PDFPen who had downloaded the apps from the developers' websites all reported immediate crashes on launch. Developers of the apps quickly apologized and said that the issue was down to the apps' code signing certificates reaching their expiration date.

Apple issues developer signing certificates to assure users that an app they have downloaded outside of the Mac App Store is legitimate, comes from a known source, and hasn't been modified since it was last signed. In the past, the expiration of a code signing certificate had no effect on already shipped software, but that changed last year, when Apple began requiring apps to carry something called a provisioning profile.


A provisioning profile tells macOS that the app has been checked by Apple against an online database and is allowed to perform certain system actions or "entitlements". However, the profile is also signed using the developer's code signing certificate, and when the certificate expires, the provisioning profile becomes invalid.

Victims of expired provisioning profiles over the weekend included users of 1Password for Mac who had bought the app from the developer's website. AgileBits explained on Sunday that affected users would need to manually update to the latest version (6.5.5), noting that those who downloaded 1Password from the Mac App Store were unaffected. The developers' surprise was explained in a blog post:

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that's not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

Currently, the common factor among affected apps appears to be those that were issued iCloud entitlements as part of their provisioning profile. Smile, developers of PDFpen and PDFpenPro, told TidBITS that users would need to manually download the latest updates to the apps to fix the problem.

Acqualia, developers of number-crunching app Soulver, also apologized for the problem and asked affected users to download an update to fix the issue.

As the above suggests, the immediate solution for developers with potentially affected apps is to renew their code signing certificates before they expire. AgileBits said the incident had given them "a new understanding of the importance of expiring provisioning profiles and certificates" and would be renewing its current certificate, due to expire in 2022, "far before then".

Top Rated Comments

(View all)
Avatar
47 months ago

Very, very poor show from the developers. No excuse for their laziness/lack of awareness.

That's got to be the saddest reply I've seen this year. Go blame the developers for Apple's BULLCRAP NONSENSE. :rolleyes:

Software you have already installed and was already validated should NEVER STOP WORKING. PERIOD. There is NO EXCUSE for what Apple did as this will invalidate any software that authors stop updating.

What happens if an author dies or stops developing Mac software? Your older software should just stop working? What a load of crap and even more so for someone defending Apple.

As far as I'm concerned it's just another reason NOT to upgrade to Sierra. Apple is doing its damn best to screw the pooch for everyone when it comes to open software development. They clearly want the tools in place to invalidate your entire software library at the push of a button like they can already do on iOS devices and slowly keep heading in that direction with every Mac OS update.

Lets not forget last year's BS where Apple forgot to renew THEIR OWN certificates which caused total HAVOC with App Store Applications! My god was that a fracking mess! And did Apple do anything to make up for it? Yeah, they made Sierra even more bonkers nuts. Great job Apple. INFERIOR products is sadly becoming par for the course with Apple. (Wasn't that just a week ago I ready about black paint chipping off brand new iPhones?) :confused:
Score: 46 Votes (Like | Disagree)
Avatar
47 months ago

Amateur hour. Devs are happy to bemoan Apple taking their 30% - but can't even be bothered to sort this out?

The Apple documentation says



* Developer ID Application Certificate and Developer ID Installer Certificate (Mac applications)
If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you will need a new certificate to sign updates and new applications. If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

https://developer.apple.com/support/certificates/

I think this is definitely an Apple bug. Developers were just relying on the information given by Apple, which turned out to be false.
Score: 11 Votes (Like | Disagree)
Avatar
47 months ago
N

"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version."

Seems to me Apple was very clear, while the developer in this care decided not only to ignore it, but to admit it....

no, the developers didn't think anything of it because Apples documentation clearly states that the apps will continue to work.

https://developer.apple.com/support/certificates/
Score: 5 Votes (Like | Disagree)
Avatar
47 months ago

I was pointing out if the developer or company walks away from the app (or dies), then that app may very well stop working due to other circumstances like OS updates.

Yes, even without this certificate issue, an abandoned app may stop working. Or it may not - responsible OS developers don't introduce app-breaking changes lightly, and you can always choose to hold off major OS updates for a year or two until you've found a new solution.

With this issue, an abandoned app will stop working when the certificate expires. Like clockwork (you don't know when D-day is, so it will come without warning for you, but it is pre-ordained) For a totally avoidable (and, in this case, apparently undocumented) reason. Even if you don't upgrade the OS.

The certificate needs to have been valid when the app was signed. There's absolutely no security reason to do more than pop up a warning if it has expired (as opposed to revoked) when the app is run.

This is either a bug or a prime example of "defective by design".
Score: 4 Votes (Like | Disagree)
Avatar
47 months ago

The page you linked clearly talks ONLY about MAS apps....and MAS purchases were not affected...don't see your point.

EDIT:
If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.

An expired certificate is..."revoked"

Wrong, wrong, wrong. Expired and Revoked are completely different things. "Expired" means "this is a perfectly fine certificate and always was, but unfortunately it is now out of date". "Revoked" means "this is a highly dodgy certificate that should have never been trusted in the first place. Unfortunately we only found out just now. So don't trust anything signed with this certificate".
Score: 4 Votes (Like | Disagree)
Avatar
47 months ago

Expired certificate is no longer trusted. Revoked certificate is no longer trusted, although it did not expire yet. In terms of certificate management, both lead to the same status: cert is not trusted. Hence the described issue.

Completely different. Expired certificate was trusted. It was used to verify the app, therefore the app can be trusted. Expiration doesn't matter: The app was verified with a trusted certificate, so it can be trusted, 100 years after expiration of the certificate.

A revoked certificate has just been found out to be untrustworthy. It should never have been trusted in the first place. The app was verified with a certificate that should never have been trusted, therefore the app cannot be trusted.

It's like the difference between a child minder who let his certification slip, and a child minder who you just found is a multiple child killer. You don't trust either, but there is just that tiny little difference... And of course if you had been using a child minder for a year and his certification runs out, it's still the same person so you can trust them just as much as the day before.
Score: 3 Votes (Like | Disagree)

Top Stories

Leaker: 'iPhone 12 mini' and iPhone 12 Storage Capacities Start at 64GB, Pro Models at 128GB

Tuesday September 29, 2020 2:31 am PDT by
Rumors suggest Apple's iPhone 12 launch event will be held on October 13, with the more affordable 5.4 and 6.1-inch devices set to ship out ahead of the more expensive 6.1-inch and 6.7-inch Pro devices, and this morning hit-and-miss leaker Jon Prosser has further committed to that date by providing alleged details on Apple's first shipment of finalized iPhone 12 units. Prosser claims the...

Hands-On With iOS 14.2's New Shazam Music Recognition Toggle in Control Center

Monday September 28, 2020 2:35 pm PDT by
Shortly after launching iOS 14, Apple introduced an upcoming iOS 14.2 update, which is now available to developers and public beta testers ahead of a public release that could come at some point in October. Subscribe to the MacRumors YouTube channel for more videos. The iOS 14.2 update mainly focuses on the Control Center, introducing a new Music Recognition toggle that deepens the Shazam...

iPhone 12 'Pro Max' Model to Sport Unique High-End Features

Wednesday September 30, 2020 2:01 am PDT by
The upcoming "iPhone 12 Pro Max" is anticipated to have a number of unique high-end features not found on any other iPhone, such as its screen size, LiDAR scanner, faster 5G, and potentially a higher display refresh rate. The iPhone 12 Pro Max is also expected to be the largest ever iPhone, with a 6.7-inch display. Previously, the largest iPhones have been 6.5-inches in the iPhone XS Max and ...

DigiTimes: 12.9-inch Mini-LED iPad Pro Arriving Early 2021, Mini-LED MacBook Coming Later

Tuesday September 29, 2020 4:18 am PDT by
Apple will launch a 12.9-inch mini LED-backlit iPad Pro in early 2021 and a mini LED-backlit MacBook in the second-half of next year, according to DigiTimes. The Taiwan-based industry publication claims Epistar will supply the over-10,000 mini LEDs used in each iPad Pro tablet. Meanwhile, Apple is expected to recruit Osram Opto as another supplier of mini LEDs for use in a new "high-end"...

iOS 14.2 Suggests Apple Won't Include EarPods in the Box With iPhone 12

Tuesday September 29, 2020 2:19 pm PDT by
Rumors have suggested that Apple's iPhone 12 models will not include power adapters or EarPods in the box, and a minor code tweak in iOS 14.2 seemingly confirms Apple's plan to sell the new devices without EarPods. In iOS 14 and earlier versions of iOS, there's a mention of reducing exposure to RF energy by using the "supplied headphones," which is the same wording that Apple has used for...

iPhone 12 Production Lines at Foxconn's Zhengzhou Factory in China Running '24 Hours a Day'

Tuesday September 29, 2020 3:38 am PDT by
Apple contract manufacturer Foxconn is running its massive Zhengzhou factory in China 24 hours a day to produce the new iPhone 12, according to Chinese media reports. Apple's main iPhone manufacturer in China is said to be cancelling workers' holidays and introducing mandatory overtime with additional bonuses for longer-serving staff, according to information garnered from employees,...

iPhone 12 May Launch Earlier Than Usual in South Korea

Monday September 28, 2020 5:24 am PDT by
The upcoming iPhone 12 lineup may launch earlier than usual in South Korea, reports The Korea Herald. South Korean telecoms firms speaking to The Korea Herald have said that the iPhone 12 lineup will launch ahead of its usual schedule. Normally, the release of new iPhones in South Korea comes about one month after launch in the United States. Last year, the iPhone 11 arrived in South Korea ...

iOS 14.2 Beta 2 Adds New Emoji Characters like Ninja, Pinata, Bubble Tea, Polar Bear and More

Tuesday September 29, 2020 11:22 am PDT by
The second beta of iOS 14.2 introduces the new Emoji 13 characters that Apple previewed earlier this year as part of World Emoji Day. New emoji options include ninja, people hugging, black cat, bison, fly, polar bear, blueberries, fondue, bubble tea, and more, with a list below. Faces - Smiling Face with Tear, Disguised Face People - Ninja, Person in Tuxedo, Woman in Tuxedo, Person...

Epic Games Unlikely to Win Injunction in Ongoing Fortnite Battle With Apple, Jury Trial Possible

Monday September 28, 2020 1:14 pm PDT by
The ongoing legal dispute between Apple and Epic Games continued on today, with a preliminary injunction hearing taking place this morning. We're still waiting to hear the judge's official ruling, but it looks like Epic is not going to be granted an injunction to allow Fortnite back into the App Store as the case unfolds. Many of the arguments that lawyers for Apple and Epic Games made were...

Apple Releases Ninth Beta of macOS Big Sur to Developers

Tuesday September 29, 2020 10:07 am PDT by
Apple today seeded the Ninth beta of an upcoming macOS Big Sur update to developers for testing purposes, a week after releasing the eighth beta and more than two months after the new update was unveiled at the Worldwide Developers Conference. The macOS Big Sur beta can be downloaded through the Apple Developer Center and once the appropriate profile is installed, subsequent betas will be...