Apple-issued developer certificate expires, causing crashes in 1Password and other apps

Posted:
in Mac Software edited February 2017
The consequences of an Apple-issued security certificate expiration combined with a change made by Apple, is leading to some apps purchased outside the app store like 1Password, PDFpen, and Soulver for Mac to require reinstallation with a new version before coming back to life -- but the issue may have lasting consequences for some software.




Over the weekend, a certificate issued by Apple required to access iCloud services expired, as expected. However, the immediate issue induced by the problem, coupled by a change in how Apple handles a lookup of apps allowed to perform certain functions, called "entitlements," had unforeseen side effects.

As a result, leading users of 1Password, PDFPen, and Soulver, amongst others, discovered that the apps relying on the certificate were crashing on launch. Apple's change in handling the variable meant that simply renewing the certificate wasn't sufficient to restore functionality.

"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version," said the 1Password developers in a blog post. "Apparently that's not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly."

A combination of factors led to 1Password not launching after simply updating the certificate, as the installer didn't recognize the new certificate as valid.

The "crash" turned out to be a feature of macOS in PDFPen's case. According to TidBits, the "taskgated-helper" system app examines a code signing certificate and compares it to the "entitlements" list. Should the the provisioning profile be linked to an expired certificate, macOS blocks the app with the expired certificate from launching.

Soulver, PDFPen, and 1Password have been updated by the developers to rectify the problem, and all users need to do is download an updated version and install it. However, other apps not updated as frequently, or abandoned by developers, may stop working with no recourse by users to get them to start working again.

Apps sold through the Mac App Store are signed by Apple, and not by the developer. Because of that, only apps sold outside the app store, needing "entitlements" are impacted by the problem.

While this issue is limited to apps purchased outside the Mac App Store, Apple has had its own problem with certificate expiration and unforeseen consequences. In Nov. 2015 an upgrade to SHA-2 certificate encryption caused issues in conjunction with a Mac App Store issue storing outdated certificate information on user Macs, which rendered many apps non-functional.

Comments

  • Reply 1 of 19
    crowleycrowley Posts: 10,453member
    Very shoddy work by Apple. 
    netmageSpamSandwichewtheckmanStrangeDaysasdasd
  • Reply 2 of 19
    crowley said:
    Very shoddy work by Apple. 
    Very dumb post by Crowley.
    SpamSandwichwatto_cobramacxpressStrangeDaysdoozydozennhtasdasdmacguibadmonkjony0
  • Reply 3 of 19
    So a developer I'm supposed to trust with my passwords just lets a certificate expire, and even admits they knew it was going to expire but didn't think it would matter?
    SpamSandwichwatto_cobraStrangeDays
  • Reply 4 of 19
    crowley said:
    Very shoddy work by Apple. 
    Such a comment by you is not unexpected. The developer failed to do their homework. It's their fault for not querying Apple.
    watto_cobraStrangeDays
  • Reply 5 of 19
    lkrupplkrupp Posts: 10,557member
    crowley said:
    Very shoddy work by Apple. 
    Blah, blah, blah, blah, shoddy, blah, blah, blah, blah, doomed, blah, blah, blah, Steve is dead, blah, blah, blah, no innovation, blah, blah, blah, blah, blah, blah...
    StrangeDaysdoozydozenwatto_cobrabadmonkjony0
  • Reply 6 of 19
    So a developer I'm supposed to trust with my passwords just lets a certificate expire, and even admits they knew it was going to expire but didn't think it would matter?
    They apparently weren't the only ones to not know that their programs can expire after being installed? That's probably an unfamiliar concept to most developers unless they're leasing software like Adobe does.
    edited February 2017 ewtheckman
  • Reply 7 of 19
    Apple implements a system that causes an application to stop working even when nothing has changed, requiring an update from the developer and reinstallation, and which does not take into account real-world cases such as users needing to use an older version of software or applications which are no longer being updated, and some of you have the nerve to blame the developer?!?!? Don't you think you're taking the Fan Boyz thing a bit far?
    edited February 2017 SpamSandwichasdasd
  • Reply 8 of 19
    Apple implements a system that causes an application to stop working even when nothing has changed, requiring an update from the developer and reinstallation, and which does not take into account real-world cases such as users needing to use an older version of software or applications which are no longer being updated, and some of you have the nerve to blame the developer?!?!? Don't you think you're taking the Fan Boyz thing a bit far?

    Fan Boyz? What are you, a 12 year old troll?

    Thousands upon thousands of developers don't seem to have this problem. It's absolutely their fault.
    SpamSandwichwatto_cobrajony0
  • Reply 9 of 19
    Apple implements a system that causes an application to stop working even when nothing has changed, requiring an update from the developer and reinstallation, and which does not take into account real-world cases such as users needing to use an older version of software or applications which are no longer being updated, and some of you have the nerve to blame the developer?!?!? Don't you think you're taking the Fan Boyz thing a bit far?

    Fan Boyz? What are you, a 12 year old troll?

    Thousands upon thousands of developers don't seem to have this problem. It's absolutely their fault.
    They don't? That's very presumptive of you. From the article:
    The "crash" turned out to be a feature of macOS in PDFPen's case. According to TidBits, the "taskgated-helper" system app examines a code signing certificate and compares it to the "entitlements" list. Should the the provisioning profile be linked to an expired certificate, macOS blocks the app with the expired certificate from launching.
    However, other apps not updated as frequently, or abandoned by developers, may stop working with no recourse by users to get them to start working again.
    These particular applications where included as examples, not the only apps having problems. In these cases, the developers were very active in creating a solution to a problem caused by Apple.
    badmonk
  • Reply 10 of 19

    Fan Boyz?
    What, you don't think that's an appropriate term for someone who absolutely ignores or excuses any problem caused by a the entity they're a fan of, even when the problem is serious and obviously that entity's fault?
  • Reply 11 of 19
    MacProMacPro Posts: 19,712member
    So a developer I'm supposed to trust with my passwords just lets a certificate expire, and even admits they knew it was going to expire but didn't think it would matter?
    Exactly, and that's why I would never risk using any such service.  KeyChain works fine for me.
    watto_cobra
  • Reply 12 of 19
    foggyhillfoggyhill Posts: 4,767member

    Fan Boyz?
    What, you don't think that's an appropriate term for someone who absolutely ignores or excuses any problem caused by a the entity they're a fan of, even when the problem is serious and obviously that entity's fault?
    No its not, especially in this case, it's lazy. You didn't make a proper argument at all.
    watto_cobra
  • Reply 13 of 19
    asdasdasdasd Posts: 5,686member
    Apple implements a system that causes an application to stop working even when nothing has changed, requiring an update from the developer and reinstallation, and which does not take into account real-world cases such as users needing to use an older version of software or applications which are no longer being updated, and some of you have the nerve to blame the developer?!?!? Don't you think you're taking the Fan Boyz thing a bit far?

    Fan Boyz? What are you, a 12 year old troll?

    Thousands upon thousands of developers don't seem to have this problem. It's absolutely their fault.
    It's not. It's Apple's fault. They will probably fix it in some release (as they fixed the Nov 2015 issue). 

    An expired dev cert should stop new versions launching( newly compiled with the old cert that is) but that's it. 

    Otherwise apps would stop working daily. 
    edited February 2017 ewtheckman
  • Reply 14 of 19
    Can't you simply disable gatekeeper to run this apps?
  • Reply 15 of 19
    There is a brief (2 comments) discussion of this over at MacInTouch that gives some important details of what went wrong.

    https://www.macintouch.com/forums/showthread.php?tid=1032&pid=15507#pid15507

    The short version is that Apple added a feature requiring code signing for non-Apple Store applications to access certain features, such as access to iCloud. (Generally a good thing.) But they treated expired certificates exactly like revoked certificates, which is a bad thing.
  • Reply 16 of 19

    foggyhill said:

    Fan Boyz?
    What, you don't think that's an appropriate term for someone who absolutely ignores or excuses any problem caused by a the entity they're a fan of, even when the problem is serious and obviously that entity's fault?
    No its not, especially in this case, it's lazy. You didn't make a proper argument at all.
    The argument was prior to using the term. I used it to demonstrate my contempt for those who place the blame where it clearly does not belong.
  • Reply 17 of 19
    crowleycrowley Posts: 10,453member
    crowley said:
    Very shoddy work by Apple. 
    Very dumb post by Crowley.
    Why's that?  How is this not Apple screwing up, and third parties getting messed up by it?

    Grow up.
    edited February 2017
  • Reply 18 of 19
    crowleycrowley Posts: 10,453member
    lkrupp said:
    crowley said:
    Very shoddy work by Apple. 
    Blah, blah, blah, blah, shoddy, blah, blah, blah, blah, doomed, blah, blah, blah, Steve is dead, blah, blah, blah, no innovation, blah, blah, blah, blah, blah, blah...
    Not at all.  Just shoddy work.

    Grow up.
  • Reply 19 of 19
    focherfocher Posts: 687member
    It's so difficult to know who to blame in this situation.  So, like an adult who faces comparable situations in every day life, I choose to just manually install the update and move on. 

    Seriously, how do some of you get dressed in the morning?
Sign In or Register to comment.