Apple apologizes to developers for Mac App Store certificate flap, explains fix

Posted in macOS, edited November 2015
Apple in a note to developers on Tuesday apologized for last week's Mac App Store app signing issue that rendered certain applications inoperable, explaining server-side fixes and offering app makers instructions on how to patch affected software.




The letter, sent out by Apple Developer Relations, addressed a problem that caused users to see a false "damaged" error when opening certain apps, which in some cases forced a delete and re-download. A copy of the note was posted to Twitter by developer Donald Southard, Jr.

In summary, Apple said a planned Mac App Store app signing certificate update was the main cause of last week's problems.

"In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm."

The company went on to say that a Mac App Store caching issue stored outdated certificate information on user Macs, which explains why a full system restart or re-download from the MAS solved the error for some. The problem is being addressed in a forthcoming OS X update.

The caching issue was compounded by apps running receipt validation code containing "very old versions" of OpenSSL not compatible with SHA-2 certificates. Apple replaced the SHA-2 certificate with a SHA-1 certificate last Thursday.

With the fixes in place, most of last week's Mac App Store maladies have been resolved, though Apple urges developers to check their code against its Receipt Validation Programming Guide and, if necessary, resubmit updated apps to iTunes Connect for expedited review.
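The failure described above comes down to validation code that cannot handle, or never looks at, the digest named in the certificate. The following added example (not Apple's code and not any developer's receipt validator) reads the signatureAlgorithm field from a DER certificate and hashes accordingly, next to the hard-coded SHA-1 path. The sample certificates are constructed, unsigned skeletons, and all function names are hypothetical; real receipt validation verifies a full PKCS#7 signature, which this does not attempt.

```python
import hashlib

# DER-encoded signature-algorithm OIDs and the digest each one implies.
SIG_ALG_DIGESTS = {
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_cert(cert_der):
    """Return (digest named by signatureAlgorithm, raw tbsCertificate)."""
    _, cert, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, _, end_tbs = read_tlv(cert, 0)               # tbsCertificate
    _, alg, _ = read_tlv(cert, end_tbs)             # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    if oid not in SIG_ALG_DIGESTS:
        # Fail closed on anything unknown instead of guessing a digest.
        raise ValueError("unsupported signature algorithm " + oid.hex())
    return SIG_ALG_DIGESTS[oid], cert[:end_tbs]

def tbs_digest(cert_der, assume=None):
    """Hash tbsCertificate with the declared digest, or a hard-coded one."""
    declared, tbs = parse_cert(cert_der)
    return hashlib.new(assume or declared, tbs).digest()

def der(tag, body):                                 # short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(last_arc):
    """Constructed, unsigned certificate skeleton; not a real certificate."""
    oid = der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc]))
    return der(0x30, der(0x30, der(0x02, b"\x01"))
               + der(0x30, oid + der(0x05, b"")) + der(0x03, b"\x00\xaa"))

SHA1_CERT, SHA256_CERT = sample_cert(5), sample_cert(11)
```

With `assume="sha1"` the SHA-256 certificate yields a 20-byte digest that can never match a signature computed over the 32-byte SHA-256 digest, so verification fails even though the certificate is intact.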

Comments

  • Reply 1 of 12
    How about an apology to all of the customers who purchased Quicken through the App Store. It stopped working one week after the October 22, 2015 version update. Transaction downloads stopped working because Intuit issued three more versions but none were available through the App Store. Intuit simply abandoned all Quicken users who chose to purchase via the App Store, and Apple has taken no steps to address the situation. So much for Apple protecting its customers. I doubt I'll purchase software through the App Store again.
  • Reply 2 of 12
    Yet another reason why many devs don't trust the Mac App Store, which, frankly, is a bit of a joke. And this "explanation" should have been sent out earlier than this. Heck, Apple could have at least acknowledged the problem.
  • Reply 3 of 12
    Quote:
    Originally Posted by TheWhiteFalcon

    Yet another reason why many devs don't trust the Mac App Store, which, frankly, is a bit of a joke.

    Apple collected five billion dollars in App Store revenue last quarter alone. Some joke.

  • Reply 4 of 12
    Quote:
    Originally Posted by john galt

    Apple collected five billion dollars in App Store revenue last quarter alone. Some joke.

    The iOS App Store is not the Mac App Store. And most major Mac app developers aren't in the MAS.

    But both stores have the same issues; no trials, no paid upgrades, discovery problems galore. So there's that.

  • Reply 5 of 12
    ascii Posts: 5,941 member

    This is not purely Apple's fault. For example I have a lot of games bought from the Mac App Store and I noted that all the games from Feral Interactive were fine and all the ones from Aspyr Media fell down.

     

    The reason being that developers write their own code to check their receipts, not Apple. And when Apple changed from a SHA1 hash to a SHA2 one, some of these developers' code fell down. And if they were using OpenSSL (which is what Apple's example code suggests) this would only have happened if they were using a version earlier than 0.9.8o from 2010!

     

    With the number of vulnerabilities discovered in OpenSSL since 2010, shame on any developer still linking against it. So basically any of your apps that broke, you know the developer has not been keeping their 3rd party libs up to date. The other possibility is that they were not reading the field of the cert that says what the hashing alg. is, and were simply assuming it was SHA1, which would also be bad coding practice.

     

    Apple should have stuck to their guns and insisted that everyone upgrade to SHA2 and resubmit their apps, for the good of the platform overall.

  • Reply 6 of 12
    Originally Posted by TheWhiteFalcon

    The iOS App Store is not the Mac App Store.

    Originally Posted by ascii

    Apple should have stuck to their guns and insisted that everyone upgrade to SHA2 and resubmit their apps, for the good of the platform overall.

    Here’s most of the explanation for why developers eschew the Mac App Store, presented fairly concisely. The platform isn’t as ubiquitous as their phones and developers are lazy (or frightened) and refuse to update (or don’t want to lose userbase) their code.

  • Reply 7 of 12
    evilution Posts: 1,347 member
    I wonder if Apple will reimburse me the money I spent on Photoshop Elements 14 to sort the issue I had with my old Elements 9 that was apparently damaged on both of my Macs, just when I needed to edit some photos urgently?

    Tiny bit angry that I had to give money to Adobe and that I wasted a fair sized chunk of my limited broadband allowance redownloading Photoshop Elements 9, as recommended by Apple, just to receive the error.
  • Reply 8 of 12
    slurpy Posts: 5,115 member
    evilution wrote:
    I wonder if Apple will reimburse me the money I spent on Photoshop Elements 14 to sort the issue I had with my old Elements 9 that was apparently damaged on both of my Macs, just when I needed to edit some photos urgently?

    Tiny bit angry that I had to give money to Adobe and that I wasted a fair sized chunk of my limited broadband allowance redownloading Photoshop Elements 9, as recommended by Apple, just to receive the error.

    Not Apple's fault that you have an insanely small broadband allowance, that downloading a single small application like Photoshop Elements uses a "fair chunk" of it. Maybe, I don't know, switch to a reasonable plan?
  • Reply 9 of 12
    evilution wrote:
    I wonder if Apple will reimburse me the money I spent on Photoshop Elements 14 to sort the issue I had with my old Elements 9 that was apparently damaged on both of my Macs, just when I needed to edit some photos urgently?

    Tiny bit angry that I had to give money to Adobe and that I wasted a fair sized chunk of my limited broadband allowance redownloading Photoshop Elements 9, as recommended by Apple, just to receive the error.

    The exact same thing happened to me. I contacted Adobe and they said they would send a new SN to me in a week so I downloaded PSE 14 trial version in the meantime.

    Now that Apple fixed the problem I can download PSE 9 from Adobe.
  • Reply 10 of 12
    evilution Posts: 1,347 member
    slurpy wrote:
    Not Apple's fault that you have an insanely small broadband allowance, that downloading a single small application like Photoshop Elements uses a "fair chunk" of it. Maybe, I don't know, switch to a reasonable plan?

    Clearly you are not understanding the crux of my complaint. If a restart and redownloading PSE9 had worked, it wouldn't have been a waste of data, however, it was.
    Having to download PSE14 was also a waste of data and money.

    As for your Sherlock style deduction that I should get a better broadband package, well done for knowing the full situation before commenting.
    In the US, they believe it's everyone's right to own a gun and have super fast unlimited broadband, however, it's not anyone's right to free healthcare.
    In the UK we have it the other way around. Not everyone has decent broadband but on the flip side, we have very low gun related death and we don't get stung for thousands when we get ill. I know which one I'd prefer. I live in the heart of the countryside, surrounded by farms and greenery, nice and peaceful. For me to have an unlimited broadband package I'd have to use the original phone line that was installed in the house over 60 years ago. Do you think you could live with 3mb download speeds?

    So I have to use a 4G dongle and tether to it. The highest data allowance for these packages is 50Gb but then I do get a usable speed around 18mb.
    What would you do? Unlimited and unusably slow or limited and useable? I can't magic up a broadband package that doesn't exist.
  • Reply 11 of 12
    evilution Posts: 1,347 member
    cotten990 wrote:
    The exact same thing happened to me. I contacted Adobe and they said they would send a new SN to me in a week so I downloaded PSE 14 trial version in the meantime.

    Now that Apple fixed the problem I can download PSE 9 from Adobe.

    Unfortunately I was one of the first people to have the problem. I had closed PSE9 only 20 minutes before and then it refused to open. There were no reports of this error online so I had no idea what the issue was. At no point did I think that it was Apple's fault and that the error would fix itself so I didn't think it was worth a short trial run.

    I'm glad it is sorted now though. I have gone back to using PSE9 as I don't like the layout and the usability of PSE14. It has a load of stuff I really don't need.
  • Reply 12 of 12
    damonf Posts: 217 member

    Seems like OS X also needs to return a different error than "The app is damaged", which is rather misleading.  Stating "A certificate has expired" would be a more appropriate error message.
