Apple apologizes to developers for Mac App Store certificate flap, explains fix
Apple in a note to developers on Tuesday apologized for last week's Mac App Store app signing issue that rendered certain applications inoperable, explaining server-side fixes and offering app makers instructions on how to patch affected software.

The letter, sent out by Apple Developer Relations, addressed a problem that caused users to see a false "damaged" error when opening certain apps, which in some cases forced a delete and re-download. A copy of the note was posted to Twitter by developer Donald Southard, Jr.
In summary, Apple said a planned Mac App Store app signing certificate update was the main cause of last week's problems.
The company went on to say that a Mac App Store caching issue stored outdated certificate information on user Macs, which explains why a full system restart or re-download from the MAS solved the error for some. The problem is being addressed in a forthcoming OS X update.

"In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm."
The caching issue was compounded by apps running receipt validation code containing "very old versions" of OpenSSL not compatible with SHA-2 certificates. Apple replaced the SHA-2 certificate with a SHA-1 certificate last Thursday.
With the fixes in place, most of last week's Mac App Store maladies have been resolved, though Apple urges developers to check their code against its Receipt Validation Programming Guide and, if necessary, resubmit updated apps to iTunes Connect for expedited review.
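As an added illustration (not from Apple's note, the article, or Apple's sample receipt code): a small Python walker over the DER bytes of an X.509 certificate that reports which digest its signature algorithm names, checks that the inner and outer algorithm fields agree, and asks the local crypto library whether it can compute that digest, which is the check that receipt validation built on a very old OpenSSL would have failed. The certificate bytes are a constructed skeleton, not a real Mac App Store certificate.

```python
import hashlib
# Signature-algorithm OIDs relevant to the SHA-1 -> SHA-2 certificate change
SIG_ALG_OIDS = {"1.2.840.113549.1.1.5": "sha1", "1.2.840.113549.1.1.11": "sha256"}
# Constructed X.509 skeleton (not a real certificate): only version, serial and the
# two AlgorithmIdentifier fields are present, then a placeholder signature BIT STRING.
SAMPLE_CERT_HEX = ("302c3017a003020102020101" "300d06092a864886f70d01010b0500"
                   "300d06092a864886f70d01010b0500" "030200ff")

def der_tlv(buf, pos):
    # Decode one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    # All (tag, value_start, value_end) triples inside a constructed value
    items, pos = [], start
    while pos < end:
        items.append(der_tlv(buf, pos))
        pos = items[-1][2]
    return items

def alg_oid(buf, alg_id):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... }; return the OID as text
    _, s, e = der_children(buf, alg_id[1], alg_id[2])[0]
    raw = buf[s:e]
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set = continues
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def certificate_digest(cert_der):
    # Digest named by the signature algorithm, after checking that the inner
    # tbsCertificate.signature and outer signatureAlgorithm agree (RFC 5280 4.1.1.2)
    tbs, outer, _sig = der_children(cert_der, *der_tlv(cert_der, 0)[1:])[:3]
    fields = der_children(cert_der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                # skip the explicit [0] version wrapper
        fields = fields[1:]
    inner_oid, outer_oid = alg_oid(cert_der, fields[1]), alg_oid(cert_der, outer)
    if inner_oid != outer_oid:
        raise ValueError("signature algorithm mismatch: %s / %s" % (inner_oid, outer_oid))
    return SIG_ALG_OIDS.get(outer_oid, "unknown:" + outer_oid)

def digest_supported(name):
    # True if the linked crypto library can compute this digest at all
    return name in hashlib.algorithms_available
```

Reading the algorithm out of the certificate rather than assuming SHA-1, and refusing to proceed when the two fields disagree or the digest is unavailable, gives a clear error instead of a generic "damaged" failure.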
Comments
Yet another reason why many devs don't trust the Mac App Store, which, frankly, is a bit of a joke.
Apple collected five billion dollars in App Store revenue last quarter alone. Some joke.
The iOS App Store is not the Mac App Store. And most major Mac app developers aren't in the MAS.
But both stores have the same issues; no trials, no paid upgrades, discovery problems galore. So there's that.
This is not purely Apple's fault. For example I have a lot of games bought from the Mac App Store and I noted that all the games from Feral Interactive were fine and all the ones from Aspyr Media fell down.
The reason being that developers write their own code to check their receipts, not Apple. And when Apple changed from a SHA1 hash to a SHA2 one, some of these developers' code fell down. And if they were using OpenSSL (which is what Apple's example code suggests) this would only have happened if they were using a version earlier than 0.9.8o from 2010!
With the number of vulnerabilities discovered in OpenSSL since 2010, shame on any developer still linking against it. So basically any of your apps that broke, you know the developer has not been keeping their 3rd party libs up to date. The other possibility is that they were not reading the field of the cert that says what the hashing alg. is, and were simply assuming it was SHA1, which would also be bad coding practice.
Apple should have stuck to their guns and insisted that everyone upgrade to SHA2 and resubmit their apps, for the good of the platform overall.
Here’s most of the explanation for why developers eschew the Mac App Store, presented fairly concisely. The platform isn’t as ubiquitous as their phones and developers are lazy (or frightened) and refuse to update (or don’t want to lose userbase) their code.
Tiny bit angry that I had to give money to Adobe and that I wasted a fair sized chunk of my limited broadband allowance redownloading Photoshop Elements 9, as recommended by Apple, just to receive the error.
Not Apple's fault that you have an insanely small broadband allowance, that downloading a single small application like Photoshop Elements uses a "fair chunk" of it. Maybe, I don't know, switch to a reasonable plan?
The exact same thing happened to me. I contacted Adobe and they said they would send a new SN to me in a week so I downloaded PSE 14 trial version in the meantime.
Now that Apple fixed the problem I can download PSE 9 from Adobe.
Clearly you are not understanding the crux of my complaint. If a restart and redownloading PSE9 had worked, it wouldn't have been a waste of data, however, it was.
Having to download PSE14 was also a waste of data and money.
As for your Sherlock style deduction that I should get a better broadband package, well done for knowing the full situation before commenting.
In the US, they believe it's everyone's right to own a gun and have super fast unlimited broadband, however, it's not anyone's right to free healthcare.
In the UK we have it the other way around. Not everyone has decent broadband but on the flip side, we have very low gun related death and we don't get stung for thousands when we get ill. I know which one I'd prefer. I live in the heart of the countryside, surrounded by farms and greenery, nice and peaceful. For me to have an unlimited broadband package I'd have to use the original phone line that was installed in the house over 60 years ago. Do you think you could live with 3mb download speeds?
So I have to use a 4G dongle and tether to it. The highest data allowance for these packages is 50Gb but then I do get a usable speed around 18mb.
What would you do? Unlimited and unusably slow or limited and useable? I can't magic up a broadband package that doesn't exist.
Unfortunately I was one of the first people to have the problem. I had closed PSE9 only 20 minutes before and then it refused to open. There were no reports of this error online so I had no idea what the issue was. At no point did I think that it was Apple's fault and that the error would fix itself so I didn't think it was worth a short trial run.
I'm glad it is sorted now though. I have gone back to using PSE9 as I don't like the layout and the usability of PSE14. It has a load of stuff I really don't need.
Seems like OS X also needs to return a different error than "The app is damaged", which is rather misleading. Stating "A certificate has expired" would be a more appropriate error message.