Apple-issued developer certificate expires, causing crashes in 1Password and other apps
The expiration of an Apple-issued security certificate, combined with a change made by Apple, is causing some apps purchased outside the app store, like 1Password, PDFpen, and Soulver for Mac, to require reinstallation with a new version before coming back to life -- but the issue may have lasting consequences for some software.
Over the weekend, a certificate issued by Apple required to access iCloud services expired, as expected. However, the expiration, coupled with a change in how Apple handles a lookup of which apps are allowed to perform certain functions, called "entitlements," had unforeseen side effects.
As a result, users of 1Password, PDFpen, and Soulver, amongst others, discovered that the apps relying on the certificate were crashing on launch. Apple's change in handling the lookup meant that simply renewing the certificate wasn't sufficient to restore functionality.
"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version," said the 1Password developers in a blog post. "Apparently that's not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly."
A combination of factors led to 1Password not launching after simply updating the certificate, as the installer didn't recognize the new certificate as valid.
The "crash" turned out to be a feature of macOS in PDFpen's case. According to TidBITS, the "taskgated-helper" system app examines a code signing certificate and compares it to the "entitlements" list. Should the provisioning profile be linked to an expired certificate, macOS blocks the app with the expired certificate from launching.
Soulver, PDFpen, and 1Password have been updated by the developers to rectify the problem, and all users need to do is download an updated version and install it. However, other apps not updated as frequently, or abandoned by developers, may stop working with no recourse by users to get them to start working again.
Apps sold through the Mac App Store are signed by Apple, and not by the developer. Because of that, only apps sold outside the app store that need "entitlements" are impacted by the problem.
While this issue is limited to apps purchased outside the Mac App Store, Apple has had its own problem with certificate expiration and unforeseen consequences. In Nov. 2015, an upgrade to SHA-2 certificate encryption caused issues in conjunction with a Mac App Store issue that stored outdated certificate information on user Macs, which rendered many apps non-functional.
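The launch block described above depends on dates that can be checked ahead of time. The following is an added example, not code from Apple, TidBITS or any of the developers named here: it reads the property list inside a provisioning profile (the output of decoding an app's `embedded.provisionprofile` with `security cms -D`) and reports how long the profile has left and which entitlements it grants. The sample plist, its names and its dates are constructed, and the profile's `ExpirationDate` key is assumed to be the expiry signal; the signing certificate's own validity dates are not parsed.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed sample: the plist payload of a provisioning profile after CMS
# decoding. Every name, identifier and date below is made up for illustration.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example App Developer ID Profile</string>
  <key>ExpirationDate</key><date>2030-06-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.application-identifier</key>
    <string>ABCDE12345.com.example.app</string>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array><string>iCloud.com.example.app</string></array>
  </dict>
</dict>
</plist>"""


def audit_profile(plist_bytes, now, warn_days=30):
    """Classify a decoded profile as expired, expiring, ok or unknown.

    `now` is a naive UTC datetime, matching what plistlib returns for <date>.
    """
    profile = plistlib.loads(plist_bytes)
    name = profile.get("Name")
    # Entitlements granted through this profile, e.g. iCloud container access.
    entitlements = sorted(profile.get("Entitlements", {}))
    expires = profile.get("ExpirationDate")
    if not isinstance(expires, datetime):
        # No usable date: report it rather than assume the profile is fine.
        return {"name": name, "status": "unknown",
                "days_left": None, "entitlements": entitlements}
    remaining = expires - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    return {"name": name, "status": status,
            "days_left": remaining.days, "entitlements": entitlements}


if __name__ == "__main__":
    for day in (datetime(2030, 1, 1), datetime(2030, 5, 15), datetime(2030, 6, 2)):
        print(day.date(), audit_profile(SAMPLE_PROFILE, now=day))
```

Run across the apps installed outside the Mac App Store, a report like this shows which ones carry a profile close to its end date while there is still time to look for an updated build.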
Comments
Fan Boyz? What are you, a 12 year old troll?
Thousands upon thousands of developers don't seem to have this problem. It's absolutely their fault.
These particular applications were included as examples, not the only apps having problems. In these cases, the developers were very active in creating a solution to a problem caused by Apple.
What, you don't think that's an appropriate term for someone who absolutely ignores or excuses any problem caused by the entity they're a fan of, even when the problem is serious and obviously that entity's fault?
An expired dev cert should stop new versions launching (newly compiled with the old cert, that is) but that's it.
Otherwise apps would stop working daily.
https://www.macintouch.com/forums/showthread.php?tid=1032&pid=15507#pid15507
The short version is that Apple added a feature requiring code signing for non-Apple Store applications to access certain features, such as access to iCloud. (Generally a good thing.) But they treated expired certificates exactly like revoked certificates, which is a bad thing.
The argument was prior to using the term. I used it to demonstrate my contempt for those who place the blame where it clearly does not belong.
Grow up.
Grow up.
Seriously, how do some of you get dressed in the morning?