Expired DeveloperID Certificate leads macOS Apps to crash on launch?

Have you read the news over the weekend?
iPhone Hacks: Expired Apple Developer Certificates Led Many Popular Mac Apps To Crash on Launch (English)
MacTechNews: macOS: Some third-party apps disabled by expired certificates (German; original title: "macOS: Einige Dritthersteller-Apps durch abgelaufene Zertifikate lahmgelegt")

1Password (downloaded from their website, not via MAS) could no longer be launched on Saturday.
The reason seems to be that their DeveloperID certificate had expired that Saturday.
However, the app had been built before that date, so customers could use it, but only until the certificate's expiration date… Out of the blue, customers can no longer launch an app they’ve been using before.

What’s worrying me most: Google-translated from the German MacTechNews:

A DeveloperID certificate is valid for 5 years. 1Password obviously ordered theirs in February 2012 (valid until Feb 2017).
Many of us have done the same - got their DeveloperID certificate in 2012 or 2013.
Have you renewed meanwhile? Probably not, just as 1Password didn’t.

Does this really mean:

  • DeveloperID certificate from Mar 2012 (until Mar 2017)
  • App built and signed in Feb 2017 (with that certificate)
  • customers can use it only until Mar 2017? Then macOS Sierra will “shut down” that app?

Here’s how to read the certificate:

codesign --display --extract-certificate /path-to/myApp.app -> will output the certs to the current working directory -> rename "codesign0" to "codesign.cer" -> select it, press <space> (to open it in Spotlight)

Let’s do it with Xojo 2016r4.1:

codesign --display --extract-certificate /Applications/Xojo/Xojo\ 2016\ Release\ 4.1/Xojo\ 2016r4.1.app

DeveloperID Application: Xojo, Incorporated (valid until Nov 5th 2018, 21:09 MEZ)

  • we’re happily using that version now
  • but does this mean we can only launch Xojo 2016r4.1 until Nov 5th 2018?

Sure, there are/will be workarounds. But think of it as an average user of your “codesigned (not MAS) 3rd party” app…

Am I interpreting the news correctly? A codesigned macOS app (downloaded outside MAS) can only last 5 years max (assuming the developer has just renewed the DeveloperID certificate right before signing)?

If yes, then we better have a look at when our certs will expire… and renew rather sooner than later.
Otherwise you may produce/sign an app “today” which will last for only a month or two (if the DeveloperID certificate expires in 1-2 months).

I still hope I’ve read this wrong… So thanks to any input on what’s going on here, and what we need to watch out for regarding those “Developer ID certificates” (and their expiration date).

https://blog.agilebits.com/2017/02/19/1password-for-mac-6-5-5-manual-update-required/

However, I am able to launch the expired certificate version on Mac 10.11.6 so I wonder if it’s a Sierra thing?

Then why is it my certs expire at the same time my $99 Dev subscription expires (i.e. once a year)?
I too had heard they were good for 5 years… but they should not deactivate an app if the cert the app was signed with was in effect when the app went to the AppStore… Otherwise 5 years (1 year) after the developer gets hit by a bus, all his/her customers are “frelled” (Farscape reference :slight_smile: )

This is news to me. I have had apps in the MAS since 2013 and never heard any such reports.

This affects certificates that expire five years after they were issued. This probably won’t affect anything in the store because they pull your apps when your developer account expires, which is four years before your certificate expires.

@Michel Bujardet : This does NOT apply to Apps distributed via (Mac) App Store
@Tim Parnell : Yes, it seems this is a “feature change” in macOS Sierra
Again: these two answers are just based on what I’ve read in the news.

@Dave S : The (Mac) App Store Certs last 1 year (and/or until the Dev subscription expires).
This is all about Apps we’re codesigning ourselves (with the “DeveloperID certificate”) and distributing on our own (e.g. our own webservers).
One example is the Xojo.app from Xojo Inc. :wink:

I have a Developer ID app and my certificate expires in June 2017. I just set my clock ahead to 20 August 2017 and launched the app, and it launched normally.

(note: if you do this test, expect all sorts of other things to go haywire, since certificates for iCloud, HTTPS websites, etc. will fail to validate if the new date is beyond their expiration date. I recommend quitting all other apps before changing your clock).

Then this is counter to the report: none of the IDEs has been in trouble for me, under Sierra 10.12.4.

Yes, right (now) - at least not until Nov 6th 2018.
Their IDEs are codesigned with their DeveloperID which expires in Nov. 2018:
DeveloperID Application: Xojo, Incorporated (valid until Nov 5th 2018, 21:09 MEZ)
The question is: what happens then (in Dec. 2018)?
I still hope: nothing, as Michael tried to simulate (assuming that simulation is “valid” - I don’t know if the validation gets the “official date” from Apple’s servers or from the “local machine”).

Apple states that apps signed with a valid certificate will continue to function. An expired certificate means that no new apps can be signed with that certificate. This is much ado about nothing.

[quote=316980:@Roger Clary]Apple states that apps signed with a valid certificate will continue to function. An expired certificate means that no new apps can be signed with that certificate. This is much ado about nothing.[/quote]

That’s the only sensible way for this to be designed, and what all us developers are relying on, but doesn’t explain these headlines. Confusing.

As a former journalist, I am always suspicious about reports that very visibly have not been confirmed. From what it seems, the iPhone Hacks article has been echoed with little and probably no verification. The iPhone Hacks article makes no mention of confirmation by any other source than the publishers. It is not impossible, but the report cites a couple of apps, among the possibly millions of apps out there. Could that not be the result of a badly signed app, rather than a problem on Apple’s side?

Would that not be a clever plot from the 1Password and PDFPen publishers to gain tons of free coverage?

Michel… are you inferring that there might be “alternative facts” at play here? :slight_smile:

Newspeak?

Back when one of Apple’s core certs expired I suddenly experienced a whole bunch of apps simply not launching on my El Cap machine. Sadly that included third-party apps which I’ve been enjoying for years but which are no longer maintained.

There are no alternative facts here. The current version of 1Password didn’t launch on one of my computers. I was busy yesterday and didn’t install the update.

OK. So 1Password stopped working. But in the meantime, millions of apps remained perfectly functional…

Could it be something like SHA256?

https://www.macrumors.com/2017/02/20/mac-apps-fail-launch-expired-apple-certificates/

It appears the crash occurs when using iCloud, for which you also need a provisioning profile.

Thanks @Sam Rowlands , that MacRumors article explains it quite well.

[quote]In the past, the expiration of a code signing certificate had no effect on already shipped software, but that changed last year, when Apple began requiring apps to carry something called a provisioning profile.
A provisioning profile tells macOS that the app has been checked by Apple against an online database and is allowed to perform certain system actions or “entitlements”. However, the profile is also signed using the developer’s code signing certificate, and when the certificate expires, the provisioning profile becomes invalid.[/quote]

@Roger Clary :

…this seems correct if we add: as long as the app doesn’t use an “Entitlement” or “provisioning profile” (e.g. to use iCloud).

It isn’t… but it seems that not many Xojo developers will be affected, as not many of us are CodeSigning using Entitlements to use iCloud. But those who are should be aware of this “fact”.
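To turn the thread's two findings into a repeatable check (read the expiry of the certificate that `codesign --extract-certificate` writes out, and see whether the bundle also carries a provisioning profile, which is what makes the expiry fatal), here is an added example script that is not from the thread, from Xojo or from Apple. The `Contents/embedded.provisionprofile` path, the `ExpirationDate` plist key and the use of `security cms -D` to unwrap the profile are my assumptions about macOS, not anything stated above; the two collection functions need a Mac, the parsing and classification functions run anywhere.

```python
"""Audit a Developer ID-signed macOS app for the certificate-expiry problem discussed in this thread."""
import plistlib
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def parse_openssl_enddate(line: str) -> datetime:
    """Parse `openssl x509 -noout -enddate` output such as 'notAfter=Nov  5 20:09:00 2018 GMT'."""
    value = line.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def launch_risk(cert_not_after: datetime, has_profile: bool, now: datetime) -> str:
    """Apply the thread's conclusion: an expired signing certificate alone does not stop an
    already-signed app from launching, but an expired certificate plus an embedded
    provisioning profile (e.g. for iCloud entitlements) does."""
    if now < cert_not_after:
        days = (cert_not_after - now).days
        note = " (provisioning profile present: launch will fail after expiry)" if has_profile else ""
        return f"ok: certificate valid for {days} more days{note}"
    if has_profile:
        return "fail: certificate expired and app carries a provisioning profile"
    return "ok: certificate expired but no provisioning profile, app still launches"


def leaf_cert_not_after(app: Path) -> datetime:
    """Extract the leaf certificate (written as 'codesign0', as in the thread) and read its expiry. macOS only."""
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run(["codesign", "--display", "--extract-certificate", str(app)],
                       cwd=tmp, check=True, capture_output=True)
        out = subprocess.run(["openssl", "x509", "-inform", "DER", "-in", f"{tmp}/codesign0",
                              "-noout", "-enddate"], check=True, capture_output=True, text=True)
    return parse_openssl_enddate(out.stdout)


def embedded_profile_expiry(app: Path):
    """Return the ExpirationDate of Contents/embedded.provisionprofile, or None if the app has none.
    The path and plist key are assumptions about the macOS profile format, not from the thread. macOS only."""
    profile = app / "Contents" / "embedded.provisionprofile"
    if not profile.is_file():
        return None
    # `security cms -D` strips the CMS signature wrapper and prints the XML plist inside.
    xml = subprocess.run(["security", "cms", "-D", "-i", str(profile)], check=True, capture_output=True).stdout
    return plistlib.loads(xml)["ExpirationDate"]
```

On a Mac, `launch_risk(leaf_cert_not_after(app), embedded_profile_expiry(app) is not None, datetime.now(timezone.utc))` gives the verdict for one bundle; a profile whose own `ExpirationDate` is earlier than the certificate's is the tighter deadline.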