Have you read the news over the weekend?
iPhone Hacks: Expired Apple Developer Certificates Led Many Popular Mac Apps To Crash on Launch (English)
MacTechNews: macOS: Some third-party apps paralyzed by expired certificates (German)
1Password (downloaded from their website, not via MAS) could no longer be launched on Saturday.
The reason seems to be that their DeveloperID certificate had expired that Saturday.
However, the app had been built before that date, so customers could use it. But only until the certificate's expiration date… Out of the blue, customers can no longer launch an app they’ve been using before.
What’s worrying me most: Google-translated from the German MacTechNews:
A DeveloperID certificate is valid for 5 years. 1Password obviously ordered theirs in February 2012 (valid until Feb 2017).
Many of us have done the same - got their DeveloperID certificate in 2012 or 2013.
Have you renewed in the meantime? Probably not, just as 1Password didn’t.
Does this really mean:
- DeveloperID certificate from Mar 2012 (until Mar 2017)
- App built and signed in Feb 2017 (with that certificate)
- customers can use it only until Mar 2017? Then macOS Sierra will “shut down” that app?
Here’s how to read the certificate:
codesign --display --extract-certificate /path-to/myApp.app
-> will output the certs to the current working directory
-> rename "codesign0" to "codesign.cer"
-> select it, press <space> (to open it in Spotlight)
Let’s do it with Xojo 2016r4.1:
codesign --display --extract-certificate /Applications/Xojo/Xojo\ 2016\ Release\ 4.1/Xojo\ 2016r4.1.app
DeveloperID Application: Xojo, Incorporated (valid until Nov 5th 2018, 21:09 MEZ)
- we’re happily using that version now
- but does this mean we can only launch Xojo 2016r4.1 until Nov 5th 2018?
Sure, there are/will be workarounds. But think of it as an average user of your “codesigned (not MAS) 3rd party” app…
Am I interpreting the news correctly? A codesigned macOS app (downloaded outside MAS) can only last 5 years max (assuming the developer has just renewed the DeveloperID certificate right before signing)?
If yes, then we better have a look at when our certs will expire… and renew rather sooner than later.
Otherwise you may produce/sign an app “today” which will last for only a month or two (if the DeveloperID certificate expires in 1-2 months).
I still hope I’ve read this wrong… So thanks for any input on what’s going on here, and what we need to watch out for regarding those “Developer ID certificates” (and their expiration date).
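
An added example, not part of the original post: a Python script that automates the manual certificate check described above and reports how many days remain on the leaf signing certificate of each app bundle passed on the command line. It assumes macOS with `codesign` and `openssl` on the PATH; the function names and the 90-day warning threshold are illustrative choices, and it reports the certificate's date only, not how macOS treats an app once that date has passed.

```python
import datetime as dt
import pathlib
import ssl
import subprocess
import sys
import tempfile

WARN_DAYS = 90  # assumed threshold; adjust to your release cadence


def days_left(enddate_line, now):
    """Whole days from `now` (aware UTC datetime) to an `openssl x509 -enddate` line."""
    stamp = enddate_line.strip().split("=", 1)[1]   # "Nov  5 20:09:00 2018 GMT"
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), dt.timezone.utc)
    return (expiry - now).days


def status(days, warn_days=WARN_DAYS):
    """Classify the remaining lifetime of the signing certificate."""
    if days < 0:
        return "EXPIRED"
    return "RENEW SOON" if days < warn_days else "OK"


def leaf_enddate(app_path):
    """Extract the leaf certificate of an app bundle and return its notAfter line."""
    app = str(pathlib.Path(app_path).resolve())
    with tempfile.TemporaryDirectory() as tmp:
        # codesign writes codesign0, codesign1, ... into the working directory;
        # index 0 is the leaf (the Developer ID Application certificate).
        subprocess.run(["codesign", "--display", "--extract-certificates", app],
                       cwd=tmp, check=True, capture_output=True)
        leaf = pathlib.Path(tmp) / "codesign0"
        out = subprocess.run(
            ["openssl", "x509", "-inform", "DER", "-in", str(leaf), "-noout", "-enddate"],
            check=True, capture_output=True, text=True)
        return out.stdout


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    for app in sys.argv[1:]:
        line = leaf_enddate(app)
        remaining = days_left(line, now)
        print(f"{status(remaining):10} {remaining:6d} days  {line.strip()}  {app}")
```

Run it as `python3 check_devid_expiry.py /Applications/SomeApp.app` (the script name is arbitrary); any bundle whose signing certificate is inside the threshold is flagged before the next build is signed with it.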