macoslib and new Mac App Store app signing certificate

I’m sure I’m not the only one who just received this email from Apple Developer:

[quote]Last week we updated the Mac App Store app signing certificate. This was a planned event and most users experienced no issues. However, some users experienced some issues during this change. We have corrected those issues, and wanted to share this update with you.

In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm.

Unfortunately, a caching issue with the Mac App Store meant that some users had to restart their systems and re-authenticate with the Mac App Store to clear a system cache of some outdated certificate information. We are addressing this caching issue in an upcoming OS X update.

Also, some apps are running receipt validation code using very old versions of OpenSSL that don’t support SHA-2. We addressed this by replacing the new SHA-2 certificate with a new SHA-1 certificate last Thursday night.

In addition to issuing the new certificate and addressing the Mac App Store caching issue, we have provided up-to-date troubleshooting information to the AppleCare support team.

Most of the issues are now resolved, though some apps may still experience receipt verification failure if their receipt checking code makes incorrect assumptions about the certificate. Please ensure your code adheres to the Receipt Validation Programming Guide and check that all receipt validation issues are resolved. If necessary, you may resubmit your app for expedited review in iTunes Connect. [/quote]

My question is: is the code for validating receipts in macoslib now obsolete, or does it still work? Sorry I can’t tell from this unusual rambling message from Apple.


From what I understood, it should still work… It seems that they changed something on their end, which broke oh so many apps and now they’ve switched it back… But the damage may already be done.

This morning I also received this note from Apple and someone complaining that my app is now broken…