Lapsed Apple certificate triggers massive Mac app fiasco
13 November 2015
A lapsed Apple digital certificate triggered a massive app fiasco that prevented Mac users from running software they’d purchased from the Mac App Store.
“Whenever you download an app from the Mac App Store, the app provides a cryptographically-signed receipt,” explained Paul Haddad, a co-founder of Tapbots, the company behind the popular Tweetbot Twitter client, in an e-mail. “These receipts are signed with various certificates with different expiration dates. One of those is the ‘Mac App Store Receipt Signing;’ that expires every two years. That certificate expired on ‘Nov 11 21:58:01 2015 GMT,’ which caused most existing App Store receipts to no longer be considered valid.”
The result: Bedlam.
Until Apple replaced the expired certificate, users who booted up their Macs were unable to launch apps they had bought through the Mac App Store, the OS X version of the iPhone’s distribution portal.
But even after Apple replaced the outdated certificate, many apps still refused to run or threw off scary error messages, including one that said the app was ‘damaged and can’t be opened,’ and others that said the app was already being used on another Mac, when it was, in fact, not.
Most users were forced to delete the dysfunctional apps, then download and reinstall them from the Mac App Store to restore them to working order.
The problem impacted most if not all paid apps bought through the Mac App Store; the bulk of paid apps regularly check with Apple’s servers to make sure that a receipt exists for the purchase before running. “I’m guessing most paid Mac App Store apps will do this. Free ones may not bother,” said Haddad, when explaining why some users haven’t been affected.
Haddad also said that some underlying problems remained in Apple’s e-store infrastructure. “Apple is now creating receipts which will expire in 2017, [but] for some reason some part of the Store infrastructure on [OS X] is either not requesting these new receipts until after a reboot or not properly validating them [emphasis added]. Either way, there’s still a bug somewhere in OS X.”
As Haddad mentioned, the certificates Apple uses have a two-year lifespan. In fact, the problem cropped up two years ago and will likely reoccur in 2017.
Haddad’s advice for afflicted Mac users was to first reboot their machine before doing the delete-reinstall dance. “After a reboot OS X will grab a new receipt and that likely requires at least one log-in to your iTunes account,” he said.
Apple did not immediately issue a comment.
IDG News Service