
Mac Store Apps Stopped Working Due to Expired Security Certificate - jonas21
http://techcrunch.com/2015/11/12/all-mac-store-apps-stopped-working-due-to-expired-security-certificate/#.y37x7x:xhzD
======
dak1
The story has been updated with the following:

"Apple issued a new, stronger (SHA-2) Mac App Store certificate in September,
before the older (SHA-1) one expired, as planned. The new Mac App Store
certificate was using the current, strong SHA-2 algorithm. However, some apps
were running receipt validation code using very old versions of OpenSSL that
don’t support SHA-2.

OpenSSL started supporting SHA-2 in 2005, which is why Apple didn’t foresee
this issue."

~~~
lambada
This needs to be upvoted, and the title changed. Turns out it was due to
developers using incredibly old security code. Rather than an expired
certificate.

~~~
whatever_dude
Yup, this changes my own point of view from "Gee Apple what a blunder" to
"Some developers can be really dumb".

~~~
blinkingled
You'd be right if the developers were distributing their apps on their own -
once Apple has put up a service in the form of the App Store and are taking a
30% cut out of every sale, it's their responsibility to keep it running. If
that means detecting that many apps use incompatible OpenSSL and communicating
with the developers to address that issue before rolling out SHA-2 cert, so be
it - all competent services companies do things like these all the time.

It's not as if there wasn't a way for Apple to detect this (if there wasn't
then again it's their own fault) and it wasn't as if they couldn't have
renewed with another SHA-1 cert for a few months until they figured out how to
roll out SHA-2 one without causing a lot of people a lot of trouble.

~~~
tinalumfoil
> It's not as if there wasn't a way for Apple to detect this

Assuming developers were statically linking the old OpenSSH versions, how
would Apple detect this? Are developers forced to reveal source code before
submitting to Apple? Do OS X executables have some format to specify what
libraries they're using?

I don't develop for OSX so I'm genuinely curious.

~~~
JoachimSchipper
Apple is able to scan iOS code for e.g. use of nonpublic API's; certainly they
can grep a binary for a recognizable chunk of OpenSSL code, too.

(Neither the iOS scans nor the OpenSSL scan will catch _everything_, of
course.)

~~~
joosters
A recognizable chunk of OpenSSL code? It could be any statically linked and
custom-compiled version, that's millions of possible versions, once you take
into account compile options, optimisation levels and linking techniques. Good
luck grepping for it! Even if the version number is in there somewhere,
there's probably all kinds of false positives that you would hit. Plus, it
could be due to other SSL libraries, not just OpenSSL.

In short, there's no realistic way to do what you are asking.

~~~
lstamour
I disagree. Finding recognizable chunks of code is what antivirus software
does every day. And while they're not perfect, the OpenSSL code in question
here isn't exactly trying to hide, unlike viruses in real life. This was
obviously an oversight, but I would expect that after this, they run
occasional tests of the app verification process across all apps, and not just
verify the apps themselves don't crash.

In fact, they must be doing this kind of thing right now -- how else could
they contact all the affected developers?

------
SyneRyder
The article makes it sound like this is now resolved, but it isn't.

One of my Macs is stuck on Snow Leopard. On Lion & El Capitan, I sign in to
the App Store again and it's resolved. But on Snow Leopard, it doesn't display
the sign-in error like 10.7 - 10.11 do. It just complains and tells you to
redownload the apps from the App Store.

But I can't. Apple doesn't let you download old versions from the Mac App
Store. Byword 1.5.2 is the last version that works on 10.6, the current 2.x
version requires 10.8. Similarly with Tweetbot, Mémoires, Space Gremlin, etc.
Unless Apple magically allows old downloads, I don't think this can be fixed
without Apple patching Snow Leopard. I'm not going to hold my breath.

It really seems like Apple has permanently broken my purchased apps.

~~~
jakobegger
Are you really sure about that? I thought that the App Store lets you download
the latest version of apps you purchased that are supported on your OS from
the "purchased" tab.

~~~
SyneRyder
Afraid not. When I click on the Install button in the Purchased tab for those
apps it tells me "[App name] can't be installed on this computer, because a
64-bit Intel processor is required" or "[App Name] can't be installed on
Macintosh HD, because Mac OS X version 10.7 or later is required."

(Thank you for trying to help, though!)

------
makecheck
I think "grace periods" should be a lot more common in software. Not every
issue is the user's problem, and not every problem requires a drastic
response.

For instance, they could have:

- Quietly noted the issue in a file somewhere, waited 24 hours, and checked
again.

- If the problem was still present after 24 hours, they could have made the
software discreetly submit a problem report to Apple (but still launch and
work correctly).

- After 48 hours, they could issue a background notification to the user
indicating that a problem has been detected in the program and to “please
check for updates on the App Store”; but again, continue to work correctly.

Or in other words, there were only about a half dozen more reasonable things
they could have done that didn't involve an Amazonian break-things-immediately
type of response.

~~~
cortesoft
But if a program keeps running with an invalid security certificate, what is
the point of having the certificate at all? If the practice is 'let the
program with an invalid cert run silently for 2 days', then you aren't gaining
any security at all. Malware could do everything it needs in 48 hours.

~~~
wtallis
There's minimal security risk in allowing a formerly-validated piece of
software to remain usable so long as it is not modified by any updates that
cannot be verified by a current certificate.

Being this strict at the cost of usability isn't about security, it's about
DRM and making sure you don't get to keep using your software after the
subscription has expired.

~~~
joosters
But these apps aren't paid for by subscription.

~~~
Joeri
Every app store purchase is a subscription. If it were a purchase, you could
resell. As you can't, it's clearly a rental model with payment up-front. Apple
decides when they pull the plug on your 'purchase'. The same thing applies to
google play, windows store, steam, etc... The era of buying software is
drawing to a close. From here on out it's rental only, unless you follow the
advice of rms and use libre software exclusively.

------
valine
I guess it's a good thing hardly anyone uses the Mac App Store.

~~~
toyg
I'm "hardly anyone". Despite some misgivings on security policies, it's
extremely convenient to have a "Steam for apps". At the end of the day,
homebrew is the same thing, except it uses the command line and it doesn't
remunerate developers.

I have an issue with the concept of MAS as a monopoly (the same I've had with
Windows Update), but MAS as a tool is undoubtedly a good thing.

~~~
valine
Oh I wasn't questioning the value of the Mac App Store. As a tool for
installing free apps it's fantastic. However as a developer if you want to
make money off of an application the Mac App Store is all but useless. Even if
your app makes it into the top charts your profits will be almost
nonexistent. The user base for the store is simply far too small.

Source: [http://www.macrumors.com/2015/05/07/redacted-mac-app-profits/](http://www.macrumors.com/2015/05/07/redacted-mac-app-profits/)

~~~
mangeletti
Wow, that's terrible. It's really too bad, because the idea of being able to
just browse for cool apps is very appealing to me. I use the Mac App Store. I
bought Pixelmator, Relax Melodies (2 versions), and a few other apps this way.
Pixelmator was the only one that I would have bought anyway, so the App Store
is definitely a way to earn extra revenue, if Apple could fix whatever it is
that's keeping people from using it (perhaps just awareness?).

~~~
SyneRyder
Developers are actively leaving the App Store - Panic pulled their popular
Coda web development app & recommended customers switch to the version from
their own site. The sandboxing requirements of the App Store made many of
Coda's features impossible to implement in the App Store, plus Apple had to
approve all updates & took a 30% cut (compared to about 2.6% for a direct
credit card transaction).

They say after they left the App Store, their revenue went _up_ 44%:

[https://www.panic.com/blog/the-2014-panic-report/](https://www.panic.com/blog/the-2014-panic-report/)

"I was pretty nervous to be pulling Coda from the Mac App Store. But when we
finally did it, I felt an incredible, almost indescribable sense of relief —
mostly because as we began to wrap up bug fix releases, we were able to
immediately post them to our customers within minutes of qualifying them. My
god. That’s how it should be. There’s just no other way to put it — that’s how
you treat your customers well, by reacting quickly and having total control
over your destiny. To not be beholden to someone else to do our job feels just
fantastic. (Also to not pay someone 30% in exchange for frequent stress is a
fine deal.)"

~~~
hisyam
But Coda is already popular among Mac developers. We can't say the same about
less popular apps though.

------
0xCMP
Oh wow, is that what that was. I had upgraded recently to 10.11 and thought
that caused everything. Thankfully, it solved itself a little while after.

So as someone who didn't really know what was going on: It didn't really
affect me too much, most apps seemed to still work partially (1Password,
etc.). Still it didn't seem annoying because I thought it was the upgrade
process.

------
jlarocco
I keep feeling better about dumping OSX on my iMac. If I didn't need to edit
photos, I'd get rid of it on my MBP, too. Debian is faster on the same
hardware, and I don't have issues like this.

I still love Apple hardware, but they keep screwing up the software side of
things on both OSX and iOS.

~~~
SyneRyder
I realise people are downvoting you for snark, but you make a good point. I
have an old 2007 MacBook stuck on Snow Leopard & no longer getting updates
from Apple (and now a bunch of software broken by this App Store bug) - but I
also have Windows 10 installed on a second partition via Boot Camp, and it
runs really well. Microsoft will apparently keep supporting the machine with
security updates through 2025.

Installing a different OS (like Windows 10, or Debian) can be a great way to
give older hardware new life & continued productive use.

------
Kristine1975
Can you work around it by right-clicking[1] on the application and selecting
"open" from the context menu? In some situations that helps with applications
OS X deems "insecure."

[1] Yes, Macs support mice with more than a single button now ;-)

~~~
arm
Macs have had support for mice with more than a single button since at least
Mac OS 9 (released in 1999).

~~~
TazeTSchnitzel
OS 9? Was it added so PC USB mice would work on the iMac?

~~~
arm
From what I can see from this thread¹, it would seem so:

“_The last versions of OS 9 were pretty good about right mouse button
support. Most mice should work fine._”

I would test it myself on my iMac G3 (Summer 2001), but unfortunately, I
already upgraded it to Mac OS X v10.4.11 Tiger, and it’s getting active use,
so I can’t exactly go downgrading it at the moment.

――――――

¹ —
[https://discussions.apple.com/thread/1824021](https://discussions.apple.com/thread/1824021)

------
jacquesm
Score one for centralization I guess.

------
escobar
This happened to me a number of times over the last few days. The first time
it happened I shrugged and rebooted the computer. When it came back up, it
asked me to authenticate with the MAS and those few apps worked. Then, later
that night, the same issue happened with a different app. I actually
uninstalled and reinstalled the app and that worked.

Hopefully they've actually fixed this now but I was pretty confused about what
could be going on. The only other time I've gotten messages like that is when
I'm opening an unsigned application Apple doesn't think is good, and the
Security settings say to only allow trusted software.

~~~
eridius
There seems to be a bug in the system where sometimes it reports an app as
damaged when it's perfectly capable of downloading a new receipt (this is why
a reboot works, because the bug seems to only crop up after some period of
usage). When I bought a new iMac and transferred all my stuff from my old
computer, I had this exact same issue, all of my MAS apps were reported as
damaged. After reinstalling one, I tried rebooting, and that worked; got a
password prompt for the next MAS app, and the rest just worked fine at that
point.

Hopefully they're aware of what's causing this bug and will fix it in an OS
update.

Of course, when the certificate is actually expired, and they haven't replaced
it yet, then the "damaged" dialog is reasonable, because the system cannot get
a valid replacement receipt. But once they replaced it, OS X should have just
started working again. In fact, I'm going to go file a radar right now.

------
mdlowman
The company I work for is in the process of migrating off of SHA-1 certs, and
the amount of due diligence that has to go into this sort of an upgrade is
incredible.

It involves analyzing full logs of all supported client enctypes and tracking
down the full set of "flavors" of clients that only do SHA-1.

At the end of the day, you're going to break people, and it's all about
minimizing how many people that is. Imagine the situation with hardware
devices in the field from ten or so years ago. You can't update them and their
software rev only supports SHA-1. What do you do?

(You break them.)

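One way to do the client-flavor analysis described above, as an added example that is not code from the thread (the log format, client names and signature-algorithm labels are constructed for illustration):

```python
import re
from collections import defaultdict

# Constructed sample handshake log lines (not from any real system). Each line
# records the client identifier and the signature algorithms it advertised.
SAMPLE_LOG = """\
2015-11-10T08:01:02Z client=LegacyAgent/1.2 sigalgs=rsa_sha1
2015-11-10T08:01:05Z client=ModernAgent/4.0 sigalgs=rsa_sha256,rsa_sha1
2015-11-10T08:02:11Z client=LegacyAgent/1.2 sigalgs=rsa_sha1
2015-11-10T08:03:40Z client=FieldDevice/fw2006 sigalgs=rsa_sha1,rsa_md5
2015-11-10T08:04:00Z client=ModernAgent/4.1 sigalgs=ecdsa_sha256,rsa_sha256
2015-11-10T08:05:17Z client=FieldDevice/fw2006 sigalgs=rsa_sha1
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+sigalgs=(?P<algs>\S+)")

# A client that advertises any of these can verify a SHA-2 signed certificate.
SHA2_SUFFIXES = ("sha256", "sha384", "sha512")


def parse_log(text):
    """Return {client flavor: set of signature algorithms it ever advertised}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not record a handshake
        seen[m.group("client")].update(m.group("algs").split(","))
    return seen


def sha1_only_clients(seen):
    """Client flavors that never advertised SHA-2: these break on migration."""
    return sorted(client for client, algs in seen.items()
                  if not any(alg.endswith(SHA2_SUFFIXES) for alg in algs))


def migration_report(text):
    """Summarise who the SHA-1 to SHA-2 switch would break, and how much traffic."""
    seen = parse_log(text)
    legacy = set(sha1_only_clients(seen))
    total = affected = 0
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        total += 1
        if m.group("client") in legacy:
            affected += 1
    return {"legacy_clients": sorted(legacy),
            "affected_handshakes": affected,
            "total_handshakes": total}


if __name__ == "__main__":
    print(migration_report(SAMPLE_LOG))
```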
------
eridal
Curious about how the user launches the App Store if any App Store app
cannot be launched?

Isn't then the app store validated with the same method?

~~~
ceejayoz
I suspect the App Store comes with the OS, not from the MAS. Same situation as
Messages, Calendar, Safari, etc.

~~~
mikeash
Indeed. If you got the App Store from the App Store, that would be a bit of a
catch-22.

The expired certificate was part of the receipt that gets generated for an App
Store app to indicate that you have the right to use that app on your
computer. Stuff that ships with the system doesn't need this and so doesn't
have receipts.

------
jackjeff
> Apple quickly addressed the problem by issuing a new certificate with an
> expiration date of 2035

2035?

> The new Mac App Store certificate was using the current, strong SHA-2
> algorithm. However, some apps were running receipt validation code using very
> old versions of OpenSSL that don’t support SHA-2.

I sure hope it's not a SHA-1 expiring in 2035...

~~~
mdlowman
There's no problem with that. Assume the key material isn't compromised, since
you have to assume that.

You imply that Apple is going to keep using the cert until 2035. I can assure
you they won't.

~~~
profmonocle
> Assume the key material isn't compromised, since you have to assume that.

The nice thing about root certs is the private key is only needed to sign
intermediate certs and CRLs. This means they can be kept offline in a secure
location, and only accessed once every few months or so to sign new
intermediate certs or CRLs. The actual crypto typically happens in a special
locked-down piece of hardware, so that the actual private key never touches
the memory or disk of the computer being used.

The whole process is called a "key ceremony" and follows strict procedures,
with technical staff and outside auditors watching every step.

As far as I know, no CA has _ever_ had its root key compromised. It would
require physically breaking into a secure facility, or factoring of public
key. Considering there's much lower-hanging fruit for anyone attempting to
attack PKI, I'm not too concerned with a 20 year root cert lifetime. (Like you
say, they could just remove it from future versions of OSX before then!)

------
toyg
I've seen this happen with Yoink! on my machine, I assumed it was a bad update
and just kept going... after 24 hours without Yoink, I was so annoyed that I
deleted it and redownloaded it, and after a couple of failures starting
eventually it worked. Glad to see developers are not at fault!

------
nsxwolf
Kind of surprised nobody thought to look at the certificate before and
predicted this would happen.

~~~
cjensen
Craig Hockenberry noted the problems with cert caching two years ago[1].

[1] [http://furbo.org/2013/10/21/mac-app-store-receipts-and-mavericks/](http://furbo.org/2013/10/21/mac-app-store-receipts-and-mavericks/)

------
bruinfish
Just checked the _MASReceipt/receipt of some apps I downloaded from the App Store.
The NotAfter field of the receipt certificate is still Nov 11, 2015. Wonder
how OS X still allows me to run the app... Any ideas?

------
privacy101
Nobody is perfect at creating software (and probably not perfect at creating
hardware either for that matter).

------
draw_down
Everything about this tells you what Apple really thinks about 3rd party devs.
Just shameful.

------
tarellel
I'm sure someone probably lost their job because of this.

------
a3voices
As anyone who's released an app knows, the real problem is Apple's excessively
bureaucratic certificate and provisioning processes.

------
nfriedly
Must be fixed already. I just launched pixelmator (the only app I've purchased
through the mac app store) and it started up without a hitch.

------
swiley
git, tar, make, and gcc (or clang/llvm) probably still work.

~~~
CJefferson
Actually no they didn't if you had recently upgraded xcode, because you have
to agree to the xcode terms and conditions to use them.

~~~
arm
Based on the update to the article that dak1 mentioned¹, I’d say that’s
actually incorrect:

“_Apple issued a new, stronger (SHA-2) Mac App Store certificate in
September, before the older (SHA-1) one expired, as planned. The new Mac App
Store certificate was using the current, strong SHA-2 algorithm. However, some
apps were running receipt validation code using very old versions of OpenSSL
that don’t support SHA-2. OpenSSL started supporting SHA-2 in 2005, which is
why Apple didn’t foresee this issue._”

Since I seriously doubt any of Apple's apps would be using the older SHA-1
certificate, this probably only affected third-party apps.

――――――

¹ —
[https://news.ycombinator.com/item?id=10561748](https://news.ycombinator.com/item?id=10561748)

