
Apple developer intermediate certificates are expiring Feb 14, 2016 - gdeglin
https://developer.apple.com/support/certificates/expiration/index.html
======
peterburkimsher
"Mac App Store customers running OS X Snow Leopard (v10.6.8) will be unable to
purchase new apps or run previously purchased apps that utilize receipt
validation until they install the OS X Snow Leopard update which will be
available via OS X Software Update this January."

Note that Mac OS 10.6.8 is the most recent OS version for the Intel Core Duo
Macs. Those are the first MacBook (early 2006), the first 2 MacBook Pros
(January 2006, May 2006), two Mac Minis (February 2006, September 2006), and
two iMacs (January 2006, July 2006).

It also affects people who keep Snow Leopard 10.6.8 for sentimental reasons.
Apparently 1 in 5 Macs use Snow Leopard. Not being able to receive new app
updates could be troublesome.

[http://www.computerworld.com/article/2487996/malware-
vulnera...](http://www.computerworld.com/article/2487996/malware-
vulnerabilities/apple-retires-snow-leopard-from-support--leaves-1-in-5-macs-
vulnerable-to-at.html)

~~~
fit2rule
I've got an old Powerbook running 10.6.8 .. I won't upgrade, but instead will
just install Linux on it. Its no longer worth the hassle of keeping up with
Apple on these kinds of issues - better to just switch to an OS/environment
where these kinds of fixes can be better maintained and won't result in apps
being killed from my life.

~~~
vetinari
How did you get 10.6 running on Powerbook? Afaik, 10.5 was the end of line for
PPC Macs.

I do have a PPC Mac too, but with Nvidia graphics, so Linux is not a solution
for me :(.

~~~
fit2rule
Ah, that should've been Macbook Pro, sorry about that confusion ..

------
zmanfx
I noticed this new certificate Apple issued is still using SHA-1 as its
signature algorithm. I wonder why Apple didn't make the jump to SHA-2 based
signatures.

~~~
fairplayd
They recently added support for SHA-256 (both full digest and truncated to 160
bits) hashes in their codesign system. I haven't seen it on iOS yet and
suspect that it is only for OS X at the moment.

~~~
fairplayd
Also, a 3GS at least has HW acceleration for AES, SHA-1, and some sort of RSA
bignum acceleration. Not sure what the new HW has but I suspect backwards
compatibility may be a reason for holding SHA-1++ back on iOS.

------
skywhopper
Can someone confirm that the intermediate certificate is actually expiring on
February 14, or just that it won't be accepted after that date? The linked
article just says the certificate is "expiring soon" and that developers will
have to start signing with the new certificate before February 15. It's a
nitpick, but I'm curious.

------
mikek
Why do certificates need to expire? It causes a lot of trouble for everyone.

~~~
mcpherrinm
As Admiral Piett said, "It's an older code, sir, but it checks out."

Without expiry dates on certificates, we're stuck with trusting whatever we've
issued forever. Lists of revoked certificates would grow forever, and work
even worse than they do today. At least now, we can stop worrying about
ancient certificates after they're expired.

Having certs expire and be reissued also ensures there's a continual path to
upgrade to newer certificates: I suspect you'd have a much harder time
retiring SHA-1 certificates if nobody had any regular-interval incentive to
replace their certs.

