Lapsed Apple certificate triggers massive Mac app fiasco

12.11.2015
A lapsed Apple digital certificate today triggered a massive app fiasco that prevented Mac users from running software they'd purchased from the Mac App Store.

"Whenever you download an app from the Mac App Store, the app provides a cryptographically-signed receipt," explained Paul Haddad, a co-founder of Tapbots, the company behind the popular Tweetbot Twitter client, in an email reply to questions today. "These receipts are signed with various certificates with different expiration dates. One of those is the 'Mac App Store Receipt Signing;' that expires every two years. That certificate expired on 'Nov 11 21:58:01 2015 GMT,' which caused most existing App Store receipts to no longer be considered valid."

Whoops.

The result: Bedlam.

Until Apple replaced the expired certificate, users who booted up their Macs today were unable to launch the apps they had bought through the Mac App Store, the OS X version of the iPhone's distribution portal.

But even after Apple replaced the outdated certificate, many apps still refused to run or threw off scary error messages, including one that said the app was "damaged and can't be opened," and others that said the app was already being used on another Mac, when it was, in fact, not.

Some Computerworld staffers instead were asked to re-enter their Apple account credentials -- those used to originally buy the apps -- in a too-fleeting dialog, or were stymied when clicking on an app in the Dock simply did nothing and displayed no alert, warning or error message.

Most users were forced to delete the dysfunctional apps, then download and reinstall them from the Mac App Store to restore them to working order.

The problem impacted most if not all paid apps bought through the Mac App Store; the bulk of paid apps regularly check with Apple's servers to make sure that a receipt exists for the purchase before running. "I'm guessing most paid Mac App Store apps will do this. Free ones may not bother," said Haddad, when explaining why some users haven't been affected.

Haddad also said that some underlying problems remained in Apple's e-store infrastructure. "Apple is now creating receipts which will expire in 2017, [but] for some reason some part of the Store infrastructure on [OS X] is either not requesting these new receipts until after a reboot or not properly validating them [emphasis added]. Either way, there's still a bug somewhere in OS X."

As Haddad mentioned, the certificates Apple uses have a two-year lifespan. In fact, the problem cropped up two years ago and will likely reoccur in 2017.

Craig Hockenberry, a partner at the development firm IconFactory, pointed out a similar issue in October 2013, and filed a bug report with Apple.

In a Thursday tweet, Haddad noted that the new certificate will expire on Oct. 23, 2017. "Hopefully, Apple fixes whatever caching issues by then," he said.

Haddad's advice for afflicted Mac users was to first reboot their machine before doing the delete-reinstall dance. "After a reboot OS X will grab a new receipt and that likely requires at least one log-in to your iTunes account," he said.

Apple did not immediately reply to questions about the snafu.

(www.computerworld.com)

Gregg Keizer