Apple apologizes to developers for Mac App Store certificate flap, explains fix
Apple in a note to developers on Tuesday apologized for last week's Mac App Store app signing issue that rendered certain applications inoperable, explaining server-side fixes and offering app makers instructions on how to patch affected software.
The letter, sent out by Apple Developer Relations, addressed a problem that caused users to see a false "damaged" error when opening certain apps, which in some cases forced a delete and re-download. A copy of the note was posted to Twitter by developer Donald Southard, Jr.
In summary, Apple said a planned Mac App Store app signing certificate update was the main cause of last week's problems.
"In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm."
The company went on to say that a Mac App Store caching issue stored outdated certificate information on user Macs, which explains why a full system restart or re-download from the MAS solved the error for some. The problem is being addressed in a forthcoming OS X update.
The caching issue was compounded by apps running receipt validation code containing "very old versions" of OpenSSL not compatible with SHA-2 certificates. Apple replaced the SHA-2 certificate with a SHA-1 certificate last Thursday.
With the fixes in place, most of last week's Mac App Store maladies have been resolved, though Apple urges developers to check their code against its Receipt Validation Programming Guide and, if necessary, resubmit updated apps to iTunes Connect for expedited review.