Mikey Campbell
Apple in a note to developers on Tuesday apologized for last week's Mac App Store app signing issue that rendered certain applications inoperable, explaining server-side fixes and offering app makers instructions on how to patch affected software.
The letter, sent out by Apple Developer Relations, addressed a problem that caused users to see a false "damaged" error when opening certain apps, which in some cases forced a delete and re-download . A copy of the note was posted to Twitter by developer Donald Southard, Jr.
In summary, Apple said a planned Mac App Store app signing certificate update was the main cause of last week's problems.
In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm.
The company went on to say that a Mac App Store caching issue stored outdated certificate information on user Macs, which explains why a full system restart or re-download from the MAS solved the error for some. The problem is being addressed in a forthcoming OS X update.
The caching issue was compounded by apps running receipt validation code containing "very old versions" of OpenSSL not compatible with SHA-2 certificates. Apple replaced the SHA-2 certificate with a SHA-1 certificate last Thursday.
With the fixes in place, most of last week's Mac App Store maladies have been resolved, though Apple urges developers to check their code against its Receipt Validation Programming Guide and, if necessary, resubmit updated apps to iTunes Connect for expedited review.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
12 Comments
How about an apology to all of the customers who purchased Quicken through the App Store. It stopped working one week after the October 22, 2015 version update. Transaction downloads stopped working because Intuit issued three more versions but none were available through the App Store. Intuit simply abandoned all Quicken users who chose to purchase via the App Store, and Apple has taken no steps to address the situation. So much for Apple protecting it's customers. I doubt I'll purchase software through the App Store again.
Yet another reason why many devs don't trust the Mac App Store, which, frankly, is a bit of a joke. And this "explanation" should have been sent out earlier than this. Heck, Apple could have at least acknowledged the problem.
Yet another reason why many devs don't trust the Mac App Store, which, frankly, is a bit of a joke.
Apple collected five billion dollars in App Store revenue last quarter alone. Some joke.
Apple collected five billion dollars in App Store revenue last quarter alone. Some joke.
The iOS App Store is not the Mac App Store. And most major Mac app developers aren't in the MAS.
But both stores have the same issues; no trials, no paid upgrades, discovery problems galore. So there's that.
This is not purely Apple's fault. For example I have a lot of games bought from the Mac App Store and I noted that all the games from Feral Interactive were fine and all the ones from Aspyr Media fell down.
The reason being that developers write their own code to check their receipts, not Apple. And when Apple changed from a SHA1 hash to a SHA2 one, some of these developer's code fell down. And if they were using OpenSSL (which is what Apple's example code suggests) this would only have happened if they were using a version earlier than 0.9.8o from 2010!
With the number of vulnerabilities discovered in OpenSSL since 2010, shame on any developer still linking against it. So basically any of your apps that broke, you know the developer has not been keeping their 3rd party libs up to date. The other possibility is that they were not reading the field of the cert that says what the hashing alg. is, and were simply assuming it was SHA1, which would also be bad coding practice.
Apple should have stuck to their guns and insisted that everyone upgrade to SHA2 and resubmit their apps, for the good of the platform overall.