The expiration of an Apple-issued security certificate, combined with a change made by Apple, is causing some apps purchased outside the app store, such as 1Password, PDFpen, and Soulver for Mac, to require reinstallation with a new version before coming back to life, but the issue may have lasting consequences for some software.
Over the weekend, a certificate issued by Apple required to access iCloud services expired, as expected. However, the expiration, coupled with a change in how Apple handles a lookup of apps allowed to perform certain functions, called "entitlements," had unforeseen side effects.
As a result, users of 1Password, PDFpen, and Soulver, amongst others, discovered that the apps relying on the certificate were crashing on launch. Apple's change in handling that lookup meant that simply renewing the certificate wasn't sufficient to restore functionality.
"We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version," said the 1Password developers in a blog post. "Apparently that's not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly."
A combination of factors led to 1Password not launching after simply updating the certificate, as the installer didn't recognize the new certificate as valid.
The "crash" turned out to be a feature of macOS in PDFpen's case. According to TidBITS, the "taskgated-helper" system app examines a code signing certificate and compares it to the "entitlements" list. Should the provisioning profile be linked to an expired certificate, macOS blocks the app with the expired certificate from launching.
Soulver, PDFpen, and 1Password have been updated by the developers to rectify the problem, and all users need to do is download an updated version and install it. However, other apps not updated as frequently, or abandoned by developers, may stop working, leaving users with no recourse to get them working again.
Apps sold through the Mac App Store are signed by Apple, and not by the developer. Because of that, only apps that are sold outside the app store and need "entitlements" are impacted by the problem.
While this issue is limited to apps purchased outside the Mac App Store, Apple has had its own problem with certificate expiration and unforeseen consequences. In Nov. 2015, an upgrade to SHA-2 certificate encryption caused issues in conjunction with a Mac App Store issue storing outdated certificate information on user Macs, which rendered many apps non-functional.