Apple apologizes to Mac devs for App Store certificate screw-up
"We apologize for any inconvenience to you and your customers," Apple said in an email to OS X developers, including Donald Southard, Jr., who posted an image of the email on Twitter Tuesday. Southard is the creator of the Mac utilities Watermarker and Thumbtack.
Apple also explained the cause of the Nov. 12 fiasco, saying that although it had issued a new certificate for signing Mac App Store purchase receipts, a "caching issue with the Mac App Store" meant many users had to restart their machines and re-enter their Apple Account password. In some instances, app owners were forced to delete the apps and re-download them from the store.
The problem impacted most if not all paid apps bought through the Mac App Store. The bulk of paid apps regularly check with Apple's servers to make sure that a receipt exists for the purchase before running.
Even after Apple replaced the outdated certificate last week, many apps still refused to run or displayed error messages, including one that said the app was "damaged and can't be opened."
After Apple swapped out the expired certificate for one that used the stronger SHA-2 hashing algorithm, later that day it was forced to backtrack and resort to a new SHA-1 certificate. "Some apps are running receipt validation code using very old versions of OpenSSL," Apple said in its email to developers.
Many firms and websites that rely on the weaker SHA-1 certificates are replacing them with ones using SHA-2, largely over concerns that the former may be cracked as early as next month, letting government intelligence agencies or even well-heeled hackers impersonate legitimate sites. Google, Microsoft and Mozilla, for example, have all recently said they will, or may, accelerate plans to drop browser support for sites that encrypt traffic with SHA-1 certificates.
Earlier this month, for instance, Microsoft said it was "now considering an accelerated timeline to deprecate SHA-1 signed TLS certificates as early as June 2016." Previously, Internet Explorer's maker had said it would drop support for SHA-1 certificates on Jan. 1, 2017.
Another developer wondered why Apple hadn't also apologized to its Mac customers, who had to hassle with their apps. "Question is, why are they only sending an apology to developers, and not actual customers Wait, we know the answer," tweeted Dan Loewenherz, founder of Lionheart Software.
Apple will fix the Mac App Store caching problem, it told developers, "in an upcoming OS X update," but did not reveal a timetable. Apple is currently testing OS X 10.11.2 -- the next version of El Capitan -- with both developers and the general public.
Apple did not reply to Computerworld's request last week for comment or an explanation for the expired-certificate mess.