WWDR Intermediate Certificate Expiration
Apple (via Paul Haddad, comments):
While most developers and users will not be affected by the certificate change, we recommend that all developers download and install the renewed certificate on their development systems and servers as a best practice.
Harish Jonnalagadda makes it sound like developers are supposed to use the new certificate when submitting updates, but I don’t think it’s actually needed when codesigning. Rather, the reason to install it is for testing validation.
You can verify your receipt validation code is compatible with the renewed certificate in the test environment now. You will be able to test your Mac apps and receipt validation code in production starting in January.
Unfortunately, the test environment is still broken.
Mac App Store customers running OS X Snow Leopard (v10.6.8) will be unable to purchase new apps or run previously purchased apps that utilize receipt validation until they install the OS X Snow Leopard update which will be available via OS X Software Update this January.
It’s nice to have some notice this time, but it’s not that much notice. In the event that there’s a problem with 10.6, testing would be possible sometime “in January,” and then you would have to make it through App Review, and have the customer update the app, all before February 14.
Update (2016-01-15): It’s now a month before the certificate expiration. The test environment is still broken. The Snow Leopard update is not available yet.
Update (2016-01-29): The Snow Leopard update is now available.
Gus Mueller and others have continued to find that the test environment doesn’t work. Daniel Jalkut figured out that the test environment does work if you install the new Apple certificate. So perhaps it worked all along if you knew to do this. But it was not documented or obvious, and apparently no one told the Radar filers. As I found, the certificate must be installed in the System keychain. Back in December, I had installed it in my user keychain (which I think was the default), and that seemed to work because receipt validation was working with clock set in the future, but the test environment was not working.