Tuesday, February 16, 2016

More Mac App Store Certificate Problems

Keith Gugliotto:

Beginning February 14th, many of our users who purchased from the Mac App Store have experienced an issue where the application crashes while opening. What we know, so far, is this is another certificate issue on Apple’s end, preventing applications from properly validating a Mac App Store receipt.

[…]

The official word from Apple is that, in general, restarting the Mac in question should resolve the issue. In addition, for OS X El Capitan users, Apple says updating to OS X 10.11.2 or later is required, and OS X Snow Leopard users should be sure the Mac App Store Update for OS X Snow Leopard is installed. While what we have here is technically similar to what happened last November, it’s not quite the same and, being on Apple’s end, not something we could’ve prepared for. We’re grateful for your patience and understanding!

We’re not seeing the issue in-house, but we’ve learned a restart does not resolve the issue – reinstalling the application itself does.

Jeff Johnson:

On 2 different machines, I had to delete the apps entirely and re-download them from MAS in order to get them to work. Quality.

Russell Ivanovic:

Some of my Mac apps won’t open today. I know why, and I know a re-install fixes it…but…sigh. Mac App Store: It Just Works*

Jason Simms:

Yet another Mac App Store delight: today, several apps stopped opening (some say "verifying", some do nothing). Fixed by redownloading.

Peter Cohen:

This CF is still biting me, months later

Rich Trouton:

Mac admins who have previously downloaded installers from the Mac App Store may be seeing some of those installers displaying warning messages and/or failing to install as of this morning.

[…]

In the case of applications where the needed version is no longer available from the MAS, or the application itself is no longer available, there are two ways to handle this issue[…]

Unlike in November, I have not seen these problems on my Macs.

Previously: WWDR Intermediate Certificate Expiration, No One Minding the Store.

Update (2016-02-16): Gregg Keizer:

Apple’s support document […] added a caveat about OS X apps. “Users running OS X El Capitan (v10.11 or v10.11.1) may receive a notification that your Mac app is damaged if it utilizes receipt validation to request a new receipt from Apple,” the document said. “They can resolve this issue by restarting their Mac or updating to OS X El Capitan (v10.11.2) or later.”

Computerworld staffers running the latest El Capitan beta—OS X 10.11.4—encountered dead apps early Tuesday, including Byword, a text editor; the Fantastical 2 calendar; and Clear Day, a weather app. Some apps threw out a request for the Apple ID password used to access the Mac App Store—in some cases only a fleeting dialog box—but other apps just would not launch.

Restarting the Mac did not help.

Rob Griffiths:

We’re paying 30% for the privilege of explaining to Apple’s App Store customers why their purchased apps don’t work.

Rich Siegel:

If you have a product in the Mac App Store, be advised that the MAS had a certificate expiration over the weekend. Brace for impact.

Paul Hagstrom:

Yep. That was my guess—several MAS apps just started silently failing to launch. Reinstall fixes it, but... grr.

James Knight:

ah is that why none of my apps work :(

Bad Uncle Leo:

Yup, tried to do an El Cap re-install last night, “damaged Install” & can’t re-install

Steve Steiner:

I would like to have thought they’d have this worked out after the last debacle but I would have been a fool to have done so.

Update (2016-02-17): The certificate problems seem to also be affecting FoldingText.

Wade Cosgrove:

As a developer this is absolutely unacceptable and as a user it’s even worse (silent launch failure)!

Phil Schiller (via Cédric Luthi):

Developers were notified in advance and support was set up to help (always can do better)

This seems to miss the points that users were not notified, that we’ve heard reports of support not being familiar with the issue, and that Apple’s recommended remedy doesn’t always work.

Wade Cosgrove:

This tech note does not reflect my experience. I am running 10.11.3 and experienced the issue after cold boot on Monday.

As far as I know customers have never received anything from Apple explaining these failures or how to resolve them.

Rich Siegel:

This is hard to do 140ch at a time. :-) But alas “we warned you” doesn’t take the edge off the customer’s pain…

…and time & time again, customers come to us angry about something we couldn’t possibly have dealt with in advance.

Daniel Jalkut:

FWIW I believe Apple has prepared admirably for this but the specific issue Wade called out seems out of developer hands.

Ashkan Farhadtouski:

Delete and reinstall is not a solution. If purchased directly this wouldn’t have been a problem.

Mike Ash:

The problem was clearly announced, in the bottom of a drawer in a disused lavatory with a sign saying Beware of the Leopard.

It was working for me for several days after February 14, but starting this evening ReadKit will not launch for me. It reports (silently, in Console): “Failed to check receipt signature: No valid signer”. Neither of Apple’s two pieces of advice—that the OS will tell me the app is damaged and that I should restart—worked, but deleting and reinstalling did.

Update (2016-02-18): Adam Knight:

YAY! Another day that none of my Mac App Store programs will open. Thanks, Apple.

My understanding is that the developer’s only responsibility was to make sure that their receipt validation code works with the new certificate. In cases where users are having problems, the apps don’t seem to be getting to that point. Receipt validation is (correctly) failing because of receipts signed with the expired certificate. The store is then supposed to download a new receipt signed with the new certificate. This is not happening. [Update (2016-02-20): See these comments. I now think that the app’s receipt validation is incorrectly failing and that the system is (incorrectly) not downloading a new receipt.]

Update (2016-02-19): David Foltz:

@gte I know it’s not your fault. But Napkin failed to launch today. Had to reinstall. Is this @mjtsai’s fault? ;)

Update (2016-02-20): Apple has significantly added to its page about the certificate expiration:

In some scenarios, an app purchased from the Mac App Store that utilizes receipt validation may fail to launch (exiting with a 173 error code) since it considers a local receipt that includes the expired WWDR Intermediate certificate invalid. OS X regards the receipt as valid when the updated WWDR Intermediate is present on your system and therefore does not request an updated receipt for the application.

To resolve this issue, delete the renewed, non-expired WWDR Intermediate certificate from your System and/or Login keychain within the Keychain Access application. After re-launching the application, you will be prompted for your Mac App Store login credentials in order to obtain a new receipt for the application. After you have launched your application and obtained a valid receipt, you can re-install the renewed certificate to continue your development. This issue will be fixed in a forthcoming update to OS X El Capitan.

Update (2016-02-22): Wolf Rentzsch:

my list of Mac App Store Apps had to delete+reinstall due to Valentine’s Day Cert Massacre: BusyCal, Divvy, Fruit Juice, FoldingText, Shush

personal toll would have been higher but every chance I get I move my apps from Mac App Store to Direct. Don’t care if need to re-purchase

28 Comments RSS · Twitter


Tom Harrington

I'm running 10.11.3, and rebooting didn't resolve this issue. There's also nothing that would normally be considered a user-visible message about it. Apps just fail to launch, and Console shows the dreaded "Service exited with abnormal code: 173" message. Last fall I filed rdar://23582155 about this, which was later closed as "resolved", but someone at Apple has reopened it since the problem has returned.


I called Apple support about it and was told I should just reinstall every app that this happens with. Before I explained that reinstalling worked (he didn't figure that one out), the guy wanted me to reinstall OS X. He had no clue, told me no-one there would help me figure out the root cause, and then hung up on me.

It smelt like a certificate problem from the get go. I'm disappointed Apple support didn't give a crap, and of course that they hung up on me (I promise, I was not being rude!).


I’ve had the issue with 2 apps so far (Acorn and Transmit) - I didn’t need to reinstall the apps though. A dialogue popped up asking for my AppleID (… the app was purchased on a different machine … blablabla). OS X 10.11.3. (I somehow “knew” what the issue was, having seen a developer.apple.com tech note fly by in my feed reader about updated certs a few days ago).

That sort of issues shouldn’t happen of course.


This is a case where 3rd party developers were informed weeks ago by Apple but end-users were not informed by Apple.

Considering that 3rd party developers do not have any way to contact their MAS customers directly, it's not difficult to guess who is to blame for this fiasco.


[…] it might be Apple’s issue that causes the apps to fail to boot, users will likely blame the app developers, and most developers don’t have a way to directly contact their Mac App Store customers. The […]




Well, I'm screwed. Acorn 4.5 crashes and MAS wants me to pay for US$29.99 for Acorn 5. Tell you what Apple, I will - but directly from the developer. You screw me Apple, I'll screw you out of your 30% cut.

(Gus, I know it's not *your* fault in any way, and you make a great product! I wouldn't blame you for pulling things from MAS.)


Hmmm wonder if certificate expiration is why both my Mac mail imap email accounts deleted themselves this week (on both my macs) and now it is impossible to reconfigure the accounts (logs show continual message that the accounts already exists when they are no longer visible). My email account credentials are synchronised with iCloud Keychain access and I have iCloud synch of the keychain switched on. Around the time of the earlier certificate expiration issues my Mac mysteriously changed my login password (or at least it became corrupted). I had the iCloud password recovery feature switched on then. I no longer do. I was locked out of from both my desktop and laptop macs without having updated the password at any time! And I have suffered what appears to be cascade certificate issues across a range of apps and services ever since.


My 2cents. After hearing of this issue, I just tried launching all my MAS -purchased apps. Most came up just fine (even though some are older Apps, not updated since 2012), and a few hit me with the 'not bought on this computer, enter AppleD info' and then launched fine. So maybe Apple's got their end fixed now?


I use a computer as a photo and video editing workstation, with a known stable configuration, that is never* internet connected, specfically for a dedicated, calibrated, photo printer. I'm preparing to switch that workstation over to OSX. Now, I'm making notes on which applications are available outside the MAS, since it is obvious that a certificate failure could brick my workflow. Certainly, I could string some cable and do a one-time download and reinstall, but I don't like risking an automatic update accidentally being triggered that would break calibration, and I really don't like letting a production machine and my work archive touch the internet.
But, with this situation, it's not really a one time thing, is it? This is the secong time this sort of thing has happened, right? And old versions get pulled from the MAS, just like on iOS, so if a feature goes away, or the developer disappears, I'm forced into changing my workflow, right? And since the certs time out all by themselves, restoring from a backup won't work, because as soon as the system sees the right time, it will kill the app, right? Is the os savvy enough to do that if you reset the clock in the bios? I don't really want to find out. I want to move to OSX for more stability and predictability, not less!

*okay, rarely. But not since I got my current system stable.


@dave - you can reinstall Acorn 4 from the purchases tab. Let us know if that doesn't work for you ( via support@fm )


Another issue related to the certificate expiration: all Safari Extension developers are prevented from building extensions unless they are using the newest betas from Apple. Even if they followed all of Apple's directions to prepare for the new certificate, Safari will actually reinstall the expired certificate to the Keychain and will continue to do so unless the developer installs a beta of an OS that will presumably not be released until the Apple event next month.

https://forums.developer.apple.com/thread/37551


"Receipt validation is (correctly) failing because of receipts signed with the expired certificate."

Not "correctly". The previous cert expiration problem showed that receipt validation has, at least, to use the signing time to check if the certificate was valid at signing time (the default is "now", which fails).

I've checked several MAS apps which failed here and I do think it's a problem with receipt validation; if it's not done properly the leaf cert shows as invalid, even if it's not expired, because it's based on an expired intermediate cert.

My own MAS app didn't fail and I use a relatively more lenient check than is recommended in some docs. Namely, it has to use Apple's Root cert, the intermediate and leaf certs had to be valid at the time of signing, and both have to be signed by Apple. Testing for specific certs by the hash (or similar) fields will eventually fail, as we've seen.


[…] Michael Tsai: […]


@Rainer Yes, I think you are right that if the app (correctly) uses the signing time, validation won’t fail because of the expired certificate. This is probably why my own apps haven’t had problems. So perhaps the main issue is the interaction between apps that don’t use the signing time and the system that doesn’t always download a new receipt when the app exits with error 173. If the system did download a new receipt, the bad validation code would still work, so long as it wasn’t checking for a particular certificate. It also would have helped if Apple’s sample code used the signing time.


@michael exactly,the app mis-checks, does exit(173) and then the system looks at the receipt and thinks "heh, the receipt is OK" and does nothing...


Mark Griffiths

Interestingly, most of my MAS apps carried on working fine, no doubt by correctly implementing the signing time, but I had a few (SnippetsLab, Divvy, Folder Designer… maybe others I haven't noticed yet) that just wouldn't launch and no amount of deleting, restarting and reinstalling seemed to work - it would just repeatedly fail with error 173.

By chance this morning, I was in Keychain Access fixing an unrelated SSL issue and had 'Show Expired Certificates' selected. The recently expired 'Apple Worldwide Developer Relations Certification Authority' was visible - so I tried deleting it and reinstalling SnippetsLab from the MAS and it actually worked this time! I tried all the others that wouldn't launch and everything is just fine now. All of the Apps that wouldn't launch had reference to the old cert in their receipt (like below) - my guess is that having the old cert still in the keychain was causing those apps to fail - despite reinstalling.

*snip*
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA
        Validity
            Not Before: Feb 14 18:56:35 2008 GMT
            Not After : Feb 14 18:56:35 2016 GMT
        Subject: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
        Subject Public Key Info: 
*snip*

This is different to Apple's recently posted update on certificate expiration, but maybe it'll help others…


Mark Griffiths

https://twitter.com/pschiller/status/700418404604194817

Just found @pschiller's tweet from going through links above that would have saved me some pain… I'm a paid up developer and can't find anything from Apple that would suggest I was 'told' about this!



[…] annoying, this certificate problem is well documented by developers and users. Apparently the certificate expired a few weeks ago, but not all users have […]


[…] Previously: More Mac App Store Certificate Problems. […]


[…] And you’ll probably want the .dmg file to save a copy of that Xcode version, anyway. (I wouldn’t count on an archived copy from the Mac App Store to keep […]


[…] is happening. However, much remains to be done. The store apps themselves need work, as do the underlying OS services. The Mac App Store still lags behind, without support for gifting apps or TestFlight, […]


[…] CloudKit and Map Kit for Gatekeeper Apps, More Mac App Store Certificate Problems, WWDR Intermediate Certificate […]


[…] Previously: More Mac App Store Certificate Problems. […]


[…] раздражает, эта проблема с сертификатом хорошо задокументирована разработчиками и пользователями. Очевидно, срок […]


[…] a developer’s perspective, the Digital Rights Management (DRM) problems you have suffered are a compelling reason to offer non-Mac App Store editions of their […]

Leave a Comment