Expired certificates now prevent apps from launching?

So my app had its distribution certificate expired today. Usually, apps that were signed while the certificate was still valid should be unaffected and keep running. To my knowledge, this has been the case for years. You'd just then create a new certificate next time you wanted to push an update.


However, and I'm not sure if this is a new restriction in macOS 10.15, but now my app will refuse to launch! You can imagine the support nightmare that will be.


"You should've pushed an update with a new certificate already!" you might say? Well what happens if some of your users don't run your app very often and they miss the update? Well they're stuck with an app that no longer launches and have to redownload the updated app entirely instead of getting it via in-app updates.


I don't know if this is a bug on Apple's end or this is now by design. If so, well this sucks as this not only hurts developers that distribute their apps outside the MAS but users as well that rely on those apps and may find themselves unable to use the apps they need to get their work done until they figure out how to fix the problem or contact the developer for a solution.


Anyone else had this issue?

I think you might be confusing profile with dist cert...

There’s not a lot of concrete info to go on here. To start:

  • Presumably this is a Developer ID app, not a Mac App Store app, and thus by “distribution certificate” you mean your Developer ID Application certificate?

  • Does your app have a provisioning profile?

  • Have you actually checked the expiry dates involved? If you do the following, what do you see?

    % codesign -d --extract-certificates MyTest.app
    …
    % openssl x509 -inform der -in codesign0 -noout -text
    …
            Validity
                Not Before: Jul 31 16:31:20 2017 GMT
                Not After : Aug  1 16:31:20 2022 GMT
    …
    % security cms -D -i MyTest.app/Contents/embedded.provisionprofile 
    …
    <dict>
        …
        <key>ExpirationDate</key>
        <date>2038-03-29T08:32:41Z</date>
        …
    </dict>
    </plist>


Finally, I want to be clear about one thing: While Developer ID certificates and provisioning profiles have an expiry date, the system is meant to ignore them. There have been circumstances where that’s not happened, but such problems are bugs. A Developer ID-signed product should not expire.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


Presumably this is a Developer ID app, not a Mac App Store app, and thus by “distribution certificate” you mean your Developer ID Application certificate?


Yes, this is a Developer ID app and a Developer ID App Cert was used to generate the provisioning profile. Sorry about the confusion.


Does your app have a provisioning profile?


Yes it does.


Have you actually checked the expiry dates involved? If you do the following, what do you see?


Here's the result:


Validity
            Not Before: Apr  1 20:33:20 2015 GMT
            Not After : Apr  1 20:33:20 2020 GMT


<key>ExpirationDate</key>
  <date>2020-04-01T20:33:20Z</date>


Finally, I want to be clear about one thing: While Developer ID certificates and provisioning profiles have an expiry date, the system is meant to ignore them. There have been circumstances where that’s not happened, but such problems are bugs. A Developer ID-signed product should not expire.


Well this sounds like a bug to me as now apps signed with this certificate and provisioning profile are refusing to launch and just crash!

My reply is being moderated for some reason. Also, this issue isn't exclusive to macOS 10.15.4. I had a user on El Capitan reporting the issue.

It’s interesting that your certificate and profile expire on the same second. This isn’t a coincidence, methinks. Notably, that’s not the case with mine.

There was a problem like this a year or two ago (I’m gonna be kinda vague here because I wasn’t supporting Mac code signing at the time) and the immediate fix was for us to push out the expiration date on profiles until 2038. This is what you can see with my profile.

My recollection is that this was an expedient measure, and that the plan was to change the OS to ignore profile expiry for Developer ID apps. However, I’ve not been tracking assiduously. If you’d like me to dig into that aspect of things, please open a DTS tech support incident so that I can allocate the time necessary.

However, I think there are two things you can do independently:

  • You should file a bug about this, attaching your current app. As I mentioned previously, Developer ID apps should not expire.

    Please post your bug number, just for the record.

  • You can resolve this issue by regenerating the profile for your app. This should have a 2038 expiring date, and thus you shouldn’t have to deal with this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
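
The two expiry checks listed earlier in the thread, wrapped in a script that also flags the case noted above where the certificate and the profile expire at the same instant. This is an added example, not part of any post in the thread and not Apple tooling; the function names are hypothetical and the sample input is constructed from the dates posted here.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not Apple tooling.
# On a Mac, feed them the real command output shown in the thread:
#   openssl x509 -inform der -in codesign0 -noout -text | cert_not_after_iso
#   security cms -D -i MyTest.app/Contents/embedded.provisionprofile | profile_expiry_iso

# openssl text on stdin -> "Not After" as ISO 8601 UTC.
cert_not_after_iso() {
    awk '/Not After/ {
        sub(/^.*Not After *: */, "")   # leaves e.g.: Apr  1 20:33:20 2020 GMT
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        printf "%04d-%02d-%02dT%sZ\n", $4, m, $2, $3
        exit
    }'
}

# Decoded profile plist on stdin -> the <date> that follows ExpirationDate.
profile_expiry_iso() {
    awk '/<key>ExpirationDate<\/key>/ { want = 1; next }
         want && /<date>/ { sub(/^.*<date>/, ""); sub(/<\/date>.*$/, ""); print; exit }'
}

# String order equals time order for same-format ISO 8601 UTC stamps.
is_before() { awk -v a="$1" -v b="$2" 'BEGIN { exit !((a "") < (b "")) }'; }

# Usage: expiry_report CERT_ISO PROFILE_ISO NOW_ISO
expiry_report() {
    c=valid; p=valid; same=no
    if is_before "$1" "$3"; then c=expired; fi
    if is_before "$2" "$3"; then p=expired; fi
    if [ "$1" = "$2" ]; then same=yes; fi
    echo "cert=$c profile=$p same_expiry=$same"
}

# Constructed sample input, using the dates posted in the thread.
sample_cert_text() {
    printf '%s\n' '        Validity' \
        '            Not Before: Apr  1 20:33:20 2015 GMT' \
        '            Not After : Apr  1 20:33:20 2020 GMT'
}
sample_profile_text() {
    printf '%s\n' '<dict>' '  <key>ExpirationDate</key>' \
        '  <date>2020-04-01T20:33:20Z</date>' '</dict>'
}

now=2020-04-02T00:00:00Z   # fixed "now" so the sample run is reproducible
expiry_report "$(sample_cert_text | cert_not_after_iso)" \
              "$(sample_profile_text | profile_expiry_iso)" "$now"
```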

I'll file a DTS when I have some time. As you may guess, it's been a support nightmare having to tell users to download the updated binary and it'll be like that for weeks.


This bug also breaks apps I no longer maintain but that are still used by some. I managed to re-sign the binary but you can imagine how bad this is.


At least the updated binary will give me some time until 2038 (hopefully).


Certificate:


Validity
            Not Before: Apr  1 21:30:25 2020 GMT
            Not After : Apr  2 21:30:25 2025 GMT


Provisioning profile:


<key>ExpirationDate</key>
  <date>2038-03-28T21:44:40Z</date>


I'll update this post once I have a bug number.

So I had 2 users that contacted me in the past couple of days that told me that the app is crashing again (Termination Reason: Namespace CODESIGNING, Code 0x1). I've checked that both the certificate and profile did not expire and they are fine.


Please see FB7678285 and case ID 734264013

case ID 734264013

That’s in my queue and I’ll respond there later today.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"