Expired Developer ID Installer and application certificates

Question

Created May ’21

Replies 2

Boosts 0

Views 1.6k

Participants 3

Hello,

Our Production packages and executables were signed with a Developer ID installer and application certificates, that have expired yesterday. These packages were notarised but not stapled.

After the certificate is expired, will the users be able to download and install the packages that were signed those certificates.
(In our quick test we are able to download and install these packages but will they continue to work )

Answered by DTS Engineer in 675353022

The general guideline for a Developer ID signed item is that the signing identity must have been valid at the time that it was signed. This is why, when you sign an app for notarisation, you must include a secure timestamp (via the --timestamp option). So, as long as your signed items contain that timestamp, you should be fine.

Having said that, my advice is that you not trust me here! (-: Rather, test this on a Mac whose clock is set to after the expiry date you’re concerned about. Do this on a Mac that’s disconnected from the network, so that there’s no way for it to know that its clock is ‘wrong’.

In fact, you could adapt the process in my Testing a Notarised Product post by adding:

Step 3.5 — Set the clock in the future.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

May ’21

Accepted Answer

The general guideline for a Developer ID signed item is that the signing identity must have been valid at the time that it was signed. This is why, when you sign an app for notarisation, you must include a secure timestamp (via the --timestamp option). So, as long as your signed items contain that timestamp, you should be fine.

Having said that, my advice is that you not trust me here! (-: Rather, test this on a Mac whose clock is set to after the expiry date you’re concerned about. Do this on a Mac that’s disconnected from the network, so that there’s no way for it to know that its clock is ‘wrong’.

In fact, you could adapt the process in my Testing a Notarised Product post by adding:

Step 3.5 — Set the clock in the future.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

DTS Engineer OP

Apple

Apr ’22

Is this statement here For installer packages signed with a Developer ID Installer certificate correct?

It is not. This came up recently in another thread.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0