Apple today publicly addressed the issue with the Mac App Store that last week caused a number of Mac desktop applications to stop working, forcing users to restart their computers and reauthenticate with the Mac App Store after receiving error messages when trying to run their applications. As we previously reported, the problem stemmed not just from an expired security certificate, as had first been suspected, but from a transition to a new certificate with a stronger hashing algorithm that, as it turned out, not all developers were ready for.
As expected, Apple has now begun reaching out to Mac App Store developers with an emailed apology and further explanation.
In the letter, Apple says that it had issued a new certificate in September in anticipation of the old certificate’s expiration. The old certificate used the SHA-1 hashing algorithm, but the new one had been upgraded to support SHA-2. OpenSSL had started supporting SHA-2 in 2005, which is why Apple didn’t think the transition would be a problem.
There’s even a bit of subtle shaming in the letter to developers on Apple’s part when it says that “some apps are running receipt validation code using very old versions of OpenSSL” (emphasis ours), followed by news that it had to roll back to the SHA-1 certificate on Thursday because of this problem.
Additionally, the letter says that a caching issue meant that some Mac App Store end users had to reboot and reauthenticate with the store to clear outdated information from their systems when the new certificate went into effect. This, as it turns out, was a separate problem – something that was not clear in the immediate aftermath of the Mac App Store application crashes. Apple now says that it will address the caching issue through an update to Mac OS X.
Apple also says the AppleCare team now has up-to-date troubleshooting information regarding the problem, and asks developers to ensure their code adheres to the Receipt Validation Programming Guide and then resubmit their apps for an expedited review.
The two issues highlighted one of the drawbacks of having a centralized repository for applications that’s managed by a single entity: it became a single point of failure when issues and changes on Apple’s side affected applications already installed on end users’ computers. But while in the grand scheme of things it was a relatively minor glitch that was fairly quickly corrected through a rollback to an older certificate, it also brought to light the fact that Apple doesn’t have a way to publicly speak to the Mac App developer community or their customers at this time, such as through an official Twitter account.