Apple has emailed developers about the recent damaged apps bug affecting a sizeable proportion of the OS X user base, with some users getting repeated errors on app launch. Whilst a reboot should be enough to invalidate and reload the certificate cache for most people, there are some weird edge cases. Apple says that a permanent fix for the caching issue will be included in a future OS X software update.
The email is effectively Apple apologising to developers for the store platform problems, which caused many customers to understandably, but incorrectly, point blame at the app developers, not Apple.
The issue arose for several reasons, including the certificate expiration and a switch from SHA-1 to SHA-2 hashing. Older versions of OpenSSL in apps could not handle the SHA-2 format. Apple has reverted to using a SHA-1 hash for the time being. Developers can check the Receipt Validation Guide to verify that they are handling the store verification process properly. If updates are required, Apple will accept any updates related to this problem for expedited review.
It’s great that Apple is actively contacting developers about the problem, meeting their responsibilities as platform proprietor, but the response isn’t what you would call ‘timely’. The problem started nearly a week ago with basically no official feedback from Apple until today.
You can see the full email below:
Hopefully they will be able to upgrade to SHA2 soon.