Part of Mac apps failed to launch due to expiring developer certificates

During the last week, some users have reported part of Mac apps failed to launch. The reason is that Apple changed the verification of the purchases and downloads that are not from Mac App Store.

A few users who download apps from the developers’ sites all reported immediate crashes on launch. Developers of the apps soon apologized and explained the issue was down to the apps’ code signing certificates reaching their expiration date.

Apple issues developer signing certificates to assure users that an app they have downloaded outside of the Mac App Store is legitimate, and this hasn’t been modified since it’s last signed. In the past, the expiration of a code signing certificate won’t influence already shipped software, however, that changed last year, when Apple started requiring apps to carry a provisioning profile.

A provisioning profile tells macOS that the app has been checked by Apple against an online data base and is allowed to perform certain system actions or entitlements. But the profile is also signed using the developer’s code signing certificate, so when the certificate expires, the provisioning profile becomes invalid.

Over the weekend victims of expired provisioning profiles included users of 1Password for Mac how had bought the app from the developer’s site. AgileBits told on Sunday that affected users need to manually update to the latest version (6.5.5), noting that those who downloaded 1Password from the Mac App Store were unaffected.

The immediate solution for developers with potentially affected apps is to renew their code signing certificates before expiration.