What's causing Mac apps to report as 'damaged' and what can be done about it.

Earlier this week Mac App Store (MAS) apps, on launch, were showing up as "damaged" and couldn't be opened. The old MAS security certificate seemed to have expired and a new one, at first, didn't seem to be showing up. Here's my current understanding of what happened.

The old MAS certificate used SHA-1 (secure hash algorithm 1) cryptography. Before it expired, Apple issued a new certificate, but one using SHA-2 (secure hash algorithm 2). This was supposed to be transparent, but once the old certificate expired, some people began experiencing problems.

First, outdated certificate information was stuck in cache, which required some people to reboot or re-authenticate in order to clear it out.

Second, some apps are apparently using an old version of OpenSSL for receipt validation, and—you guessed it!—it doesn't support SHA-2, and hence isn't compatible with the new certificate.

SHA-2 support in OpenSSL has been kicking around since 2005, so it's really in everyone's best interests to use it.

In order to fix the current problem, Apple will need to roll back the MAS certificate to SHA-1 or developers will need to update their receipt validation to use OpenSSL that supports SHA-2. Obviously a roll back on Apple's side would be faster, a developer update better in the long run. Hopefully we'll get both.

UPDATE: Apple has rolled back to SHA-1.