Apple has sent out an update and apology to developers detailing what caused the "damaged apps" situation with app from the Mac App Store last week. Overall, Apple's explanation seems to largely point to what we explained in our primer shortly after the issue reared its head last week. Here's the meat of the explanation:
Last week we updated the Mac App Store app signing certificate. This was a planned event and most users experienced no issues. However, some users experienced some issues during this change. We have corrected those issues, and wanted to share this update with you.
In anticipation of the expiration of the old Mac App Store certificate, we issued a new certificate in September. The new certificate used the stronger SHA-2 hashing algorithm in accordance with current recommended industry practice, where the old certificate had used the SHA-1 hashing algorithm.
Unfortunately, a caching issue with the Mac App Store meant that some users had to restart their systems and re-authenticate with the Mac App Store to clear a system cache of some outdated certificate information. We are addressing this caching issue in an upcoming OS X update.
Also, some apps are running receipt validation code using very old versions of OpenSSL that don't support SHA-2. We addressed this by replacing the new SHA-2 certificate with a new SHA-1 certificate last Thursday night.
Apple goes on to say that it has provided up-to-date troubleshooting information to the AppleCare support team, and most of the issues caused by the certificate problems should now be resolved. The company also notes that developers should double check that their code adheres to the Receipt Validation Programming Guide, but if necessary, they can resubmit their apps for expedited review.
