
Here's what's happening with the Mac App Store and 'damaged' apps

Earlier this week Mac App Store (MAS) apps, on launch, were showing up as "damaged" and couldn't be opened. The old MAS security certificate seemed to have expired and a new one, at first, didn't seem to be showing up. Here's my current understanding of what happened.

The old MAS certificate used the SHA-1 (Secure Hash Algorithm 1) hash function. Before it expired, Apple issued a new certificate that uses SHA-2 (Secure Hash Algorithm 2) instead. The switch was supposed to be transparent, but once the old certificate expired, some people began experiencing problems.

First, outdated certificate information was stuck in cache, which required some people to reboot or re-authenticate in order to clear it out.

Second, some apps are apparently using an old version of OpenSSL for receipt validation, and—you guessed it!—it doesn't support SHA-2, and hence isn't compatible with the new certificate.

SHA-2 support in OpenSSL has been kicking around since 2005, so it's really in everyone's best interests to use it.

To fix the current problem, either Apple will need to roll back the MAS certificate to SHA-1 or developers will need to update their receipt validation to use a version of OpenSSL that supports SHA-2. Obviously a rollback on Apple's side would be faster, while a developer update would be better in the long run. Hopefully we'll get both.
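To see which side of this mismatch a given certificate falls on, the following added example (not code from Apple, OpenSSL or the original article) reads the signatureAlgorithm OID from a DER-encoded certificate and checks it against the digests a validator supports. The function names, the `supported_digests` set and the skeleton certificate built by `sample_cert` are assumptions made for illustration.

```python
# Added example: which digest signed a DER-encoded X.509 certificate?
SIG_OIDS = {  # RSA signature-algorithm OIDs (PKCS #1) mapped to their digest
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # OID content bytes -> dotted notation
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_digest(der):
    """Digest name behind the certificate's signatureAlgorithm, or the raw OID."""
    _, start, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)        # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected algorithm OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def validator_can_verify(der, supported_digests):
    """True if a validator limited to supported_digests can check this signature."""
    return cert_signature_digest(der) in supported_digests

def sample_cert(oid_last_byte):
    """Constructed skeleton (empty tbsCertificate, dummy signature), not a real cert."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    oid = bytes.fromhex("2a864886f70d0101") + bytes([oid_last_byte])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
```

Calling `validator_can_verify(sample_cert(0x0B), {"sha1"})` models the failure described above: a validator that only knows SHA-1 cannot check a certificate signed with SHA-256.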

UPDATE: Apple has rolled back to SHA-1.

Rene Ritchie
Contributor


6 Comments
  • I'm a huge Apple apologist, so this is a great explanation and confirms in my head that it was really the developers that coded their apps wrong which is the problem.
  • Did you see the bit where it said, “Second, SOME apps are apparently using an old version of OpenSSL…”?
    This means that some were not. You are correct in that you are an apologist.
  • Wow. Good job of not understanding the story.
  • It was both. Apple's system didn't clear the old certificate out of cache properly, and some developers were using really old versions of OpenSSL that couldn't support the new SHA-2 certificate. All that matters for customers, though, was that their apps were broken.
  • Apple's rolled back to SHA-1, really? Didn't expect that!
  • Still problems, or hoops to jump through. I tried to open an app, and got "You are trying to open an app bought on another computer. Enter your iTunes username, and password." It was a pop-up. After entering the information, the app worked fine. Funny thing, I bought it on the Mac in the Mac store. Never used another computer. Sent from the iMore App