What's causing Mac apps to report as 'damaged' and what can be done about it.
Earlier this week Mac App Store (MAS) apps, on launch, were showing up as "damaged" and couldn't be opened. The old MAS security certificate seemed to have expired and a new one, at first, didn't seem to be showing up. Here's my current understanding of what happened.
The old MAS certificate used SHA-1 (secure hash algorithm 1) cryptography. Before it expired, Apple issued a new certificate, but one using SHA-2 (secure hash algorithm 2). This was supposed to be transparent, but once the old certificate expired, some people began experiencing problems.
First, outdated certificate information was stuck in cache, which required some people to reboot or re-authenticate in order to clear it out.
Second, some apps are apparently using an old version of OpenSSL for receipt validation, and—you guessed it!—it doesn't support SHA-2, and hence isn't compatible with the new certificate.
SHA-2 support in OpenSSL has been kicking around since 2005, so it's really in everyone's best interests to use it.
In order to fix the current problem, Apple will need to roll back the MAS certificate to SHA-1 or developers will need to update their receipt validation to use OpenSSL that supports SHA-2. Obviously a roll back on Apple's side would be faster, a developer update better in the long run. Hopefully we'll get both.
UPDATE: Apple has rolled back to SHA-1.
Reader comments
Here's what's happening with the Mac App Store and 'damaged' apps
I'm a huge Apple apologist, so this is a great explanation and confirms in my head that it was really the developers that coded their apps wrong which is the problem.
Did you see the bit where it said, “Second, SOME apps are apparently using an old version of OpenSSL………….”.
This means that some were not. You are correct in that you are an apologist.
wow. good job of not understanding the story.
It was both. Apple's system didn't clear the old certificate out of cache properly, and some developers were using really old versions of OpenSSL that couldn't support the new SHA-2 certificate.
All that matters for customers, though, was that their apps were broken.
Apple's rolled back to SHA-1, really? Didn't expected that!
Still problems, or hoops to jump through. I tried to open an app, and got "You are trying to open and app bought on another computer. Enter your iTunes username, and password" it was a pop up. After entering the information, the app worked fine. Funny thing, I bought it on the Mac in the Mac store. Never used another computer.
Sent from the iMore App