App Store enigma

Only a few days ago, I lamented the problems which many users of the Mac App Store experienced recently.

It seems that Apple has now taken the trouble to explain and apologise to its developers (at least, those whose apps are sold by the App Store), but not its customers, for the fiasco which they may well have suffered. However, Apple’s explanation differs from what was suggested by users, and is enigmatic, to say the least.

Apple claims that it renewed the security certificate at the centre of the problems back in September, but that a problem in the App Store app meant that this went unnoticed by that app, due to caching of certificate information. In other words, the apps which were reported as being damaged were still looking for the old certificate, even though it had expired and a new one provided over a month before. To flush that cache, Apple said that users had to sign on the App Store afresh, and restart.

Even then, according to Apple, some apps could not see the new certificate, as it used SHA-2 hashing, which was not apparently supported by the old versions of OpenSSL which those few apps apparently used. In other words, Apple is saying that the developers were also at fault.

appstore173What Apple did not mention was my original gripe: the error alert reported in the circumstances was not just misleading, it was totally wrong. As this error message was generated by the App Store in concert with OS X (or perhaps the other way around), that is fairly and squarely Apple’s problem to address, if Apple can actually see that point. I’m not sure, though, that it is looking.

As for the issue about the App Store app cache, that is very puzzling.

In my case, any cache should have been well flushed between issue of the new certificate and expiry of the old one. Over that period. this iMac has undergone the upgrade from Yosemite to El Capitan, which should have trashed every cache around, and the El Capitan updates since. It has been restarted on several occasions, and in late October was shut down for a while. I have signed onto the App Store on many occasions too. If none of those managed to flush the cache, then it is less of a cache and behaves more like ROM.

The OpenSSL issue is more curious still. Apparently, when App Store apps check that they are authorised to run, part of that process involves checking the hash signature in Apple’s security certificate. Although there are other methods available, a sensible place to start would be in OpenSSL, which is part of every OS X installation.

Only Apple warns developers not to use the OpenSSL libraries in OS X, because they get updated (which is a twisted piece of logic in itself). Instead developers are instructed to compile their own version of OpenSSL and statically link that into their apps. An inevitable side-effect of that is that App Store apps are likely to use some quite old versions of OpenSSL, which may lack more recent features, and even have security vulnerabilities.

When Apple then unilaterally, and without any warning to developers or users, changes the type of hash key provided by its security certificate, as it admits it did in September 2015, there is a good chance that will break many apps in the App Store – even those which may have been updated very recently, if their developers have followed Apple’s advice and linked in their own version of OpenSSL.

The whole purpose in providing operating system services such as OpenSSL, and in keeping those up to date, is so that they can be used by other processes and apps. Apple is here the author of the misfortune for which it is blaming developers.

So the factual summary here seems to be:

  1. Apple had updated their security certificate, and did not allow it to lapse;
  2. however, Apple’s software (the App Store app and OS X) failed to recognise the certificate update, because that software is broken;
  3. Apple’s instructions to developers encourage third-party apps to rely on old, flawed, and vulnerable versions of OpenSSL despite more recent versions being available in OS X;
  4. Apple issued a new certificate which it should have known would not be recognised by many App Store apps;
  5. Apple’s error message is not just misleading but totally wrong;
  6. Apple has not apologised to its customers.

I don’t think that I have forgotten anything, have I?