Whatever they might teach on MBA courses, there’s an inevitability about time. Hide under the bedclothes as much as you like on Sunday, it’s an inescapable fact that tomorrow will be Monday. Almost twenty years ago, all those well-paid executives learned that they couldn’t stop the arrival of Y2K and had to prepare. Nearly five years ago, Apple’s senior managers learned that even Einstein couldn’t work his way around dates of expiry of security certificates. Yet last week we’ve borne the brunt of a repeat performance.
In case you hadn’t noticed it, almost all of Apple’s existing installers and updaters now lie in tatters, their signing certificates expired, because Apple did too little too late. It failed to plan for the progression of time.
The first time this struck Apple (and had impact on many users) was in March 2012, when a lot of the Software Update certificates on Mac installers expired. At the time, as Rich Trouton observed, users could work around this when using the Installer app, but it wasn’t so easy at the command line.
The problem struck again in February 2015, when an Intermediate Certificate from the Apple Software Update Certificate Authority expired. Apple then had to re-sign and reissue many installers and updaters to cope with that crisis. The new Intermediate Certificate used then was set to expire on 24 October 2019, a date which gave Apple over four years to plan for, to ensure that there’d be no disruption when it arrived.
Since the release of Mac OS X 10.6 Leopard in October 2007, major releases of Mac operating systems have taken place between July and October. Sure enough, this autumn/fall macOS 10.15 Catalina was scheduled for release, and the period September to October was going to be very busy with releases and updates. It wasn’t going to be a good time to have to change certificates, or to reissue old installers and updaters with new ones.
With the release of the last Supplemental Updates to Mojave and the imminence of Catalina, this was a time when a lot of users were downloading full Mojave installers, either to set up virtual machines or to keep at hand in case their upgrades went awry. But until the end of September, each of those Mojave installers was still being signed using certificates which were going to expire in less than a month. Now every downloadable installer or updater offered by Apple prior to the end of September has to be replaced with an identical installer using new certificates.
Thankfully, rumours that the first release Catalina installers also relied on certificates which expired on 24 October have proved to be false. However, as has transpired, checking when any given macOS installer app’s certificates expire has proved technically demanding, and not something ordinary users can do, say, in the Finder.
Looking at these re-signed Installer packages, the new Intermediate Certificate is valid from 22 March 2019, and doesn’t expire until 15 October 2031. The Software Update certificate itself is valid from 17 April 2019, and expires on 14 April 2029. The one lesson that Apple does appear to have learned is to issue certificates which don’t expire so soon.
But how come certificates which came into force in March and April of this year are only now being used in October? Were they actually created and ready to use that long ago, or has someone backdated them to make it look as if it was someone else’s fault that they haven’t been used for six months?
Meanwhile, as Apple’s engineers frantically try to dig its services out of this deep hole, crucial downloads just vanished. One example was Swift 5 Runtime Support for Command Tools, previously available from here, which just went missing for days (it’s available again, now). If you’re running any version of macOS prior to Mojave 10.14.4 – which includes High Sierra, still officially supported by Apple – you need to download and install this in order to run command tools built using Swift 5. Without it, you simply can’t run those tools because those libraries, incorporated into recent releases of macOS, aren’t supplied as part of previous versions of the system.
Like many other users, I now have tens of gigabytes of Apple installers and updaters whose certificates have expired. Replacing them isn’t going to be an easy task, as Apple thinks it’s good to hide them away, rather than providing ready access. Even if I can find El Capitan in the App Store, Software Update won’t let me download it, as neither of my current Macs can run it. Others report that they’re unable to obtain a re-signed copy of the El Capitan installer even on Macs which can run it.
As usual, Apple isn’t saying anything, not to users or developers. Its most meaningful communication about this inexcusable failure of support were the 404 errors from download pages. There’s no explanation, no apology, no timescale, no support. Yet again, it seems to hope that if it pretends nothing has happened, we’ll all forget about it. Just like Apple clearly did until someone’s Calendar notified them that crucial certificates expired in a few days time.
That’s corporate planning for you: just pretend the inexcusable never happened. Maybe that’s the MBA approach to time management.