Early today people launching some Mac App Store purchased apps where greeted with errors upon launching them.
This has been pretty widely reported, & after reading a few other articles I started to panic. After which I wanted to try see how this would affect us Mac admins & if I could help detect affected apps.
Finding Affected Apps
The below tweet brought the issue to many people’s attention & gave me something I could use to try & detect affected apps:
From which I’ve written the below Extension Attribute that will look for .apps within /Applications/, check to see if they have a Mac App Store receipt & then report back the expiration date of the App Store certificate (which is the first certificate returned from the command above):
This will report back something like this:
<result>/Applications/AppIcon.app : Nov 11 21:58:01 2015 GMT /Applications/Clear.app : Nov 11 21:58:01 2015 GMT /Applications/Dash.app : Nov 11 21:58:01 2015 GMT /Applications/GarageBand.app : Nov 11 21:58:01 2015 GMT /Applications/Keynote.app : Nov 11 21:58:01 2015 GMT /Applications/Mactracker.app : Nov 11 21:58:01 2015 GMT /Applications/Slack.app : Nov 11 21:58:01 2015 GMT /Applications/TextWrangler.app : Nov 11 21:58:01 2015 GMT /Applications/Twitter.app : Nov 11 21:58:01 2015 GMT /Applications/Xcode.app : Nov 11 21:58:01 2015 GMT /Applications/iMovie.app : Nov 11 21:58:01 2015 GMT </result>
The issue is that the “App Store Certificate” within some applications expired at:
Nov 11 21:58:01 2015 GMT
The image below shows the three certificates included within each Mac App Store delivered app’s bundle:
Having an expired certificate causes issues with applications that make use of “Receipt Validation”.
Not all Mac App Store apps do, but those that are showing error messages like the below on launch post their “App Store Certificate” expiring do:
It’s interesting to note that of the Apple apps I’ve found to have an expired cert NONE have displayed errors like shown above, & so one can assume that in this instance Apple’s all about the “do as we say, not as we do”.
Fixing Affected Apps
One by one
Affected apps can be fixed as advised in the error messages shown above.
Once the above errors are dismissed you’ll then should be to login to the App Store:
This may download a newer version of the app or download an updated receipt.
After either, re-run the EA & the apps should report a new expiration date:
Oct 23 19:09:31 2017 GMT
Some people have advise that running the below command has worked for them, then launching the affected apps without having to sign in. I’ve personally not had much luck.
Turn it off & on again
It seems like another fix people are advising is restarting.
Again, as per the above. This did not work for me with the apps I had that were affected.
I’m guessing that as per the earlier linked article: “Receipt Validation”, there are two methods of validation: Local & Network.
Those that are working post restart I’m presuming are using Network based validation. With the act of restarting or performing the above command enough for that action to be performed & the new receipt is then validated.
Any apps that require re-download are probably using Local receipts & therefore requires re-downloading the app to get the new receipt.
Institutional Apple ID’s
If you’ve used an “Institutional Apple ID” due to reasons such as those that I posted here, & if a restart doesn’t resolve this sake then you’ll need to get newer versions of the apps & redeploy.
If newer versions are not available, then you will need to launch as above to get the new receipt & repackage the app (the receipt alone might work, but I’d urge caution with that approach).
Otherwise, your users will be prompted to sign in to the Mac App Store as your “Institutional Apple ID”. Not good.
One other option, which might be applicable if the apps are not required anymore or you have moved to other deployment methods & can communicate affectively to those affected, that is a bit drastic is to uninstall the App Store apps as per this guide.
Any re-installation via the Mac App Store would then have a valid receipt.
Sadly, I’ve not found a method to programatically update the receipts.
Thanks to @bmike, @bruienne, @ctdawe, @frogor & @mario on the macadmins.org Slack for helping test & figure the above.