Mac App Store Apps 'Damaged' Following Security Certificate Bug (thestack.com)
An anonymous reader writes: A slew of complaints are emerging against Apple after users were forced to delete and re-install Mac App Store apps in the wake of a major security management error. The problem manifested with the apparent expiry of security certificates which validated the apps, but even after the certificates were updated yesterday to expire in 2035, the problems were not resolved; some users were unable to verify the new certificates, and others could not even connect to the internet. In some cases the programs had to be reinstalled from scratch, deleting the user's existing settings.
The joys of not controlling what you supposedly own.
Let's start with user settings. User settings are neither stored with the app nor digitally signed or encrypted. They are buried in a semi-hidden folder that resides in the user's home directory. Deleting an app doesn't delete your settings. It can't. Intentionally.
You can't really 'update' a cert once it's been used, so if something expired, all apps with that cert in their chain of trust would need to be re-signed to validate them. There is no way to magically make apps signed with the old cert work with a new one. That would be a massive hole in the entire PKI process.
I'm not saying something didn't break, but the summary is 100% factually incorrect.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
"some users were unable to verify the new certificates, and others could not even connect to the internet. In some cases the programs had to be reinstalled from scratch, deleting the user's existing settings."
Ok, let's look at this...
1) some users were unable to verify the new certificates
Sure, I buy that.
2) others could not even connect to the internet
I call BS. App certs do not have any use whatsoever in the TCP stack. I'm sure people had problems, but it wasn't due to this.
3) the programs had to be reinstalled from scratch, deleting the user's existing settings
I call BS on that too. The app settings are in a text file in the user directories, you can go and open them in your favorite text editor right now. Re-installing an app does not overwrite these settings, which is *the whole reason* they're done this way. It is possible that app did that, but that's a bug in the app and has nothing to do with certs.
Crappy reportage.