Expired Developer ID Installer and application certificates

Question

Hello,

Our Production packages and executables were signed with a Developer ID installer and application certificates, that have expired yesterday. These packages were notarised but not stapled.

After the certificate is expired, will the users be able to download and install the packages that were signed those certificates.
(In our quick test we are able to download and install these packages but will they continue to work )

711

Posted by

swethach

Reply

Add a Comment

Answer 1

The general guideline for a Developer ID signed item is that the signing identity must have been valid at the time that it was signed. This is why, when you sign an app for notarisation, you must include a secure timestamp (via the --timestamp option). So, as long as your signed items contain that timestamp, you should be fine.

Having said that, my advice is that you not trust me here! (-: Rather, test this on a Mac whose clock is set to after the expiry date you’re concerned about. Do this on a Mac that’s disconnected from the network, so that there’s no way for it to know that its clock is ‘wrong’.

In fact, you could adapt the process in my Testing a Notarised Product post by adding:

Step 3.5 — Set the clock in the future.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

We are observing the same behavior as the OP. Our Developer ID Installer cert expires in a couple of weeks and we have run a number of "future" tests per the Testing a Notarised Product with addition of step 3.5 above (+ 1 month). On 10.15.3, 10.15.7, 11., 12. - none of our install packages are flagged by Gatekeeper even although they are xattr'd for quarantine.

Is this statement here For installer packages signed with a Developer ID Installer certificate correct? Can it be confirmed?

Thanks

—
sdunn

Add a Comment

Answer 2

The general guideline for a Developer ID signed item is that the signing identity must have been valid at the time that it was signed. This is why, when you sign an app for notarisation, you must include a secure timestamp (via the --timestamp option). So, as long as your signed items contain that timestamp, you should be fine.

Having said that, my advice is that you not trust me here! (-: Rather, test this on a Mac whose clock is set to after the expiry date you’re concerned about. Do this on a Mac that’s disconnected from the network, so that there’s no way for it to know that its clock is ‘wrong’.

In fact, you could adapt the process in my Testing a Notarised Product post by adding:

Step 3.5 — Set the clock in the future.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

We are observing the same behavior as the OP. Our Developer ID Installer cert expires in a couple of weeks and we have run a number of "future" tests per the Testing a Notarised Product with addition of step 3.5 above (+ 1 month). On 10.15.3, 10.15.7, 11., 12. - none of our install packages are flagged by Gatekeeper even although they are xattr'd for quarantine.

Is this statement here For installer packages signed with a Developer ID Installer certificate correct? Can it be confirmed?

Thanks

—
sdunn

Add a Comment

Answer 3

Is this statement here For installer packages signed with a Developer ID Installer certificate correct?

It is not. This came up recently in another thread.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

Add a Comment

Expired Developer ID Installer and application certificates

Accepted Reply

Replies