Hi all,
Background:
We have a Mac application that is distributed out of AppStore. The executables are signed by our Developer ID Application certificate, and the installation pkg is signed by Installer certificate. Both cert will expire by the end of April. We need to re-sign them with updated certificates.
The issue is how we can update Developer ID certificates without end-user interruption? I did browse and search over here and stackoverflow, and cannot find a spot-on answer.
Questions:
1. If Developer ID Installer Certificate expires, will end-user still be able to launch installer?
I understand that expired Developer ID Application Certificate has no impact on end-users. But I have different results between Apple document and my testing on Installer certficate. As per this page [https://developer.apple.com/support/certificates/], users can no longer launch installer packages for your Mac applications that were signed with an expired Installer certificate. Previously installed apps will continue to run however new installations will not be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. On the other hand, when I manually changed MacOS time to May, I was still able to install the pkg file without any warning (though the pkg’s certificate is marked as expired by clicking the lock icon at the top-right corner of installer window). The security settings only allows apps from app store and identified developers. I am little confused here.
2. My understanding is that revoking the current certificates is not an option, as it will break the existing package and executables. Is it possible to generate a new set of Developer ID certs with updated date before the current ones expire? Or we have to wait until they expire, then create new ones.
Any thoughts would be greatly appreciated.
Thanks!
Hello winterpgz,
1) I'm not sure if you can test that by changing the local time. That should be a moot point though. I can see no reason to rely on the behaviour of an expired certificate. That seems very risky.
2) You can't revoke a Developer ID certificate. Only Apple can do that and they will only do it if it was compromised or something. You need a valid, security reason to revoke. The good news is that you can have as many Developer ID certificates as you want. I learned this the hard way back when I tried some previous beta version of Xcode with my production account and it happily created a duplicate. I recommend that developers keep burner accounts for any and all beta activity. The only issue is that the expiring and new certificates are identical. At least, they were back when I had that problem.
Don't forget to make a backup.