Apple Worldwide Developer Relations Intermediate Certificate Expiration
To help protect customers and developers, we require that all third party apps, passes for Apple Wallet, Safari Extensions, Safari Push Notifications, and App Store purchase receipts are signed by a trusted certificate authority. The Apple Worldwide Developer Relations Certificate Authority issues the certificates you use to sign your software for Apple devices, allowing our systems to confirm that your software is delivered to users as intended and has not been modified.
The previous Apple Worldwide Developer Relations Certification Intermediate Certificate expired on February 14, 2016 and the renewed certificate must now be used when signing Apple Wallet Passes, push packages for Safari Push Notifications, Safari Extensions, and submissions to the App Store, Mac App Store, and App Store for Apple TV.
All developers should download and install the renewed certificate on their development systems and servers. All apps will remain available on the App Store for iOS, Mac, and Apple TV.
Since different methods can be used for validating receipts and delivering remote notifications, we recommend that you test your services to ensure no implementation-specific issues exist. Your apps may experience receipt verification failure if the receipt checking code makes incorrect assumptions about the certificate. Make sure that your code adheres to the Receipt Validation Programming Guide and resolve all receipt validation issues.
Who needs to take action?
Developers who provide passes for Apple Wallet, deliver Safari Push Notifications, create Safari Extensions or submit apps to the App Store, Mac App Store, or App Store for Apple TV need to download the renewed certificate, and take the following action:
Apple Wallet Passes
Update your pass signing server to replace the expired certificate with the renewed certificate by February 14, 2016. After this date, apps that generate passes for Apple Wallet will not be able to install new passes until the server has been updated.
You can verify your receipt validation code is compatible with the renewed certificate in the test and production environments. The Mac App Store Update for OS X Snow Leopard is available via OS X Software Update.
Install the renewed certificate to build your extensions after February 14, 2016. If your certificate is not available in Safari Extension Builder, update your signing system to OS X El Capitan v10.11.4 beta in order to build updates to your extension. All existing Safari Extensions will continue to run as expected.
Safari Push Notifications
Update your notification package signing server to include your web push certificate and the renewed intermediate certificate by February 14, 2016. After this date, new users will not be able to sign up for push notifications from your website until your server has been updated. If you were using the openssl_pkcs7_sign function to sign your push package with only your web push certificate, you should pass the path to the renewed intermediate for the extra certificates parameter.
App Store Submissions
All submissions to the App Store, Mac App Store, and App Store for Apple TV after February 14, 2016 must utilize the renewed certificate. New app submissions compiled with the expired intermediate will be returned to the developer.
Xcode unable to create distribution builds for App Store submissions or Enterprise apps.
This issue occurs when the expired WWDR Intermediate certificate is present in both the System keychain and Login keychain within the Keychain Access application. To resolve the issue, first download and install the renewed certificate. Next, in the Keychain Access application, select the System keychain. Select 'Show Expired Certificates' in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate. Your certificates should now appear as valid in Keychain Access and be available to Xcode. This issue is resolved in OS X El Capitan v10.11.4 beta.
Mac App Store purchases failing to launch.
In some scenarios, an app purchased from the Mac App Store that utilizes receipt validation may fail to launch (exiting with a 173 error code) since it considers a local receipt that includes the expired WWDR Intermediate certificate invalid. OS X regards the receipt as valid when the updated WWDR Intermediate is present on your system and therefore does not request an updated receipt for the application.
To resolve this issue, delete the renewed, non-expired WWDR Intermediate certificate from your System and/or Login keychain within the Keychain Access application. After re-launching the application, you will be prompted for your Mac App Store login credentials in order to obtain a new receipt for the application. After you have launched your application and obtained a valid receipt, you can re-install the renewed certificate to continue your development. This issue will be fixed in a forthcoming update to OS X El Capitan.
Safari Extension Builder unable to locate Safari Extension signing certificate.
When building updates to your extension with Safari Extension Builder in Safari 9.0.3 or earlier, you will encounter an issue where Safari Extension Builder fails to recognize your Safari Extension signing certificate. If your certificate is not available in Safari Extension Builder, update your signing system to OS X El Capitan v10.11.4 beta or install Safari 9.1 for OS X Yosemite and Mavericks beta in order to build updates to your extension.
Do I need to regenerate any of my certificates?
No. Your existing certificates will work with both the expiring and the renewed intermediate certificate.
Do I need to recompile or resubmit any of my apps, passes or Safari Extensions?
No. You do not need to recompile or resubmit your currently deployed apps, passes or Safari Extensions. They will continue to run as expected. Keep in mind that all submissions to the App Store and updates to passes and extensions made after February 14, 2016 must use the renewed certificate.
How will customers be affected by the certificate renewal?
Customers who have purchased and installed iOS apps, tvOS apps, or Safari Extensions will not be affected by the certificate renewal. Users running OS X El Capitan (v10.11 or v10.11.1) may receive a notification that your Mac app is damaged if it utilizes receipt validation to request a new receipt from Apple. They can resolve this issue by restarting their Mac or updating to OS X El Capitan (v10.11.2) or later.
Mac App Store customers running OS X Snow Leopard (v10.6.8) will be unable to purchase new apps or run previously purchased apps that utilize receipt validation until they install the Mac App Store Update for OS X Snow Leopard which is available via OS X Software Update.
Will my apps in development continue working?
Yes. The development versions of your apps will continue to run until the provisioning profile used to compile them expires or you revoke your signing certificate.
Will my in-house enterprise iOS apps continue working?
Yes. All in-house enterprise iOS apps that you have deployed will continue to run as expected until the provisioning profile used to compile them expires or you revoke your signing certificate.
When will the renewed certificate expire?
The renewed Apple Worldwide Developer Relations Certification Intermediate Certificate will expire on February 7, 2023.