I was surprised today when I launched PDFpenPro 8.3.1 to work on a PDF and it crashed instantly, well before the app had a chance to load. PDFpenPro blew out on my MacBook Air as well, which struck me as odd — both it and my iMac had been running macOS 10.12.3 Sierra for some time, and the app had worked correctly on both Macs recently.
Luckily, my first guess at a solution worked: all I did was download the new PDFpenPro 8.3.2 manually. Replacing the old version with the new one restored PDFpenPro to full working order.
Shortly afterward, all PDFpen and PDFpenPro users received email from Smile that apologized for the inconvenience, explained the problem briefly, and gave the same solution.
For more details, I contacted Smile’s Greg Scown, whose expansion of the email’s explanation shows just how involved the modern Apple development world has become. Greg said that the reason PDFpen crashed — even before it actually launched — was because Smile’s developer signing certificate from Apple had expired. Code signing is a way of assuring users that an app comes from a known source and hasn’t been modified since it was last signed — it’s a way to prevent bad guys from attaching malware to legitimate apps.
In the past, the expiration of a code signing certificate had no effect on already shipped software. PDFpen 6.3.2, which Smile still makes available for customers using OS X 10.7 Lion, 10.8 Mountain Lion, and 10.9 Mavericks, is signed with a certificate that expired long ago, and it has no trouble launching.
What’s new with PDFpen 8 is that, in addition to being code signed, it has a provisioning profile, which is essentially a permission slip from Apple that’s checked against an online database in order to allow the app to perform certain actions, called entitlements. For PDFpen, the entitlement that’s being granted is the capability to access iCloud despite being sold directly, rather than through the Mac App Store, a feature that wasn’t possible until about a year ago.
Since PDFpen’s provisioning profile is also signed using Smile’s code signing certificate, the expiration of the certificate rendered the provisioning profile invalid. An app called taskgated-helper determines this even before PDFpen’s code runs, so there’s no way for Smile to detect the error condition and present an error to the user. Since the developer’s code never runs, macOS should recognize what’s going on and display an error message that encourages users to contact the developer.
The problem appears to be unique to apps that have provisioning profiles and are sold outside the Mac App Store. Since Smile’s certificate was good for only a year, it’s likely that other direct-purchase apps with iCloud entitlements will run into this problem soon too. As with PDFpen, downloading a new version with a current certificate should resolve the issue. Since the initial publication of this article, we’ve learned that both 1Password and Soulver have fallen victim to this problem.
Apple renewed Smile’s code signing certificate for five years, so if other developers receive a similarly long renewal, that will allow Apple to put off solving the problem within macOS.
Note that Mac App Store apps should be immune from this sort of problem since they’re signed by Apple when distributed instead of the developer. If Apple failed to keep its certificates current, vast numbers of Mac App Store apps would crash, so Apple needs to stay on top of renewing its certificates. Back in 2015, Apple did, in fact, have a certificate renewal that caused numerous Mac App Store apps to fail to launch, reporting that they were “damaged.” That problem was a little different, but it shows that even Apple doesn’t necessarily anticipate how everything fits together.