Fixing (and Explaining) PDFpen 8.3.1’s Crash on Launch
I was surprised today when I launched PDFpenPro 8.3.1 to work on a PDF and it crashed instantly, well before the app had a chance to load. PDFpenPro blew out on my MacBook Air as well, which struck me as odd — both it and my iMac had been running macOS 10.12.3 Sierra for some time, and the app had worked correctly on both Macs recently.
Luckily, my first guess at a solution worked: all I did was download the new PDFpenPro 8.3.2 manually. Replacing the old version with the new one restored PDFpenPro to full working order.
Shortly afterward, all PDFpen and PDFpenPro users received email from Smile that apologized for the inconvenience, explained the problem briefly, and gave the same solution.
For more details, I contacted Smile’s Greg Scown, whose expansion of the email’s explanation shows just how involved the modern Apple development world has become. Greg said that the reason PDFpen crashed — even before it actually launched — was because Smile’s developer signing certificate from Apple had expired. Code signing is a way of assuring users that an app comes from a known source and hasn’t been modified since it was last signed — it’s a way to prevent bad guys from attaching malware to legitimate apps.
In the past, the expiration of a code signing certificate had no effect on already shipped software. PDFpen 6.3.2, which Smile still makes available for customers using OS X 10.7 Lion, 10.8 Mountain Lion, and 10.9 Mavericks, is signed with a certificate that expired long ago, and it has no trouble launching.
What’s new with PDFpen 8 is that, in addition to being code signed, it has a provisioning profile, which is essentially a permission slip from Apple that’s checked against an online database in order to allow the app to perform certain actions, called entitlements. For PDFpen, the entitlement that’s being granted is the capability to access iCloud despite being sold directly, rather than through the Mac App Store, a feature that wasn’t possible until about a year ago.
Since PDFpen’s provisioning profile is also signed using Smile’s code signing certificate, the expiration of the certificate rendered the provisioning profile invalid. An app called taskgated-helper determines this even before PDFpen’s code runs, so there’s no way for Smile to detect the error condition and present an error to the user. Since the developer’s code never runs, macOS should recognize what’s going on and display an error message that encourages users to contact the developer.
The problem appears to be unique to apps that have provisioning profiles and are sold outside the Mac App Store. Since Smile’s certificate was good for only a year, it’s likely that other direct-purchase apps with iCloud entitlements will run into this problem soon too. As with PDFpen, downloading a new version with a current certificate should resolve the issue. Since the initial publication of this article, we’ve learned that both 1Password and Soulver have fallen victim to this problem.
Apple renewed Smile’s code signing certificate for five years, so if other developers receive a similarly long renewal, that will allow Apple to put off solving the problem within macOS.
Note that Mac App Store apps should be immune from this sort of problem since they’re signed by Apple when distributed instead of the developer. If Apple failed to keep its certificates current, vast numbers of Mac App Store apps would crash, so Apple needs to stay on top of renewing its certificates. Back in 2015, Apple did, in fact, have a certificate renewal that caused numerous Mac App Store apps to fail to launch, reporting that they were “damaged.” That problem was a little different, but it shows that even Apple doesn’t necessarily anticipate how everything fits together.
Thanks, Adam. Interesting stuff. The old days were a lot simpler.
Thanks for that. I had no idea. Because Smile never actually sent me an email about it!
Glad this was helpful! Getting email through reliably is tricky these days — it could easily have been filtered as possible spam before it got t you. :-(
Am I right that problem wouldn't exist if app didn't contain provisioning profile? Is expired Developer ID certificate alone not a source of the problem?
Yes, I believe the provisioning profile for a direct-sale app is a necessary part of the problem.
Michael Tsai had some good points about this issue:
http://mjtsai.com/blog/2017/02/18/fixing-and-explaining-pdfpen-8-3-1s-crash-on-launch/
We also had the same issue happen to 1Password. We published a few details here:
https://blog.agilebits.com/2017/02/19/1password-for-mac-6-5-5-manual-update-required/
We'll also have a more technical follow up post in the next week or two.
It's certainly been a very interesting weekend for a lot of developers! :)
++dave;
Sorry to hear you got bit by it too!
.
I'm glad I saw this here (regarding 1Password. I'm not sure why this is showing up as a reply to my own message). 6.5.3 is still running for me as of 7:58PM Pacific on 19 Feb. I'm downloading the 6.5.5 update now.
Are you sending a notice to users?
Same thing happened with Soulver
I had a problem a couple of days ago with 1Password (purchased directly from the company). Couldn't figure out what was wrong, it just wouldn't run. I thought I may have lost my whole password vault. Interestingly I solved the problem in just the way you described, downloading an update to the app. Thanks for letting me know I'm not totally out-to-lunch.
I've encountered this issue with 1Password, and solved it with a download of a new version.
I had no idea of the nuts and bolts of the problem until I received an e-mail from AgileBits explaining the certificate nightmare. From a security perspective, all is nice - users and developers are protected in some way. Apple is enforcing that the software is legitimate, and this is good.
Looking it from another perspective though, how frustrating it will be for users of unmaintened software when a certificate expires? As a matter of fact, if a piece software is coming from outside the App Store, the certificate enforcement may means you will lose access to your data - at least until you upgrade to a version with the new certificate. If there is not an updated version - well - you are out of luck. I am not aware on any way to circumvent gatekeeper from user side.
Cases like this push users to the App Store, as well as developers. Is it good for the user or the developers? Not so sure.