Hacker News
Apple developer intermediate certificates are expiring Feb 14, 2016 (developer.apple.com)
61 points by gdeglin on Dec 24, 2015 | 15 comments


"Mac App Store customers running OS X Snow Leopard (v10.6.8) will be unable to purchase new apps or run previously purchased apps that utilize receipt validation until they install the OS X Snow Leopard update which will be available via OS X Software Update this January."

Note that Mac OS 10.6.8 is the most recent OS version for the Intel Core Duo Macs. Those are the first MacBook (early 2006), the first 2 MacBook Pros (January 2006, May 2006), two Mac Minis (February 2006, September 2006), and two iMacs (January 2006, July 2006).

It also affects people who keep Snow Leopard 10.6.8 for sentimental reasons. Apparently 1 in 5 Macs use Snow Leopard. Not being able to receive new app updates could be troublesome.

http://www.computerworld.com/article/2487996/malware-vulnera...


> Apparently 1 in 5 Macs use Snow Leopard.

According to an article that's almost two years old. I doubt that number is so high today.


I don't think this is an issue. The article mentions that there will be a new update for Snow Leopard in January, which will resolve the problem before the certificates expire.


Huh, so I guess those Macs are, to some extent, not end of life?


I've got an old PowerBook running 10.6.8 .. I won't upgrade, but instead will just install Linux on it. It's no longer worth the hassle of keeping up with Apple on these kinds of issues - better to just switch to an OS/environment where these kinds of fixes can be better maintained and won't result in apps being killed from my life.


How did you get 10.6 running on a PowerBook? Afaik, 10.5 was the end of line for PPC Macs.

I do have a PPC Mac too, but with Nvidia graphics, so Linux is not a solution for me :(.


Ah, that should've been MacBook Pro, sorry about that confusion ..


I noticed this new certificate Apple issued is still using SHA-1 as its signature algorithm. I wonder why Apple didn't make the jump to SHA-2 based signatures.


They recently added support for SHA-256 (both full digest and truncated to 160 bits) hashes in their codesign system. I haven't seen it on iOS yet and suspect that it is only for OS X at the moment.


Also, a 3GS at least has HW acceleration for AES, SHA-1, and some sort of RSA bignum acceleration. Not sure what the new HW has but I suspect backwards compatibility may be a reason for holding SHA-1++ back on iOS.


IIRC, because last time they tried using SHA-2, it broke a lot of OS X apps that were using an embedded older version of OpenSSL that didn't support it.


Can someone confirm that the intermediate certificate is actually expiring on February 14, or just that it won't be accepted after that date? The linked article just says the certificate is "expiring soon" and that developers will have to start signing with the new certificate before February 15. It's a nitpick, but I'm curious.


Why do certificates need to expire? It causes a lot of trouble for everyone.


As Admiral Piett said, "It's an older code, sir, but it checks out."

Without expiry dates on certificates, we're stuck with trusting whatever we've issued forever. Lists of revoked certificates would grow forever, and work even worse than they do today. At least now, we can stop worrying about ancient certificates after they're expired.

Having certs expire and be reissued also ensures there's a continual path to upgrade to newer certificates: I suspect you'd have a much harder time retiring SHA-1 certificates if nobody had any regular-interval incentive to replace their certs.


Revoking certificates is a hard problem (how do you know if the CRL is blocked by an attacker, or just down right now?), so instead we rely somewhat on the certs expiring after a while so that they'll eventually get replaced. It also offers some mitigation against certs being stolen without you realising, as they have a limited lifetime.

It's the same theory with passports, credit cards etc.
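
The reasoning in the last two comments (expiry as a backstop when a revocation check fails open, and revocation lists that can shed expired entries), sketched as an added example that is not part of the thread. `Cert`, `validate`, `prune_crl` and all sample data are hypothetical and constructed; this is a simplified model, not a real X.509 validator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:                       # simplified model, not a real X.509 parser
    serial: int
    not_after: datetime

class CRLUnavailable(Exception):
    """The revocation list could not be fetched (outage or an attacker blocking it)."""

def validate(cert, now, fetch_crl, hard_fail=False):
    """Return (accepted, reason). Expiry is checked locally, so it cannot be blocked."""
    if now > cert.not_after:
        return False, "expired"
    try:
        revoked = fetch_crl()
    except CRLUnavailable:
        # Soft-fail: the client cannot tell an outage from an attack, so it accepts.
        return (False, "crl-unavailable") if hard_fail else (True, "revocation-unchecked")
    if cert.serial in revoked:
        return False, "revoked"
    return True, "ok"

def prune_crl(revoked, issued, now):
    """Drop revoked serials whose certificates have expired: they fail on date alone."""
    return {s for s in revoked if issued[s].not_after >= now}

# Constructed sample data: one stolen (revoked) certificate and one long-expired one.
T0 = datetime(2016, 1, 1)
STOLEN = Cert(serial=1001, not_after=T0 + timedelta(days=365))
OLD = Cert(serial=7, not_after=T0 - timedelta(days=900))
ISSUED = {c.serial: c for c in (STOLEN, OLD)}
REVOKED = {1001, 7}
DURING = T0 + timedelta(days=30)    # inside STOLEN's validity period
AFTER = T0 + timedelta(days=366)    # one day past STOLEN's not_after

def crl_ok():
    return REVOKED

def crl_blocked():
    raise CRLUnavailable()

if __name__ == "__main__":
    for label, when in [("during validity", DURING), ("after expiry", AFTER)]:
        print(label, "| CRL reachable:", validate(STOLEN, when, crl_ok))
        print(label, "| CRL blocked:  ", validate(STOLEN, when, crl_blocked))
    print("pruned CRL:", prune_crl(REVOKED, ISSUED, T0))
```

With the CRL blocked, the revoked certificate is accepted under soft-fail only until its `not_after` date; after that the local expiry check rejects it regardless of revocation data.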



