As the director of IT at Small Dog, I manage a lot of accounts. It’s not feasible to remember each of the passwords and logins, so I use a piece of software called 1Password. There are iOS, macOS and Windows versions of the app and it can be added as an extension or add-on into most modern browsers.

On Monday this week, I needed to edit one of the records in my 1Password. I usually have the mini app running in my toolbar, but I noticed it wasn’t there. So I tried to launch it from my apps folder. It did a bunch of thinking, but ultimately failed to launch. I tried to launch the mini app myself. This also failed. I rebooted my machine. No luck.

As it turns out, 1Password had fallen victim to a change in Apple’s policy on developer signing certificates. When you create an app to run on iOS or macOS, Apple allows you to sign the app cryptographically. This signature allows the operating system to verify that the app is authentic and hasn’t been modified maliciously before it runs on your device. Apps purchased from the App Store are “pre-approved” by Apple, so there’s no need to verify them before running, but apps downloaded from the internet generally don’t have that pre-approval. That’s where the developer signing comes into play. You’ve probably encountered this before when macOS pops up a warning saying that the app cannot be launched because it comes from an unknown source. This system, built into all versions of macOS, is called “Gatekeeper”. It can be bypassed, but it’s always best to let it do its job so that you know software running on your device won’t do anything malicious.

This is what happened with 1Password. Previously, when an app was signed with a developer certificate, it was good to go…indefinitely, even if the developer certificate expired. Apple made a change to this policy, though. Apps also have something else called a provisioning profile. The provisioning profile is basically a list of things that the app has been approved to do. Common examples include accessing iCloud data, sending push notifications, or reading photos and contact data, among many others. These profiles are also signed by the developer certificate, and unlike the app, when the certificate expires, the profile is no longer valid. Depending on how the app works, this could mean it would fail to launch entirely, as was the case with 1Password. The certificate that was used to sign the provisioning profile for 1Password expired over this past weekend. The 1Password team was unaware of the change under which provisioning profiles could expire.
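
For developers or admins who want to catch this kind of lapse before users do, here is a sketch of reading a provisioning profile's expiration date and flagging it ahead of time. It is an added example, not code from 1Password or Apple; the sample profile bytes and the function names are constructed for illustration, and the script does not verify the profile's signature or the validity dates of the certificates embedded in it.

```python
import plistlib
from datetime import datetime, timedelta, timezone

def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a provisioning profile.

    Heuristic: the profile is a signed (CMS) container whose plist payload
    is stored in the clear, so it can be sliced out by its markers.
    This does NOT verify the signature on the container.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_status(blob: bytes, now: datetime, warn_days: int = 30) -> str:
    """Return 'expired', 'expiring' or 'ok' for the profile at `now` (naive UTC)."""
    profile = extract_profile_plist(blob)
    if "ExpirationDate" not in profile:
        raise ValueError("profile has no ExpirationDate key")
    expires = profile["ExpirationDate"]  # plistlib yields a naive UTC datetime
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(days=warn_days):
        return "expiring"
    return "ok"

# Constructed sample: placeholder wrapper bytes around a minimal plist.
# The name and date are made up and do not describe any real app.
SAMPLE_PROFILE = (
    b"\x30\x82\x1d\x0f\x06\x09"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Mac App Profile</string>
    <key>ExpirationDate</key><date>2030-01-15T12:00:00Z</date>
</dict>
</plist>"""
    + b"\x31\x82\x01\x00"
)

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    print("sample profile status:", profile_status(SAMPLE_PROFILE, now))
```

On a Mac, the profile for an app downloaded outside the App Store normally sits inside the app bundle at `Contents/embedded.provisionprofile`, and `security cms -D -i <file>` decodes it properly rather than relying on the byte-slicing heuristic used here.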

Fortunately, the fix is pretty simple if you’re using 1Password. Just go to their site and re-download the application. This will contain the newly signed provisioning profile and the app will be able to launch correctly. While all of this might seem like an unnecessary headache, these policies and procedures help to ensure that no malicious software runs on your devices. They help to keep your iCloud and other personal data safe from apps that could exploit that information. So even when there are hiccups like this, ultimately it’s all about keeping you safe.