Apple recently invalidated thousands of signing certificates owing to a major SSL bug. Here’s all you need to know about it and more.
SSL Certificate issue results in thousands of certificates being invalidated
On March 3, 2019, Apple determined that it had been issuing TLS Server and S/MIME certificates with non-compliant serial numbers.
According to an Apple representative, Apple first became aware of the issue while reviewing an updated version of the CA (Certificate Authority) software used for issuing SSL certificates.
Since the issue was detected, more than 878,000 certificates have been identified as affected, of which Apple has already invalidated 355,000.
As a result, newly generated Mobile Provisioning files omit the application-identifier and keychain-access-groups entitlement entries.
The bug only affects tools that generate a new provisioning profile each time they build or sign an app.
Which tools and certificates are affected?
Since both Xcode and Cydia Impactor rely on provisioning profiles, they can no longer build or sign apps using a free or paid developer certificate. The Xcode simulator, on the other hand, continues to work as expected.
Apple users are not alone, however. Google, GoDaddy, Instagram, and Facebook (which is why it went down for maintenance yesterday) users are affected as well.
Surprisingly, this bug doesn’t seem to affect enterprise-grade certificates.
This explains how users are still able to utilize signing services like Panda Helper that distribute jailbreak tools and hacked apps signed with an enterprise certificate.
When will Apple patch this bug?
Apple has stopped issuing signing certificates with non-compliant serial numbers and intends to roll out a patch soon.
Though some users have reported success with various Xcode tweaks, there is no single solution that works for everyone.
If you own a jailbroken device, there’s a pretty straightforward workaround to this bug.
Just install the ReProvision signing tool, which works with both free and paid certificates. However, it only works for apps or IPA files that were installed yesterday or earlier.
The Cydia Impactor signing utility will remain out of action for the time being. Thankfully, Saurik is aware of the issue and will push a patch, if one is needed, once the dust settles.