How long are Apple certificates valid?

DSP, Plugin and Host development discussion.

Post

I got some questions:

1) How long are Apple certificates (code signing & installer signing) valid? Do they expire?

2) Do I also need to replace the certificate in the keychain when I renew the Apple developer subscription? Will I lose expiration time when I use the existing one, which still works?

3) When an installer has passed notarisation, how long will it remain valid? Will the installer fail Gatekeeper after some years?

4) Does renewing the Apple developer subscription extend the time during which a notarised installer passes Gatekeeper?

Thanks

Post

If you google for the expiration term of Apple Developer Certificates, it states "3 years". But that is for "Enterprise".

If the certificate is of type X509 (and why not, it's the industry standard) you can inspect it yourself with some simple lines of code. It does hold the expiration date as "not valid after". Any keystore management tool worth its salt should be able to print it out. But since you're a programmer, you can make such things yourself. You have the Gift of Creation ;-)

I'm sure you have read this: https://developer.apple.com/support/certificates/
There's some conflicting information:
developer.apple.com wrote: Developer ID Installer Certificate (Mac applications)
If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run however new installations won't be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
[...]
What happens to my applications signed with Developer ID if my Apple Developer Program membership expires?
If your membership expires, users can still download, install, and run your applications that are signed with Developer ID. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!
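Bert's suggestion above, reading "not valid after" straight out of the certificate, as an added example that is not from the thread: a minimal DER walker using only Python's standard library that pulls the validity window out of an X.509 certificate and checks whether a given moment lies outside it. It assumes DER input (Keychain Access exports a .cer in that format); the sample_cert helper builds a constructed, unsigned skeleton only so the code runs offline, and is not an Apple certificate.

```python
import datetime as dt
def _tlv(buf, pos):
    # decode one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der(tag, content):
    # encode one DER TLV; only used to build the constructed sample below
    n = len(content)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + content

def _decode_time(tag, value):
    # RFC 5280 Time: UTCTime (0x17, YYMMDDHHMMSSZ) through 2049, GeneralizedTime (0x18) from 2050
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def validity(cert_der):
    # walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) as UTC datetimes
    tbs = _tlv(_tlv(cert_der, 0)[1], 0)[1]
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0           # skip the optional [0] EXPLICIT version
    for _ in range(3):                        # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, val, _ = _tlv(tbs, pos)
    t1, nb, p = _tlv(val, 0)
    t2, na, _ = _tlv(val, p)
    return _decode_time(t1, nb), _decode_time(t2, na)

def is_expired(cert_der, now=None):
    # True when now (ISO 8601 string, default: current UTC time) lies outside the validity window
    now = dt.datetime.fromisoformat(now).replace(tzinfo=dt.timezone.utc) if now else dt.datetime.now(dt.timezone.utc)
    nb, na = validity(cert_der)
    return not (nb <= now <= na)

def sample_cert(not_before, not_after):
    # constructed, unsigned certificate skeleton (NOT a real Apple cert) with the given ISO validity
    def enc_time(s):                          # use the tag RFC 5280 requires for the year
        d = dt.datetime.fromisoformat(s)
        fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if d.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
        return _der(tag, d.strftime(fmt).encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))     # version v3
           + _der(0x02, b"\x01")               # serialNumber
           + _der(0x30, b"") + _der(0x30, b"") # signature AlgorithmIdentifier, issuer (placeholders)
           + _der(0x30, enc_time(not_before) + enc_time(not_after)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real certificate, read the DER bytes from the exported file and pass them to validity() or is_expired(); the helper only checks dates, it does not verify the signature or chain.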

Post

Thanks Bert.

So do I need to replace the certificate in the keychain when I renew the Apple developer subscription? Will I lose expiration time when I don't do this?

Post

Logically a certificate and a subscription are two different things.

Once a certificate is issued, it can expire by the passing of time, or it can be actively revoked by the issuing Certificate Authority. Usually this is only done in case the certificate itself got compromised (e.g. fell into the wrong hands).

Your Apple Developer subscription needs renewal each year. Since you can renew even after you failed to do so in time, I don't think your certificate gets revoked automatically when you did not renew the subscription.

I guess you're worried about the overlap period. Suppose you started subscription originally first of June. 11 months later you get an email: there's only 30 days left, renew now! And suppose you do that immediately, will you get the next renewal email next April already? Then in effect you have paid for only 11 months, not the full 12 months.

If that is indeed the case, then you have every reason to send your lawyers to Apple, because you are not getting what you paid for. And you would have seen other developers & companies complain about it. And according to their own info this should not happen:
developer.apple.com wrote: If your membership is still active when you renew, your new membership will activate as soon as your current membership expires
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!

Post

Sorry if I did not express myself clear enough:
Will I lose expiration time when I don't issue a new certificate and replace the existing one in the keychain?
I try to avoid messing around too much here as I have had bad experiences in the past.

Post

It's not about what's in your keychain. Nobody except you has access to that.

It's about the certificate used to sign your installer. Once that certificate has expired, the installer supposedly no longer works. You then need to re-sign it and upload to wherever your clients download it from.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!

Post

BertKoor wrote: Tue May 09, 2023 7:26 am I'm sure you have read this: https://developer.apple.com/support/certificates/
There's some conflicting information:
The first bit you quoted applies to the installer, the second to the application.
My audio programming blog: https://audiodev.blog

Post

https://developer.apple.com/support/developer-id/ says the Developer ID certificate (which is not the same as your regular development cert) is valid for 5 years.

Here's the full list of certificate types: https://developer.apple.com/help/accoun ... cate-types
My audio programming blog: https://audiodev.blog

Post

Thanks.
"Developer ID certificates are valid for 5 years from the date of creation".
If I understand it correctly, this means in practice that you should create new certificates each time before your Apple developer subscription ends. If you don't do this your installers might become invalid earlier than the 5 years.
?

Post

BertKoor wrote: Tue May 09, 2023 11:30 am Once that certificate has expired, the installer supposedly no longer works. You then need to re-sign it and upload to wherever your clients download it from.
Does that mean if a developer goes out of business and/or doesn't renew the cert then software sold by them before that time can no longer be installed/re-installed - i.e., the customer is SOL?
Markus Krause wrote: Tue May 09, 2023 1:21 pm "Developer ID certificates are valid for 5 years from the date of creation".
This was clear as mud from Apple. I understood it meant that a developer could sign new apps with that cert for 5 years from that date - not that the app signed WITH IT stopped working after 5 years from that date. What if the developer signs his new apps in the last month of that cert - and you bought it in December - can you not install it in January?

Post

Yes, Apple software apparently has a limited shelf life.
See https://developer.apple.com/support/certificates/

What exactly happens after expiry is up to the policy of the OS the user then runs. Perhaps there is an "Ignore" button. Who knows...

Currently:
If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!

Post

Currently:
If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate.

So all the dates are about the creation of software, not the end user? Useful.
They know they'll probably change the OS so drastically that nothing will install in 3 years' time anyway.

Post

I don't want to hijack this thread but I have a related question:

If you don't plan to sell your software via the AppStore, I assume there's no real need for certifications from Apple? macOS seems to say, when running the software for the first time, that it has been downloaded from the internet, etc. and would you like to run it or not? Then the user can choose to trust the software and then everything is fine again.

Post

Kraku wrote: Thu Jun 01, 2023 8:57 am Then the user can choose to trust the software and then everything is fine again.
For apps that are not signed in any way, the user is not given this option. They can only choose to cancel or move the app into the trashcan. Users need to give explicit permission in the Security settings panel to run this app. And for plug-ins that usually doesn't work very well.
My audio programming blog: https://audiodev.blog

Post

kerfuffle wrote: Thu Jun 01, 2023 10:12 am
Kraku wrote: Thu Jun 01, 2023 8:57 am Then the user can choose to trust the software and then everything is fine again.
For apps that are not signed in any way, the user is not given this option. They can only choose to cancel or move the app into the trashcan. Users need to give explicit permission in the Security settings panel to run this app. And for plug-ins that usually doesn't work very well.
Isn't the Security settings option always available for non signed applications? I'm not referring to plugins, but proper apps.
