Expired certificate breaks macOS Logitech apps

https://arstechnica.com/gadgets/2026/01/expired-certificate-completely-breaks-macos-logitech-apps-user-customizations/

34•worik•16h ago

Comments

Neywiny•15h ago

The downside of ridiculously overcomplicating the task. Certificates for IPC? So if somebody runs a virus on the computer they can't tell that one program told the other that you want your RGB to be brighter?

simulator5g•15h ago

The point of certificates is that they prevent things like MITM attacks on updates that replace the legitimate app with a malicious version. They also prevent you from installing fake software if you know how to use them, e.g from a malicious ad that looked just like the real Logitech site. They're also requited for all mac app store apps, it's not really about the specific use case of the app.

Neywiny•14h ago

I'm not understanding the relevance to IPC. What do updates and the app store have to do with inter process communication?

danpalmer•14h ago

Or they can't write a piece of software that sees your keypresses in the background?

Neywiny•14h ago

Key loggers do not need to attack Logitech software to work, so I don't see the relevance

danpalmer•13h ago

Maybe? Maybe not? My point was that there are perfectly legitimate reasons to have tight security on software that deals with input devices. In the age of sandboxed software I wouldn't be surprised if you can't just get all key presses as non-interactive background software, or if you could get them by reading them from Logi Options.

basilikum•15h ago

They say on Reddit: https://old.reddit.com/r/logitech/comments/1q66q1l/just_real...

> There is no need for an online connection. There is some misunderstanding of what the certificate is. It has no online connection dependency. It is a developer certification that is extremely common on macOS apps. The cert only caused an issue because we let it expire. We now have strict processes in place to maintain the certification

The article also says that the expired certificate breaks auto updates. What kind of certificate is this exactly?

cweagans•15h ago

It's probably the dev cert for macOS.

heartbreak•15h ago

The code signing certificate for macOS apps.

spondyl•14h ago

This will be a standard Apple Developer code-signing certificate used in the signing and notarision process: https://support.apple.com/en-nz/guide/security/sec3ad8e6e53/...

Without a signature, Gatekeeper will throw up a dialog saying "This app could contain malware" or something to that effect.

If you're using other libraries, such as the Sparkle Framework (a popular macOS Objective-C(?) library for updater logic), I believe you have to sign those as well.

That said, the autoupdater may have technically been a second .app bundled within the main one and trying to launch it resulted in a failure to recognise the certificate.

As far as I understand, certain compilers such as Go are signed themselves and technically fiddle with created binaries in an above-board way that they pass Apple's requirements, otherwise you would have to explicitly allow them to run every time.

Having signed some open-source apps myself though, I didn't realise that certificates could retroactively expire. I haven't tried but I assumed that you would just be unable to sign new versions.

fingerlocks•10h ago

This is only applies to App Store published .app bundles. Does not apply to binaries you compile yourself or non-app binaries like cli tools

spondyl•10h ago

Just to be clear, you're saying that .app bundles (and CLI tools) distributed outside of the App Store (and CLI tools) will continue to operate once the expiration date of the signing certificate has passed?

fingerlocks•6h ago

No, sorry. That's not what I'm saying.

If you compile hello-world.c into a binary then it will have a placeholder (ad-hoc) signature that was signed by an "empty" key that can never expire. The Go compiler isn't doing anything special. By default all binaries are signed this way unless they were compiled with the explicit intention of App Store distribution.

And the above does not apply to .app bundles.

lapcat•3h ago

Yes of course apps will continue to operate after the signing cert expires, and this is documented by Apple in several places. It would be absolutely insane if apps stopped working, because all Developer ID signing certs expire after 5 years.

The valid dates for code signing certificates apply, naturally, to signing. You can't sign an app anymore with an expired certificate, but if an old app was signed with a cert that was valid at the time of signing, then the app will continue functioning forever.

This issue was just a dumb screwup by Logitech. If apps stopped functioning when the signing cert expired, you'd see Mac apps dying all the time.

fingerlocks•1h ago

This only applies to distribution certificate signed apps, not true in the general sense.

lapcat•1h ago

> not true in the general sense.

What does that even mean? What exactly are you saying is not true?

It's not at all helpful or informative to keep saying "does not apply," as if that meant anything by itself.

frizlab•15h ago

hoss1474489•15h ago

Always hated Logitech Options bloatware, why should the software drain my battery, phone home, and require screen recording permission just to emulate a keystroke when I push a button on the mouse?

I enjoyed my trip to Micro Center today to finally ditch Logitech after those buttons stopped working. Put up with Options for over a decade because at least it did the one thing I needed.

cweagans•15h ago

I love the hardware. Software sucks. When this broke today, I just downloaded SteerMouse and updated my license. Never going back to the Logitech software.

hoss1474489•15h ago

In my frustration I didn’t even think to look if there was a third party solution.

Looks like that would do the one thing I need, and I’m finding the grass to be just as brown with Razer Synapse is it is with LogiOptions.

freefaler•14h ago

Just install something like "Better touch tool" you'll get the functionality (and more) without the bloat.

coumbaya•9h ago

To be fair, it lack some functionality, like mapping a single modifier to a button

Constant real wages can hide a lot of pain

We Raised $15B. Why?

The Average American Spends $748 per Month to Finance a New Car

Inside the women's prison where violent male inmates have their way

Meta Announces Nuclear Energy Projects, Unlocking Up to 6.6 GW

Using AI is no longer optional

Trump Leaked This Morning's Payroll Numbers

Show HN: Interactive Maxwell's Demon

Meta lines up supply of nuclear power to energize AI data centers

Why is SendGrid emailing me about supporting ICE?

AirsSpec – Agentic Spec Driven Framework – Developed from Zero Code

How women are defying the Taliban's brutal crackdown on protest

Making Tools Developers Actually Use – Michiel Borkent [video]

Ask HN: Why is Claude Code so cheap?

My Blessed Setup for Public Bookmarks

Ask HN: How to stay relevant in the age of AI?

Google Guys Say Bye to California

Latest SteamOS Beta Now Includes Ntsync Kernel Driver

By 2030, 80% of Internet Traffic Will Be Agent-to-Service

Cloudspecs: Cloud Hardware Evolution Through the Looking Glass

Boston Dynamics and Google DeepMind partners on AI-powered Atlas robots

Ask HN: How do you handle the quantity of AI content in your feeds?

Research finds women use generative AI less, due to moral concerns

Show HN: I built a free platform for calculators, generators and quizzes

DHS Invokes Immigration Enforcement to Justify Gathering Americans' DNA

Show HN: BuildFix– Semantic feature-extraction transfer between TypeScript repos

Chemics – Python package for chemical engineering

Sodium-Ion Batteries Can Charge Faster Than Lithium-Ion Ones

Dyalog and AI // Stefan Kruger // DYNA Fall 2025 [video]

Show HN: CLIs Are All You Need for Agents