Expired certificate breaks macOS Logitech apps

https://arstechnica.com/gadgets/2026/01/expired-certificate-completely-breaks-macos-logitech-apps-user-customizations/

34•worik•18h ago

Comments

Neywiny•17h ago

The downside of ridiculously overcomplicating the task. Certificates for IPC? So if somebody runs a virus on the computer they can't tell that one program told the other that you want your RGB to be brighter?

simulator5g•16h ago

The point of certificates is that they prevent things like MITM attacks on updates that replace the legitimate app with a malicious version. They also prevent you from installing fake software if you know how to use them, e.g from a malicious ad that looked just like the real Logitech site. They're also requited for all mac app store apps, it's not really about the specific use case of the app.

Neywiny•16h ago

I'm not understanding the relevance to IPC. What do updates and the app store have to do with inter process communication?

danpalmer•16h ago

Or they can't write a piece of software that sees your keypresses in the background?

Neywiny•16h ago

Key loggers do not need to attack Logitech software to work, so I don't see the relevance

danpalmer•15h ago

Maybe? Maybe not? My point was that there are perfectly legitimate reasons to have tight security on software that deals with input devices. In the age of sandboxed software I wouldn't be surprised if you can't just get all key presses as non-interactive background software, or if you could get them by reading them from Logi Options.

basilikum•17h ago

They say on Reddit: https://old.reddit.com/r/logitech/comments/1q66q1l/just_real...

> There is no need for an online connection. There is some misunderstanding of what the certificate is. It has no online connection dependency. It is a developer certification that is extremely common on macOS apps. The cert only caused an issue because we let it expire. We now have strict processes in place to maintain the certification

The article also says that the expired certificate breaks auto updates. What kind of certificate is this exactly?

cweagans•17h ago

It's probably the dev cert for macOS.

heartbreak•16h ago

The code signing certificate for macOS apps.

spondyl•16h ago

This will be a standard Apple Developer code-signing certificate used in the signing and notarision process: https://support.apple.com/en-nz/guide/security/sec3ad8e6e53/...

Without a signature, Gatekeeper will throw up a dialog saying "This app could contain malware" or something to that effect.

If you're using other libraries, such as the Sparkle Framework (a popular macOS Objective-C(?) library for updater logic), I believe you have to sign those as well.

That said, the autoupdater may have technically been a second .app bundled within the main one and trying to launch it resulted in a failure to recognise the certificate.

As far as I understand, certain compilers such as Go are signed themselves and technically fiddle with created binaries in an above-board way that they pass Apple's requirements, otherwise you would have to explicitly allow them to run every time.

Having signed some open-source apps myself though, I didn't realise that certificates could retroactively expire. I haven't tried but I assumed that you would just be unable to sign new versions.

fingerlocks•11h ago

This is only applies to App Store published .app bundles. Does not apply to binaries you compile yourself or non-app binaries like cli tools

spondyl•11h ago

Just to be clear, you're saying that .app bundles (and CLI tools) distributed outside of the App Store (and CLI tools) will continue to operate once the expiration date of the signing certificate has passed?

fingerlocks•8h ago

No, sorry. That's not what I'm saying.

If you compile hello-world.c into a binary then it will have a placeholder (ad-hoc) signature that was signed by an "empty" key that can never expire. The Go compiler isn't doing anything special. By default all binaries are signed this way unless they were compiled with the explicit intention of App Store distribution.

And the above does not apply to .app bundles.

lapcat•5h ago

Yes of course apps will continue to operate after the signing cert expires, and this is documented by Apple in several places. It would be absolutely insane if apps stopped working, because all Developer ID signing certs expire after 5 years.

The valid dates for code signing certificates apply, naturally, to signing. You can't sign an app anymore with an expired certificate, but if an old app was signed with a cert that was valid at the time of signing, then the app will continue functioning forever.

This issue was just a dumb screwup by Logitech. If apps stopped functioning when the signing cert expired, you'd see Mac apps dying all the time.

fingerlocks•3h ago

This only applies to distribution certificate signed apps, not true in the general sense.

lapcat•2h ago

> not true in the general sense.

What does that even mean? What exactly are you saying is not true?

It's not at all helpful or informative to keep saying "does not apply," as if that meant anything by itself.

fingerlocks•1m ago

[delayed]

frizlab•17h ago

hoss1474489•17h ago

Always hated Logitech Options bloatware, why should the software drain my battery, phone home, and require screen recording permission just to emulate a keystroke when I push a button on the mouse?

I enjoyed my trip to Micro Center today to finally ditch Logitech after those buttons stopped working. Put up with Options for over a decade because at least it did the one thing I needed.

cweagans•17h ago

I love the hardware. Software sucks. When this broke today, I just downloaded SteerMouse and updated my license. Never going back to the Logitech software.

hoss1474489•16h ago

In my frustration I didn’t even think to look if there was a third party solution.

Looks like that would do the one thing I need, and I’m finding the grass to be just as brown with Razer Synapse is it is with LogiOptions.

freefaler•15h ago

Just install something like "Better touch tool" you'll get the functionality (and more) without the bloat.

coumbaya•11h ago

To be fair, it lack some functionality, like mapping a single modifier to a button

Show HN: I made a memory game to teach you to play piano by ear

The Vietnam government has banned rooted phones from using any banking app

Why is SendGrid emailing me about supporting ICE?

London–Calcutta Bus Service

Mathematics for Computer Science (2018) [pdf]

Cloudspecs: Cloud Hardware Evolution Through the Looking Glass

Replit (YC W18) Is Hiring

When Kitty Litter Caused a Nuclear Catastrophe

Linux Runs on Raspberry Pi RP2350's Hazard3 RISC-V Cores (2024)

Show HN: Similarity = cosine(your_GitHub_stars, Karpathy) Client-side

How Will the Miracle Happen Today?

Kagi releases alpha version of Orion for Linux

How to Code Claude Code in 200 Lines of Code

Sorted string tables (SST) from first principles

Latest SteamOS Beta Now Includes Ntsync Kernel Driver

73% People Detained by ICE Have No Convictions

Developers Are Solving the Wrong Problem

Cloudflare CEO on the Italy Fines

Hacking a Casio F-91W digital watch (2023)

Sopro TTS: A 169M model with zero-shot voice cloning that runs on the CPU

Embassy: Modern embedded framework, using Rust and async

Bose has released API docs and opened the API for its EoL SoundTouch speakers

Richard D. James aka Aphex Twin speaks to Tatsuya Takahashi (2017)

What happened to WebAssembly

How Samba Was Written (2003)

The Jeff Dean Facts

AI coding assistants are getting worse?

The unreasonable effectiveness of the Fourier transform

Show HN: Executable Markdown files with Unix pipes

Photographing the hidden world of slime mould