For those wondering why this is a big deal: it means that every developer attempting to run a development version of an iPhone, iPad or macOS app cannot run their apps right now.
This is worse than GitHub being down, and Apple developers who pay $99 a year for the privilege of writing software on this ecosystem aren't even getting a status page update: https://developer.apple.com/system-status/
It's definitely not worse than GitHub being down...
Depends on your priorities. Many developers don't pay for GitHub access, and no one pays GitHub 15-30% of gross sales.
Can confirm. Spent over an hour trying to figure out why I couldn't build to devices just to get frustrated, browse to HN, and here we are.
I'm looking for a job shoveling pig shit as we speak.
What genuinely pisses me off is that this isn't noted on their status page, nor is it indicated at all when you, I dunno, revoke and generate certs repeatedly trying to solve a problem you didn't fucking cause.
Here was the developer thread https://developer.apple.com/forums/thread/818403 I found with lots of other reports of "Unable to Verify App - An internet connection is required to verify the trust of the developer".
Although https://developer.apple.com/system-status/ was green for most of the 3-4 hour outage, the page now at least acknowledges two minutes of downtime:
Not a great developer experience.
Enterprise apps distributed via MDM & signed using in-house distribution certificates are dead in the water too with the error message "Unable to Verify App" showing on start-up.
Apple's status page is showing no problems (all green).
This is a really bad look for Apple.
I'm getting invalid certificates from https://ppq.apple.com. I think that's probably the root cause?
Hilarious... their provisioning profile query server has an expired SSL certificate?
Are you serious Apple?
It doesn't look expired per se:
What I get is: net::ERR_CERT_AUTHORITY_INVALID
Has some undisclosed error.
Says cannot be trusted when validating via SSL checker
https://decoder.link/sslchecker/ppq.apple.com/443
SSL Error: Verify return code: 34 (unhandled critical extension)
OMG my app just got rejected because I didn't have the right screenshots to their liking... an app specifically made to remember stuff like this LOL the irony!
Invalid certs according to what? Quoth Claude Code:
OpenSSL can't validate the cert because it contains a critical extension it doesn't recognize — specifically 1.2.840.113635.100.6.27.3.2, which is an Apple-proprietary OID marked as critical. Per X.509 rules, if a client encounters an unrecognized critical extension, it must reject the cert.
That said, this is likely intentional on Apple's part — browsers and Apple's own TLS stack (SecureTransport/Network.framework) almost certainly know how to handle this extension. It's a private Apple CA (Apple Server Authentication CA) signing an Apple-internal service endpoint, so it's designed to work within Apple's ecosystem rather than with generic OpenSSL.
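In practice:
- Works fine in Apple clients (Safari, curl on macOS using the system TLS stack, iOS apps)
- Fails with raw OpenSSL or other non-Apple TLS implementations
- Not a misconfiguration — it's Apple intentionally using a proprietary critical extension on their private PKI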
That's fair. I've never attempted to reach this before so I can't compare and the explanation makes sense.
The intermittent 502s on the other hand are an issue.
And I was surprised why nothing worked, now I know. Read the comments here: the system is down hard.
Any other services down for anyone? I've had a credit service portal fail for hours today with a notice of server issues. As well as a credit union login with a similar message. These are all first times for me. Some big black cape / hat pressure testing?
[edit] And FreeUSATax portal. Solar cone today?
Finally WORKING!!
Confirmed! Damn that was annoying.
Why is everything green on the status page? Really really annoying.
The Apple status pages (both of them) are some of the worst of the big league offenders, perhaps second only to Microsoft.
Full disclosure, I operate a product that compares official outage acknowledgment to actual outage impact times. (Which I won't mention to avoid self-promotion.)
For this specific incident, I saw the alert come across my Slack at 19:02 UTC. We received over 100 reports of this outage before the official acknowledgement was posted by Apple on their status page at 21:37 UTC.
Shortly after their acknowledgment, the reports fizzled out and then Apple marked the incident as resolved about 20 minutes later.
The whole outage lasted about 4 hours from first report to last and wasn't acknowledged by Apple until 3.5 hours into it.
Updated that there was an outage on App Store Connect: https://developer.apple.com/system-status/
Edit: working now
Bro, I'm trying to sideload and every time I try to verify my app it doesn't let me. What is even going on? Like, I need my Spotify back. When will the certificates be back up? What else can I use to sideload?