Software Update for system components on my home Mac Pro has not worked in a while, and I have had to resort to manually downloading and applying updates. The updates just wouldn’t appear in the Mac App Store app where they normally should.

After upgrading to Mavericks, I finally figured out why. Instead of silently ignoring the updates, Mavericks displays a not-so-helpful error message “NSURLErrorDomain Error -1012”. On inspecting network traffic from the App Store app, I noticed it connects using TLS 1.2 to swdist.apple.com, then aborts. It then hit me – in 2011, after Comodo was hacked, apparently by elements affiliated with the Iranian government, I revoked the trust setting on their root certificates. The certificate for swdist.apple.com is signed by Comodo, and thus Software Update could no longer establish a secure connection to Apple and that’s why it was failing.

This is not the only time a Certificate Authority was hacked. Dutch CA Diginotar, which included the Dutch government among its clients, suffered a breach, apparently also involving Iran. Microsoft, Mozilla, Google and Apple promptly revoked Diginotar’s root CA certificates, which quickly led to the company going out of business. I guess Comodo is larger (the EFF calls them “too big to fail”) and better politically connected (it helps when you have people like Phillip Hallam-Baker on the payroll), and managed to elude the same punishment it richly deserved.

Apple should really step up its game and ditch a security provider which demonstrated incompetence at its alleged core competency, and I filed Radar bug report 15328323 to urge them to do so. In the meantime, the way to fix the error message is to temporarily reinstate trust in the Comodo root CA.

Update (2015-10-29)

At some point in the last 2 years they switched from Comodo to Symantex (probably 2014-04-13 when the current certificate was issued). Unfortunately, Symantec has its own problems.