Monday, May 29, 2023

Receipt Validation With SHA-256

TN3138:

Apple is updating the App Store receipt signing intermediate certificate with one that uses the SHA-256 algorithm in the sandbox, TestFlight, and App Store environments, on the dates shown below[…]

[…]

If your app verifies App Store receipts on the device, follow the instructions outlined in this document to ensure that your receipt validation code is compatible with this change.

[…]

If your app follows the instructions in Validating receipts on the device, the new certificate affects step 2, which involves verifying the certificate chain. Be sure your app uses the latest certificates from Apple PKI.

Previously:

Update (2023-06-26): Anders Borum:

Any developers that have successfully validated receipts in the sandbox using StoreKit1 methods after June 20?

The docs do not mention where to get the SHA256 value and ASN.1 Field Type 5 is 20 bytes and not the 32 bytes expected for SHA256.

Update (2024-11-04): Apple:

Starting January 24, 2025, if your app performs on-device receipt validation and doesn't support a SHA-256 algorithm, your app will fail to validate the receipt.

[…]

If your app performs on-device receipt validation, update your app to support certificates that use the SHA-256 algorithm; alternatively, use the AppTransaction and Transaction APIs to verify App Store transactions.

Comments RSS · Twitter · Mastodon

Leave a Comment