Receipt Validation With SHA-256
Apple is updating the App Store receipt signing intermediate certificate with one that uses the SHA-256 algorithm in the sandbox, TestFlight, and App Store environments, on the dates shown below[…]
[…]
If your app verifies App Store receipts on the device, follow the instructions outlined in this document to ensure that your receipt validation code is compatible with this change.
[…]
If your app follows the instructions in Validating receipts on the device, the new certificate affects step 2, which involves verifying the certificate chain. Be sure your app uses the latest certificates from Apple PKI.
Previously:
Update (2023-06-26): Anders Borum:
Any developers that have successfully validated receipts in the sandbox using StoreKit1 methods after June 20?
The docs do not mention where to get the SHA256 value and ASN.1 Field Type 5 is 20 bytes and not the 32 bytes expected for SHA256.
Update (2024-11-04): Apple:
Starting January 24, 2025, if your app performs on-device receipt validation and doesn't support a SHA-256 algorithm, your app will fail to validate the receipt.
[…]
If your app performs on-device receipt validation, update your app to support certificates that use the SHA-256 algorithm; alternatively, use the AppTransaction and Transaction APIs to verify App Store transactions.
1 Comment RSS · Twitter · Mastodon
I find it difficult to verify that I handle this right after rewriting my code not to use exit(173) any more. I seem to need a clean macOS that has never seen the app before.
The problem is that I have trouble setting up a fresh VM for this test. Even using Sequoia as host and VM, I can use iClip but not the App Store and therefore TestFlight neither. Makes testing rather difficult, unless I install a fresh system on my Mac. Or dig up an older x86 Mac and run a VM on that.