App Attest

Validate the integrity of your app before your server provides access to sensitive data.

Posts under App Attest tag

96 Posts

Post | Replies | Boosts | Views | Activity

serverUnavailable (DCError / com.apple.devicecheck.error 4) - backend problems?
Hello, for some reason all implemented (and working before) App Attestation code stopped working. iOS is unable to get an attestation, returning com.apple.devicecheck.error error 4 (serverUnavailable). On https://developer.apple.com/system-status/ I can see a green dot, but I suspect that the infrastructure is not OK. Can anyone confirm these problems or know whether it is strictly connected to App Attest service availability? I just don't want to look for a problem in code for hours when it can lie in a 3rd party...
Replies: 5 | Boosts: 3 | Views: 2.4k | Activity: Jul ’23
Debugging API JWT authorization problems - any suggestions?
Dear All, I have working code that talks to the App Attest receipt refresh API using JWT authorization. I'm now trying to talk to the App Store Connect API, and I'm trying to use essentially the same code for the JWT generation - but it doesn't work. It's frustrating that the API just returns a non-specific 401 "Not Authorized" response, without giving any further clue about what's wrong. I am creating a JWT as follows for App Store Connect; yes I'm aware that the required fields are slightly different for the two APIs:

header = {"alg":"ES256","kid":"12345YZSX8","typ":"JWT"}
payload = {"iss":"1234567-1234-1234-1234-123456789012","iat":1687379230,"exp":1687379530,"aud":"appstoreconnect-v1"}

Using the resulting encoded token, with my own code or with curl, fails with a 401 error:

Status: 401
{
  "errors": [{
    "status": "401",
    "code": "NOT_AUTHORIZED",
    "title": "Authentication credentials are missing or invalid.",
    "detail": "Provide a properly configured and signed bearer token, and make sure that it has not expired. Learn more about Generating Tokens for API Requests https://developer.apple.com/go/?id=api-generating-tokens"
  }]
}

Doing essentially the same thing, with the slightly different JSON fields and a different .p8 key file, does work with the App Attest API - so I'm probably not creating complete garbage. I've wasted hours on this now. Does anyone have any debugging hints?
Replies: 1 | Boosts: 0 | Views: 1.6k | Activity: Jun ’23
Does DeviceCheck and App Attest with Firebase's AppCheck detect Jailbroken devices?
I'm trying to prevent my App from running on jailbroken devices. For React Native apps, there is Firebase App Check, which integrates with App Attest and DeviceCheck. I wonder, is App Attest with DeviceCheck able to detect that my App is running on a jailbroken device? I see other posts about jailbreaking on this forum, but they are mostly (or perhaps all of them) older than DeviceCheck. Which is why I'm repeating the question but asking specifically about DeviceCheck and App Attest.
Replies: 0 | Boosts: 2 | Views: 1.2k | Activity: Jun ’23
AppAttest - Invalid appUUID
Hi! I'm generating assertions using DCAppAttestService.shared.generateAssertion. It has been running for almost one and a half years and has the following issue. Approx. 6% of our users trying to generate assertions have issues, and according to our analytics about half of them have an invalid_input error during the assertion process. I've managed to reproduce this issue on a test device and noticed a weird scenario:

(first app run)
The AppAttest key is generated and attested at Apple's side successfully.
Key Identifier persisted.
Attestation object verification on backend and public key extraction is ok.
Unlimited number of assertions can be generated this time.

(second app run)
Key Identifier persisted on previous app run is read and passed to DCAppAttestService.shared.generateAssertion.
Invalid input error received.
Regeneration of key and attestation works fine.

So it looks like there is a kind of state in the assertion process - it works well after key generation on first run, but fails with invalid_input on second run. As the invalid_input error cannot say much about the issue, I've swizzled some methods of DCAppAttestService (https://developer.limneos.net/index.php?ios=15.2.1&framework=DeviceCheck.framework&header=DCAppAttestService.h) - _rewrapAsDCError, _loadAppUUID, _saveAppUUID. Swizzling implementation attached (swizzling.swift). As the swizzling logs show - when invalid_input is raised, a strange error is printed (Error Domain=com.apple.appattest.error Code=-2 "Invalid appUUID" UserInfo={NSLocalizedDescription=Invalid appUUID}). What can be the issue? In another app this behaviour isn't reproducible, but they share a similar dependency with App Attest - wrapping logic. I've filed bug report no. FB12205670. Thanks.

Logs:

ok case:
key generation:
swizzleLoadAppID
swizzleSaveAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
swizzleRewrap
key attestation: (key_id: "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=")
swizzleLoadAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
swizzleRewrap
key assertion: (input key_id = "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=" clientDataHash = "zUwl\/jiunewwd1ofhEOmgNGWM+oD7LmUGe6Te5Iv9pc=")
swizzleLoadAppID EDA165DC-0781-4891-A16D-0979FC4FEB84
swizzleRewrap

issue case (DCError.invalid_input):
key assertion: (input key_id = "XzTjW3V7944\/ljQ2C8LTpqug0t0gslVyhdWGUCnJXfY=" clientDataHash = "F8o5i+8PsZ5cTuyjlZoMe+kcbTG0\/R8Vw6tmjPlzlLc=")
swizzleLoadAppID
swizzleRewrap Error Domain=com.apple.appattest.error Code=-2 "Invalid appUUID" UserInfo={NSLocalizedDescription=Invalid appUUID}

Swizzling logic:

import DeviceCheck
import ObjectiveC

extension DCAppAttestService {
    // Once the implementations are exchanged, each call to the swizzle* method
    // inside its own body runs the original private implementation.
    @objc func swizzleRewrap(obj: NSObject) -> NSObject {
        let returnValue = swizzleRewrap(obj: obj)
        print("swizzleRewrap \(obj)")
        return returnValue
    }

    @objc func swizzleLoadAppID() -> NSObject {
        let returnValue = swizzleLoadAppID()
        print("swizzleLoadAppID \(returnValue.debugDescription)")
        return returnValue
    }

    @objc func swizzleSaveAppID(app_id: NSObject) {
        swizzleSaveAppID(app_id: app_id)
        print("swizzleSaveAppID \(app_id)")
    }

    // Installs the three logging hooks; call once before using the service.
    static func makeSwizzling() {
        let sel = NSSelectorFromString("_rewrapAsDCError:")
        DCAppAttestService.swizzleInstanceMethod(sel, #selector(DCAppAttestService.swizzleRewrap(obj:)))
        let sel1 = NSSelectorFromString("_loadAppUUID")
        DCAppAttestService.swizzleInstanceMethod(sel1, #selector(DCAppAttestService.swizzleLoadAppID))
        let sel2 = NSSelectorFromString("_saveAppUUID:")
        DCAppAttestService.swizzleInstanceMethod(sel2, #selector(DCAppAttestService.swizzleSaveAppID(app_id:)))
    }
}

public extension NSObjectProtocol {
    // Exchanges two instance-method implementations if both selectors resolve.
    static func swizzleInstanceMethod(_ origin: Selector, _ replace: Selector) {
        let origin = class_getInstanceMethod(self, origin)
        let replace = class_getInstanceMethod(self, replace)
        if let origin = origin, let replace = replace {
            method_exchangeImplementations(origin, replace)
        }
    }
}
Replies: 0 | Boosts: 0 | Views: 1.2k | Activity: May ’23
How does Apple certify the keys and queries of an application using App Attest?
Hello, I've already made a previous similar post but it's getting a bit old so I'm re-launching it. I am currently developing an iOS application using AppCheck with AppAttest. I have read Apple's documentation on AppAttest to understand how it works. However, there is a part I didn't understand. When the public key is to be shared, Apple will create a certificate to attest that this public key belongs to an official instance of my application. Here is what it says about this verification on the official website: How does the Apple server identify that the key comes from an official instance of my application? I can also rephrase my question as follows: How does the Apple server detect an unofficial instance of my application if the data it receives for this check comes from it directly (I assume and I am probably wrong) and can therefore be falsified? Is this a secret process to which I cannot have access? This answer would also suit me. Thanks for your attention!
Replies: 5 | Boosts: 0 | Views: 3.6k | Activity: Feb ’23
Apple App Store rejection due to: Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing (using iOS 14 Advertising Support package)
Hello, I'm trying to submit my game to the app store, but I get rejected with the message: The package I use is iOS 14 Advertising Support package: I use the sample scene from the package with little adjustments:

[ContextScreenManager.cs]

using UnityEngine;
using System;
using System.Collections.Generic;
#if UNITY_IOS
using UnityEngine.iOS;
#endif
using System.Collections;
using UnityEngine.SceneManagement;
using Unity.Advertisement.IosSupport.Components;

namespace Unity.Advertisement.IosSupport.Samples
{
    /// <summary>
    /// This component will trigger the context screen to appear when the scene starts,
    /// if the user hasn't already responded to the iOS tracking dialog.
    /// </summary>
    public class ContextScreenManager : MonoBehaviour
    {
        /// <summary>
        /// The prefab that will be instantiated by this component.
        /// The prefab has to have an ContextScreenView component on its root GameObject.
        /// </summary>
        public ContextScreenView contextScreenPrefab;

        void Start()
        {
#if UNITY_IOS
            Debug.Log("IOS detected");
            // check with iOS to see if the user has accepted or declined tracking
            var status = ATTrackingStatusBinding.GetAuthorizationTrackingStatus();
            Version currentVersion = new Version(Device.systemVersion);
            Version ios14 = new Version("14.5");

            if (status == ATTrackingStatusBinding.AuthorizationTrackingStatus.NOT_DETERMINED && currentVersion >= ios14)
            {
                var contextScreen = Instantiate(contextScreenPrefab).GetComponent<ContextScreenView>();

                // after the Continue button is pressed, and the tracking request
                // has been sent, automatically destroy the popup to conserve memory
                contextScreen.sentTrackingAuthorizationRequest += () => Destroy(contextScreen.gameObject);
            }
#else
            Debug.Log("Unity iOS Support: App Tracking Transparency status not checked, because the platform is not iOS.");
#endif
            StartCoroutine(LoadNextScene());
        }

        private IEnumerator LoadNextScene()
        {
#if UNITY_IOS
            var status = ATTrackingStatusBinding.GetAuthorizationTrackingStatus();

            // wait until the user has answered the tracking dialog
            while (status == ATTrackingStatusBinding.AuthorizationTrackingStatus.NOT_DETERMINED)
            {
                status = ATTrackingStatusBinding.GetAuthorizationTrackingStatus();
                yield return null;
            }
#endif
            SceneManager.LoadScene(1);
            yield return null;
        }
    }
}

and [ContextScreenView.cs]

using System;
using UnityEngine;

namespace Unity.Advertisement.IosSupport.Components
{
    /// <summary>
    /// This component controls an iOS App Tracking Transparency context screen.
    /// You should only have one of these in your app.
    /// </summary>
    public sealed class ContextScreenView : MonoBehaviour
    {
        /// <summary>
        /// This event will be invoked after the ContinueButton is clicked
        /// and after the tracking authorization request has been sent.
        /// It's a good idea to subscribe to this event so you can destroy
        /// this GameObject to free up memory after it's no longer needed.
        /// Once the tracking authorization request has been sent, there's no
        /// need for this popup again until the app is uninstalled and reinstalled.
        /// </summary>
        public event Action sentTrackingAuthorizationRequest;

        public void RequestAuthorizationTracking()
        {
#if UNITY_IOS
            Debug.Log("Unity iOS Support: Requesting iOS App Tracking Transparency native dialog.");

            ATTrackingStatusBinding.RequestAuthorizationTracking(AuthorizationTrackingReceived);

            sentTrackingAuthorizationRequest?.Invoke();
#else
            Debug.LogWarning("Unity iOS Support: Tried to request iOS App Tracking Transparency native dialog, " +
                             "but the current platform is not iOS.");
#endif
        }

        private void AuthorizationTrackingReceived(int status)
        {
            Debug.LogFormat("Tracking status received: {0}", status);
        }
    }
}

Why do I get rejected? Is it because I display the example screens from the package? Anyone had similar problems? Glad for any help, thanks!
Replies: 2 | Boosts: 0 | Views: 2.8k | Activity: Dec ’22
Unable to test ACME payload
Hello All, We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>ClientIdentifier</key>
      <string>123123123123123123123</string>
      <key>ExtendedKeyUsage</key>
      <array>
        <string>1.3.6.1.5.5.7.3.2</string>
      </array>
      <key>HardwareBound</key>
      <true/>
      <key>KeySize</key>
      <integer>384</integer>
      <key>KeyType</key>
      <string>ECSECPrimeRandom</string>
      <key>KeyUsage</key>
      <integer>5</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.test</string>
      <key>PayloadType</key>
      <string>com.apple.security.acme</string>
      <key>PayloadUUID</key>
      <string>sdf-feec-4171-878d-34e576bbb813</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Subject</key>
      <array>
        <array>
          <array>
            <string>C</string>
            <string>US</string>
          </array>
        </array>
        <array>
          <array>
            <string>O</string>
            <string>Example Inc.</string>
          </array>
        </array>
        <array>
          <array>
            <string>CN</string>
            <string>test</string>
          </array>
        </array>
      </array>
      <key>SubjectAltName</key>
      <dict>
        <key>dNSName</key>
        <string>site.example.com</string>
      </dict>
      <key>DirectoryURL</key>
      <string>https://ca.attestation.dev/acme/acme/directory</string>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>ACME</string>
  <key>PayloadIdentifier</key>
  <string>com.example.test</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

We get the below errors from the ACME server:

order status is "pending", not yet "valid"
order status is "ready", not yet "valid"

Any insights on what we are doing wrong could be helpful. Thanks in advance.
Replies: 5 | Boosts: 0 | Views: 2.1k | Activity: Oct ’22
DCAppAttestService generateAssertion invalidInput
Hi! Sometimes when calling DCAppAttestService.shared.generateAssertion(key.id, clientDataHash: hash) I'm getting DCError.Code.invalidInput. I am formatting clientDataHash using SHA256.hash - so it is always 32 bytes long. As I found out - this error depends on the hash that I pass to the generateAssertion method. But I could not find any system - which hashes are good and which are not. Keys are always correct, otherwise an invalidKey error would be raised. What can cause the issue? I'm testing on iPhone 11, iOS 15.2.1
Replies: 2 | Boosts: 0 | Views: 2.2k | Activity: Sep ’22
How to verify App certificate at runtime?
Hi All, I am asking for a solution to protect my application from being stolen by re-compiling the source or something like that. Is there any way to verify the Developer certificate or Profile to make sure that the App is installed from the correct Developer account? I saw that we can receive some useful information from embedded.mobileprovision. However, it looks like this file does not exist when we install the app from the App Store.
Replies: 4 | Boosts: 1 | Views: 2.7k | Activity: Aug ’22
App Attest receipt update server returning 404 response
I have an App Attest server implementation which is generally functioning well. From time to time, however, I get receipts which do not refresh when I send them to Apple's server; I get a 404 response. The docs (https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk?language=objc - "Understanding HTTP Response Codes") say this means "No data available for the supplied receipt". Once a receipt is in this state it seems "stuck" i.e. it will never return a new receipt. I have seen this for both the development and production environments. Does anyone know what this means, and what I should do?
Replies: 2 | Boosts: 3 | Views: 1.8k | Activity: Jun ’22
Integrity
If I delete an integrity in my settings on my phone, can I re-verify the integrity? I have tried to re-get the app and try to verify it again, but it just won’t pop up to where I can verify the integrity again.
Replies: 0 | Boosts: 0 | Views: 766 | Activity: May ’22
App attest api returns "DCErrorServerUnavailable 4" serverUnavailable error
Hello, the App Attestation API "attest key" stopped working; it returns the "DCErrorServerUnavailable 4" error all the time, but it is working fine when we install the build from TestFlight.
Replies: 0 | Boosts: 1 | Views: 718 | Activity: Jul ’23
Error from app attest servers currently
I've been getting 500 error responses from the https://data.appattest.apple.com/v1/attestationData server for the last few hours. About half of requests complete OK and half fail. Anyone else seeing this?
Replies: 4 | Boosts: 0 | Views: 1.4k | Activity: Jun ’23
Running AppAttest on the simulator
Hello. When running the app with AppAttest on the simulator, I get false when executing DCAppAttestService.shared.isSupported. How can I get approval and test the framework locally? Is it possible?
Replies: 0 | Boosts: 3 | Views: 1.1k | Activity: Jun ’23
Working with Secure Enclave
I am using DCAppAttestService for attestation, need to perform crypto operations using the private key generated during attestation.
Replies: 0 | Boosts: 0 | Views: 893 | Activity: Apr ’23
Enterprise App - This app cannot be installed because its integrity cannot be verified
Unable To Install 'app'. This app cannot be installed because its integrity cannot be verified. I released an enterprise app for my organization. The app worked well, but suddenly the app would not open. When I reinstall and open it, this error shows.
Replies: 3 | Boosts: 1 | Views: 3.4k | Activity: Feb ’23
Managed Device Attestation for macOS
Can the new ACME payload work on macOS 13 seed builds as well? Is there anything that stops an ACME payload for macOS? This will be an awesome support for Macs in the enterprises with DEP/MDM.
Replies: 3 | Boosts: 0 | Views: 1.6k | Activity: Dec ’22
Unable to test ACME payload
Hello All, We are looking to implement the ACME protocol for our organization PKI and as of now, we are trying out the demo ACME server hosted here. So far, we had a minor piece of luck in getting it to work properly twice, but after that, it errors out every time. This is the payload we are using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ClientIdentifier</key>
            <string>123123123123123123123</string>
            <key>ExtendedKeyUsage</key>
            <array>
                <string>1.3.6.1.5.5.7.3.2</string>
            </array>
            <key>HardwareBound</key>
            <true/>
            <key>KeySize</key>
            <integer>384</integer>
            <key>KeyType</key>
            <string>ECSECPrimeRandom</string>
            <key>KeyUsage</key>
            <integer>5</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.test</string>
            <key>PayloadType</key>
            <string>com.apple.security.acme</string>
            <key>PayloadUUID</key>
            <string>sdf-feec-4171-878d-34e576bbb813</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>C</string>
                        <string>US</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>O</string>
                        <string>Example Inc.</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>test</string>
                    </array>
                </array>
            </array>
            <key>SubjectAltName</key>
            <dict>
                <key>dNSName</key>
                <string>site.example.com</string>
            </dict>
            <key>DirectoryURL</key>
            <string>https://ca.attestation.dev/acme/acme/directory</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>ACME</string>
    <key>PayloadIdentifier</key>
    <string>com.example.test</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>ce876f81-abf0-46f9-9e68-9b3a7ede8097</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

We get the below errors from the ACME server:

order status is "pending", not yet "valid"
order status is "ready", not yet "valid"

Any insights on what we are doing wrong could be helpful. Thanks in advance.
Replies
5
Boosts
0
Views
2.1k
Activity
Oct ’22
App Attest counter value reset to 0
Hi, I am new to iOS development and currently studying App Attest functionality. Can someone confirm why the counter value would be 0 during attestation validation on the server side? And also, can this value be reset to 0 at any point in time? Do we need to do code signoff as well for using App Attest?
Replies
1
Boosts
0
Views
1.9k
Activity
Sep ’22
DCAppAttestService generateAssertion invalidInput
Hi! Sometimes when calling DCAppAttestService.shared.generateAssertion(key.id, clientDataHash: hash) I'm getting DCError.Code.invalidInput. I am formatting clientDataHash using SHA256.hash - so it is always 32 bytes long. As I found out - this error depends on the hash that I pass to the generateAssertion method. But I could not find any system - which hashes are good and which are not. Keys are always correct, otherwise an invalidKey error would be raised. What can cause the issue? I'm testing on iPhone 11, iOS 15.2.1
Replies
2
Boosts
0
Views
2.2k
Activity
Sep ’22
Can I upload a new build with an older version to the App Store?
My app is available on the App Store. I need to release an update but with an older version. Is this possible? Please guide me.
Replies
2
Boosts
0
Views
4.6k
Activity
Aug ’22
How to verify App certificate at runtime?
Hi All, I am asking for a solution to protect my application from being stolen by re-compiling the source or something like that. Is there any way to verify the Developer certificate or Profile to make sure that the App is installed from the correct Developer account? I saw that we can receive some useful information from embedded.mobileprovision. However, it looks like this file does not exist when we install the app from the App Store.
Replies
4
Boosts
1
Views
2.7k
Activity
Aug ’22
App Attest receipt update server returning 404 response
I have an App Attest server implementation which is generally functioning well. From time to time, however, I get receipts which do not refresh when I send them to Apple's server; I get a 404 response. The docs (https://developer.apple.com/documentation/devicecheck/assessing_fraud_risk?language=objc - "Understanding HTTP Response Codes") say this means "No data available for the supplied receipt". Once a receipt is in this state it seems "stuck" i.e. it will never return a new receipt. I have seen this for both the development and production environments. Does anyone know what this means, and what I should do?
Replies
2
Boosts
3
Views
1.8k
Activity
Jun ’22
Integrity
If I delete an integrity in my settings on my phone, can I re-verify the integrity? I have tried to re-get the app and try to verify it again, but it just won’t pop up to where I can verify the integrity again.
Replies
0
Boosts
0
Views
766
Activity
May ’22
Timeout for attestKey(_:clientDataHash:completionHandler:)
Hi, Is there a default timeout for the attestKey method? From doc: If the method’s completion handler returns the serverUnavailable error — typically due to network connectivity issues — it means that the framework failed to reach the App Attest service to complete the attestation Br, Johan
Replies
0
Boosts
0
Views
861
Activity
May ’22