"“Test Apple Root CA - G3” certificate is not trusted" when verifying renewal info

Question

Following the sample code from the session, I received errors when verifying the renewal info:

[Default] [StoreKit] Failed to verify certificate chain due to client recoverable failure:
Error Domain=NSOSStatusErrorDomain Code=-67843 "“Test Apple Root CA - G3” certificate is not trusted" UserInfo={NSLocalizedDescription=“Test Apple Root CA - G3” certificate is not trusted, NSUnderlyingError=0x2800835d0 {Error Domain=NSOSStatusErrorDomain Code=-67843 "Certificate 2 “Test Apple Root CA - G3” has errors: Root is not trusted;" UserInfo={NSLocalizedDescription=Certificate 2 “Test Apple Root CA - G3” has errors: Root is not trusted;}}}
[Default] [StoreKit] Failed to verify signature for subscription status, will assume invalid:
failedToVerifyCertificateChain

Here's the code I'm using for getting subscription status

@MainActor
func subscriptionStatus() async -> (Product, Product.SubscriptionInfo.Status)? {
  do {
    // This app has only one subscription group so products in the subscriptions
    // array all belong to the same group. The statuses returned by
    // `product.subscription.status` apply to the entire subscription group.
    guard let product = subscriptions.first,
       let statuses = try await product.subscription?.status else {
         return nil
       }
    var highestSubscriptionStatus: (product: Product, status: Product.SubscriptionInfo.Status)?
    for status in statuses {
      switch status.state {
      case .expired, .revoked:
        continue
      default:
        let renewalInfo = try checkVerified(status.renewalInfo)
        guard let newSubscription = subscriptions.first(where: { $0.id == renewalInfo.currentProductID }) else {
          continue
        }
        guard let currentProduct = highestSubscriptionStatus?.product else {
          highestSubscriptionStatus = (newSubscription, status)
          continue
        }
        let highestTier = tier(for: currentProduct.id)
        let newTier = tier(for: renewalInfo.currentProductID)
        if newTier > highestTier {
          highestSubscriptionStatus = (newSubscription, status)
        }
      }
    }
    return highestSubscriptionStatus
  } catch {
    print("Could not update subscription status \(error)")
    return nil
  }
}

I'm running this on a real device without the storekit configuration file. Is this a known issue or am I missing something to get this working?

Thanks

2.2k

Posted by

nosedive

Reply

FB9142670

—
nosedive

Add a Comment

Answer 1

This issue has been addressed. If you are still seeing this error while using StoreKit 2 and Sandbox, we recommend that you delete and reinstall your app. Please file a bug report with feedback assistant from the device running your app, if you continue to have issues.

Posted by

Frameworks Engineer

Add a Comment

Answer 2

Thank you for filing the feedback, we will look into this. Does this behavior reproduce regularly, or did you just notice it this one time?

Posted by

Frameworks Engineer

Add a Comment

Answer 3

We looked into this issue some more and have an update:

This will impact all users testing StoreKit 2 in the sandbox environment at the moment. That is, Product.SubscriptionInfo.RenewalInfo and Transaction will always result as VerificationResult.unverified(_:). In the meantime, if you want to test successfully verified transaction and renewal information, you can use StoreKit Testing in Xcode which will not be impacted by this issue.

Posted by

Frameworks Engineer

Add a Comment

Answer 4

I'm seeing the same thing here! Works fine with Xcode testing, just not in TestFlight/Sandbox.

Posted by

ryannn

Add a Comment

Answer 5

Since sandbox purchases do not pass validation, they can not be finalized either. This makes it impossible to test the rest of the purchase flow.

I am wondering if Apple can provide updates on this. Should we expect the sandbox transactions to pass validation once iOS15 is officially released?

Posted by

gokcekinay

You should still call finish() on any transaction in which you grant content to the user, regardless of the case of the VerificationResult. Whether you grant content to the user for unverified(_:_:) transactions is up to your business model.

—
Frameworks Engineer
That makes sense. Thanks! I was not expecting the .unverified enum case to also contain the decoded transaction.

—
gokcekinay

Add a Comment

Answer 6

I'm also seeing this issue so just +1ing the issue.

Also curious if there is a technical reason why promotional offers are not signed/validated automatically by StoreKit2 the same way purchases can now be signed by the framework itself? Thanks

Posted by

robert-nyt

Promotional offers signatures are meant to be generated off-device, via a secure connection to a server you control. This is so the App Store can validate the app's developer intended to apply the promotional offer. StoreKit can not provide a secure API to create signatures for promotional offers because the developer does not necessarily have control over the device which the app is running on.

See Implementing Promotional Offers in Your App for more information.

—
Frameworks Engineer

Add a Comment

Answer 7

Hi so we already have a release candidate, the whole time I test it with StoreKit testing but now we are testing before release and still get Failed to verify the signature for Transaction, will assume invalid Is there something that I'm missing or does the in-App purchase have to be approved on Appstore Connect?

Posted by

WeddMate

Add a Comment

Answer 8

This issue has been addressed. If you are still seeing this error while using StoreKit 2 and Sandbox, we recommend that you delete and reinstall your app. Please file a bug report with feedback assistant from the device running your app, if you continue to have issues.

Posted by

Frameworks Engineer

Add a Comment

"“Test Apple Root CA - G3” certificate is not trusted" when verifying renewal info

Apple Recommended

Replies