Which key to use to validate the Server-Side Notifications v2 JWTs?

I am looking at using the v2 in-app subscriptions server-side notifications. I have got this working by decoding and validating the token using the x5c and alg properties in the header.

However, I don't know how to validate that this certificate was issued by Apple. The docs don't really seem to say anything about this.

Does anyone know how I do this? At the moment, my code is a bit pointless as the JWT could have been signed by anyone.

The only other thing I can think of is to ignore the JWT altogether and just use the API to query every time which seems to defeat the object.


Replies

Please see this page with resources so you can verify its authenticity: https://www.apple.com/certificateauthority/

  • Thanks - that's helpful. I can see the G6 certificate that I think issued the one in the JWT (still working on that...).

    But I'm still pretty unclear about what I'm expected to do with this. I'm guessing I won't always get a JWT signed by G6. There were some PDFs linked from that page, but they all read like T&C's, and I'm not convinced that I am the target audience for them.

    I'm surprised that there doesn't seem to be anywhere that Apple spells out what it expects you to do to validate the token. The more complicated and ambiguous it is, the more chance that loads of insecure implementations are going to crop up across the cloud, which can't be good for anyone.

  • I'm working through this process myself. I've gotten as far as validating the certificate chain contained in the x5c header property, but am failing to validate the signature of the JWT using the public key extracted from the first certificate in that chain.

  • Hey there, thanks for sharing! I've faced the same issue implementing signature validation. How do you approach it?

I am trying to implement this and it is not working. I don't know which certificate(s) I am supposed to use, and I'm having a hard time believing that there isn't some page of documentation we're all missing that properly addresses the intended best practices here.

For example: https://developer.apple.com/documentation/sign_in_with_apple/fetch_apple_s_public_key_for_verifying_token_signature. Here it is much clearer what we are intended to do. I've actually implemented this and it works. I see other posts here and elsewhere on the internet on this same topic and in most cases, people aren't really sure what to do, and most of the answers are misunderstanding the basic issue. There are one or two who say they've gotten something working in Golang or something, but I wonder how reliable those solutions are.

  • Please provide better documentation on securing App Store server notifications (with the REST API this is less of an issue for obvious reasons)
  • Please provide a specific endpoint to fetch a public key for this, and document it clearly.
  • Please do not respond with a link to https://www.apple.com/certificateauthority/. That link is already available; I get the urge to save time by reusing an existing page as the solution for how to implement this new feature, but it's not helpful.

Thanks


As always, Apple gives no shit about how developers can do shit
