Could the root certificate that came in response from App Store Server API not be 'AppleRootCA-G3'?

Currently, 'Get Transaction History', 'Get Transaction Info', 'Get All Subscription Statuses' and 'Notifications V2' are being used in the App Store Server API.

When I decoded the JWS received in response and checked the root certificate, it was always 'AppleRootCA-G3'.

Are there cases where the root certificate is not 'AppleRootCA-G3'?

Replies

Hello, our recommendation is to use all certs under the Root Certificates section of https://www.apple.com/certificateauthority, this is why when decoding and verifying with the App Store Server Library we accept an array of root certificates. Also, remember to check the appropriate OID values when verifying the certificates in the chain. The full process is described here https://developer.apple.com/videos/play/wwdc2023/10143?time=614

  • Last Process 'make sure the root certificate authority is one of the certificates you stored as an Apple Root Certificate Authority.' Can I just verify it with the SHA-256 thumbprint of the root certificate?

  • Presumably, in the Java version of the library, for example, we basically ignore the root cert in the chain provided in the JWS and directly validate against our root CAs as the trust anchors https://github.com/apple/app-store-server-library-java/blob/main/src/main/java/com/apple/itunes/storekit/verification/ChainVerifier.java

  • Thank you for your answer. I checked the link source, but when checking the certificate chain, except for the root certificate, I didn't see any direct checking of the root certificate. For the value of the 'performanceRevocationChecking' parameter, should I set the 'true' value if the root certificate of 'trustAnchors' includes 'Apple Inc. Root' and 'Apple Computer, Inc. Root'?
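The approach the replies above describe (ignore the root certificate carried in the x5c header, chain the leaf to the Apple root CAs you store as trust anchors, and check the marker OIDs on the intermediate and leaf), as an added Ruby example using only the standard openssl library; this is illustration code written for this thread, not the App Store Server Library's own implementation. The OID values are assumed rather than taken from the thread, and the certificate chain is constructed throwaway test data, not Apple's certificates.

```ruby
require "openssl"

# Assumed values (the thread does not list them): the marker OIDs Apple's library expects on the
# leaf and on the intermediate certificate of the x5c chain.
LEAF_OID  = "1.2.840.113635.100.6.11.1"
INTER_OID = "1.2.840.113635.100.6.2.1"

# Verify a JWS x5c array (leaf, intermediate, root as DER strings) against the Apple root CAs you
# store. The root carried in x5c is never trusted: the leaf must chain to one of the anchors.
def verify_chain(x5c, anchors, now = Time.now)
  raise "expected a chain of exactly 3 certificates" unless x5c.length == 3
  leaf, inter = x5c[0, 2].map { |der| OpenSSL::X509::Certificate.new(der) }
  [[leaf, LEAF_OID], [inter, INTER_OID]].each do |cert, oid|
    found = cert.extensions.any? { |e| OpenSSL::ASN1::ObjectId.new(e.oid).oid == oid }
    raise "#{cert.subject} lacks Apple marker OID #{oid}" unless found
  end
  store = OpenSSL::X509::Store.new
  store.time = now
  anchors.each { |a| store.add_cert(a) }
  raise "not issued under a stored Apple root CA: #{store.error_string}" unless store.verify(leaf, [inter])
  leaf
end

# Constructed test data: a throwaway chain shaped like Apple's (not Apple's real certificates).
def make_cert(cn, issuer = nil, issuer_key = nil, ca: false, oid: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1 + rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign" : "digitalSignature", true))
  cert.add_extension(OpenSSL::X509::Extension.new(oid, "\x05\x00")) if oid # DER NULL as payload
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Returns the x5c array (DER) plus the root to store as a trust anchor.
def build_demo_chain
  root, root_key = make_cert("Demo Root CA", ca: true)
  inter, inter_key = make_cert("Demo WWDR", root, root_key, ca: true, oid: INTER_OID)
  leaf, _leaf_key = make_cert("Demo Leaf", inter, inter_key, oid: LEAF_OID)
  [[leaf.to_der, inter.to_der, root.to_der], root]
end
```

Calling verify_chain(x5c, [root]) on the demo chain succeeds, while passing an unrelated root as the only anchor fails even though the x5c array still carries the matching root at index 2.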
