How do I verify the root certificate?

We are currently managing four root certificates. I checked the ChainVerifier class code in the 'App Store Server Library'. I checked that the root certificate was excluded when I called the CertPathValidator.validate method. So the root certificate is not falsified? Is it okay if I don't even check my fingerprints?

Replies

Could you please provide some more information about what your question is and the issues you are seeing?

  • When validating the certificate chain, it was verified that the root certificate was removed. Is it safe not to verify the root certificate?

  • There are two steps to validating a signed JWS format object.

    One, verify the leaf certificate is from Apple, and two, verify the JWS is signed by that leaf certificate. For the first piece, you generally don't verify the root certificate, as you already have the root certificate, so there is nothing to verify; it is simply part of the process to determine that the signing/leaf certificate is from Apple and valid for its purpose.
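
The trust model described in this answer, as an added example that is not part of the original thread or of the App Store Server Library: the locally stored root enters validation only as the trust anchor, and the root copy carried in the token's `x5c` header is never consulted. It is written in Go so the test chains can be constructed inline; `newChain`, `verifyX5c`, the Ed25519 keys and the subject names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newChain builds a constructed root -> intermediate -> leaf chain, returned leaf first (x5c order).
func newChain() (chain []*x509.Certificate) {
	var prevKey ed25519.PrivateKey
	for i, cn := range []string{"Example Root CA", "Example Intermediate CA", "Example Leaf"} {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			IsCA: i < 2, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
		parent, signer := t, key // the root is self-signed
		if i > 0 {
			parent, signer = chain[0], prevKey
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		cert, _ := x509.ParseCertificate(der)
		chain, prevKey = append([]*x509.Certificate{cert}, chain...), key
	}
	return chain
}

// verifyX5c validates leaf x5c[0] via intermediate x5c[1] against the locally pinned root only.
func verifyX5c(x5c []*x509.Certificate, pinned *x509.Certificate) error {
	if len(x5c) != 3 {
		return fmt.Errorf("x5c: want 3 certificates, got %d", len(x5c))
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinned) // trust anchor from local storage; x5c[2] is never read
	inters.AddCert(x5c[1])
	_, err := x5c[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	good, evil := newChain(), newChain() // same subject names, unrelated keys
	fmt.Println("forged root in x5c[2] only:", verifyX5c([]*x509.Certificate{good[0], good[1], evil[2]}, good[2]))
	fmt.Println("fully forged chain:", verifyX5c(evil, good[2]))
}
```

The first call returns no error even though `x5c[2]` is forged, because that entry plays no part in the decision; the second fails because no signature path reaches the pinned root's key.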
