Starting around October 12, 2025 at 19:51 UTC, we're seeing intermittent failures when verifying StoreKit transaction JWTs. The issue appears to be related to certificate expiration in the x5c chain in the JWT tokens provided by Apple.
What We're Seeing
Some JWTs are being signed with different certificates. Some work, some fail certificate validation.
Old Certificate (Expired - causing failures):
Subject: Prod ECC Mac App Store and iTunes Store Receipt Signing
Issuer: Apple Worldwide Developer Relations Certification Authority (G6)
Serial: 166451396673336810269824643773700992094
Valid From: 2023-09-12 19:51:53 UTC
Valid To: 2025-10-11 19:51:52 UTC ❌ EXPIRED
New Certificate (Valid - working):
Subject: Prod ECC Mac App Store and iTunes Store Receipt Signing
Issuer: Apple Worldwide Developer Relations Certification Authority (G6)
Serial: 95385247725814954943813376527885434295
Valid From: 2025-09-19 19:44:51 UTC
Valid To: 2027-10-13 17:47:23 UTC ✓ VALID
Current Status
Most JWTs use the new valid certificate. Some JWTs still use the expired certificate. This appears inconsistent/random. I don't know if it's an issue with some of Apple's servers, or an issue with StoreKit on-device cache, but seems to me like a bug on Apple's side either way.
Are we missing something? Is this a known issue?
Any guidance or timeline from Apple would be greatly appreciated, as this is blocking legitimate paying users.