IdeasOnCanvas / AppReceiptValidator

Parse and validate App Store receipt files
https://mindnode.com/opensource
Apache License 2.0

[Resolved] January 2025: Upcoming Changes to the App Store Receipt Signing Intermediate Certificate #104

Open yellow8-vom opened 1 week ago

yellow8-vom commented 1 week ago

From Apple:

As part of ongoing efforts to improve security and privacy on Apple platforms, the App Store receipt signing intermediate certificate is being updated to use the SHA-256 cryptographic algorithm. This certificate is used to sign App Store receipts, which are the proof of purchase for apps and In-App Purchases.
This update is being completed in multiple phases and some existing apps on the App Store may be impacted by the next update, depending on how they verify receipts.
Starting January 24, 2025, if your app performs on-device receipt validation and doesn't support a SHA-256 algorithm, your app will fail to validate the receipt. If your app prevents customers from accessing the app or premium content when receipt validation fails, your customers may lose access to their content.
If your app performs on-device receipt validation, update your app to support certificates that use the SHA-256 algorithm; alternatively, use the AppTransaction and Transaction APIs to verify App Store transactions.

For more details, view TN3138: Handling App Store receipt signing certificate change.

Will we be safe if using AppReceiptValidator?

Thanks a lot!

hannesoid commented 1 week ago

It looks like this is the last step of the multi-step rollout described in https://developer.apple.com/documentation/technotes/tn3138-handling-app-store-receipt-signing-certificate-changes

We haven't had problems in the first two steps of the rollout, so I'd be optimistic that the last step will be ok.

That said, Apple is pushing quite hard to use the StoreKit2 Transactions API, and that's the long-term way to go for the future.