SymmetricInfinity / push_package

A gem for creating Safari push notification push packages.
symmetricinfinity.com/push_package
MIT License

Doesn't work with the new Apple intermediate certificates #22

Closed mohamedhafez closed 1 year ago

mohamedhafez commented 2 years ago

Hi, whenever I use this gem to create a push package using the old AppleWWDRCA.cer intermediate certs, everything works fine, but if I use the new AppleWWDRCAG3.cer intermediate certs, I always get {"logs":["Signature verification of push package failed"]} error (delivered via webhook) when a user tries to subscribe.

adamvduke commented 2 years ago

Unfortunately I don't currently have time to look into this. The code for this gem is fairly small. If you identify/fix the issue, I'm happy to merge pull requests and release a new version.

mohamedhafez commented 2 years ago

Taking a look at the code, I can't see anything in this gem that would cause it not to work with the new AppleWWDRCAG3.cer intermediate cert. Perhaps there is something about that new cert file that Ruby doesn't handle correctly? Or maybe it's an issue on Apple's end and Safari's push package downloader doesn't recognize the new intermediate cert yet? I'm stumped; the issue is still occurring as of today.

EDIT: I just tried to generate the push package using this PHP script based on the PHP script Apple provides in their Configuring Safari Push Notifications Guide. Again, it works just fine with the old intermediate cert, but I get {"logs":["Signature verification of push package failed"]} if I use the new intermediate cert...

mohamedhafez commented 2 years ago

Ok so I noticed that the latest version of the 'Companion File' Apple provides in their Configuring Safari Push Notifications Guide (here in a gist for convenience) DOES NOT try to sign with any intermediate certificate! I tried this out, and everything works perfectly...

Perhaps the certificates that we download from the Apple developer portal already contain the intermediate certs now, and we no longer need to include them, and perhaps including them just adds duplicate signatures that mess things up or something? Or perhaps Apple removed the requirement that they be signed with an intermediate cert at all? I'm unfortunately not versed enough in extracting information from certificates & signatures to answer those questions for myself, but perhaps if we removed the intermediate certificate signing from the Ruby library it would work here too, if anyone comes across this and can't use the Apple PHP script and wants to take a crack at it.

mohamedhafez commented 2 years ago

Ok! So it turns out that if we leave off the intermediate cert, this library still works as well! Before closing the issue though, I'd like to verify that this is an ok solution, since the Apple guide explicitly says we have to sign with the intermediate cert...

adamvduke commented 2 years ago

Thanks for digging into this. I suspect the certificate that Apple is providing for you to sign with includes the intermediate. If they are in PEM format, you might be able to determine if that's the case by looking for distinct `BEGIN CERTIFICATE` and `END CERTIFICATE` sections or something similar. If there are multiple certificates in a single file, you can verify their contents by copying them into individual files and running something like `openssl x509 -in /path/to/file.pem -text -noout`

mohamedhafez commented 2 years ago

I converted the Certificates.p12 I got from Apple into a .pem, and there is only one `BEGIN CERTIFICATE ... END CERTIFICATE` block. Also, when I inspect the number of signatures generated using the code from the test suite, `OpenSSL::PKCS7.new(signature).certificates().size`, if I don't include the intermediate certificate it returns 1, and if I do it returns 2. Yet even with just one signature, the push package gets accepted just fine now. It really feels like Apple removed that requirement for signing with the intermediate certificate and just never told anyone 🤷‍♀️. Or did they never actually start enforcing it in the first place back in 2016?

(PS if you don't have time to deal with this that's totally understandable, just posting this here in case someone more knowledgeable than myself runs up against this same issue!)
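An added example (not code from the gem or from anyone in this thread) that reproduces the certificate-count check above with a throwaway root/intermediate/leaf chain built in memory, and shows what the intermediate is actually for: a verifier that trusts only the root can validate the detached signature only if the intermediate is embedded in the signature or already known to the verifier. The chain, the manifest string and every name are constructed for the example.

```ruby
require 'openssl'

# Throwaway root -> intermediate -> leaf chain built in memory for this
# example; these are constructed stand-ins, not Apple's WWDR certificates.
def make_cert(subject, issuer, issuer_key, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

ROOT, ROOT_KEY   = make_cert('/CN=Example Root', nil, nil, ca: true)
INTER, INTER_KEY = make_cert('/CN=Example Intermediate', ROOT, ROOT_KEY, ca: true)
LEAF, LEAF_KEY   = make_cert('/CN=Example Push Leaf', INTER, INTER_KEY, ca: false)

# Constructed stand-in for the manifest.json that gets signed.
MANIFEST = '{"icon.iconset/icon_16x16.png":"0123abcd"}'.freeze

# Detached PKCS#7 signature over the manifest; extra_certs is where an
# intermediate would be added (or left out).
def sign_manifest(extra_certs)
  OpenSSL::PKCS7.sign(LEAF, LEAF_KEY, MANIFEST, extra_certs,
                      OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED).to_der
end

# The check from the thread: how many certificates does the signature carry?
def cert_count(sig_der)
  OpenSSL::PKCS7.new(sig_der).certificates.size
end

# Verify the detached signature against a store holding only the given
# trusted certs. Chain building must find the intermediate somewhere:
# either embedded in the signature or already known to the verifier.
def verifies?(sig_der, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  OpenSSL::PKCS7.new(sig_der).verify([], store, MANIFEST, OpenSSL::PKCS7::DETACHED)
end
puts "certs without intermediate: #{cert_count(sign_manifest([]))}"      # 1
puts "certs with intermediate:    #{cert_count(sign_manifest([INTER]))}" # 2
```

Run it as a plain script; the two count lines mirror the 1 vs 2 observed in the thread, and `verifies?` makes the difference visible by returning false when the root-only verifier never sees the intermediate.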

mohamedhafez commented 1 year ago

I recently got it to work with the new AppleWWDRCAG4.cer intermediate cert, with no changes or fixes at all. In fact it wasn't working with the old AppleWWDRCA.cer linked to in the TODO; my guess is that in the certificates Apple is issuing now, they are using the AppleWWDRCAG4 cert, and before, when I made this ticket and it wouldn't work with the AppleWWDRCAG3.cer, it was probably because Apple was just still signing with the old intermediate certs. So, false alarm, closing this issue!