Including Intermediate Certificate to sign when generating push package

[deepakc]

Is there an option to pass the intermediate certificate for signing?

package = PushPackage.new(website_params, iconset_path, certificate, 'optional cert password')

Or if i have the intermediate certificate in my p12 will that all be used while signing?

[adamvduke]

@deepakc I'm not familiar with using the intermediate certificate for signing. Pull requests are welcomed.

[deepakc]

@adamvduke Thanks! let me take a look - And this is required because of this Apple's announcement that their intermediate certs are expiring - https://developer.apple.com/support/certificates/expiration/index.html

[adamvduke]

Hi @deepakc, support for intermediates was added by @kyle30312 and is available in rubygems as version 0.2.0.

[kyle30312]

More background:

To summarize the certificate chain for verifying a push package: (A) Apple Root CA - expires 2/9/2035 (see Keychain Access > System Roots > Certificates) (B) Apple Worldwide Developer Relations Certification Authority - expires 2/14/2016 (old one), 2/7/2023 (new one) (C) Website Push ID: web.com.example.www - this is the certificate issued by Apple for your site, typically expires after one year.

• Presently, the 'signature' file in the push package contains certificate (C) and the signature bytes.
• Intermediate cert (B) is being renewed and the user's machine might not have the installed the update yet from (B-old) to (B-new).
• Including the intermediate cert (B-new) in the signature file in the push package allows Safari to verify the chain even if the machine doesn't have (B-new) installed.
• Therefore, the Apple support page says the 'signature' file should now contain (B-new), (C), and the signature bytes.
• Note the root cert is never included in the signature file. As a trust anchor, it must always be installed on the machine so that it's always coming from a trusted location.