alexandercerutti / passkit-generator

The easiest way to generate custom Apple Wallet passes in Node.js
MIT License
885 stars 109 forks

Different signerCert.pem Algorithm #105

Closed safonovklim closed 2 years ago

safonovklim commented 2 years ago

Hi!

First of all, amazing work! Thank you

I spent a whole day trying to get the first valid pass, but no luck. The only thing I found is:

  1. Your instruction: https://github.com/alexandercerutti/passkit-generator/wiki/Generating-Certificates#which-are-the-passtypeidentifier-and-teamidentifier-am-i-using (screenshot)

Signature Algorithm: sha1WithRSAEncryption and Issuer has no "OU"

But after I followed your instruction (few times with brand new identifiers, CSR, etc) I always get

   Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G4, O=Apple Inc., C=US
(screenshot)

I also tried to use both:

but no luck. I always get:

(screenshot)

I tried different templates and ended up re-using an existing one from my wallet and replacing teamId and passTypeId. But I still see this issue.

Do you have any insight into why this can happen? Why do I have sha256 by default instead of sha1 like yours?

thank you 🙏

alexandercerutti commented 2 years ago

Hello there @safonovklim, thanks for using passkit-generator!

First of all, let me say that when I wrote the guide, G4 wasn't available on the list, so I didn't have the chance of testing it. I'll do it as soon as I can.

As I stated in the guide, G1 is the correct one to be used, because that's (probably) the one being used by Apple when issuing signerCert. It's weird that you are not able to generate a pass using G1. Sha256 is probably related to the usage of G4.

What does Console.app say about this? Here's the wiki guide to debugging.

Which guide are you using for generating, Keychain Access or Terminal? Do you mind making sure you are converting G1 instead of G4 and that you are replacing the issued files correctly?

You might also want to check all the files manually through the commands I've written inside the guide, to check whether the data match among signerCert, signerKey, and WWDR. Things might have changed on Apple's side and I might not be aware of it (recently Apple updated some of its WWDR certificates because of their imminent expiration, about a year from now), but I don't know if it actually involves G1 as well (I guess so).

Let me know!
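The manual consistency checks mentioned above, written out as an added example (this is not the wiki's or passkit-generator's own script). It uses only the openssl CLI and the file names used in this thread (signerCert.pem, signerKey.pem, wwdr.pem); the `make_demo_certs` fixture is a throwaway self-signed CA and leaf certificate constructed here so the checks can be exercised offline, and the OU/expiry of the WWDR certificate is printed so the "expires 2030, Organization G4" check from Apple's expiration notice can be made on the real file.

```shell
#!/bin/sh
# Added example: consistency checks for a pass-signing trio (signerCert, signerKey, WWDR).
# Not passkit-generator code; only the openssl CLI is used.

# Distinguished names normalised with RFC 2253 so one cert's issuer can be compared
# textually with another cert's subject (same option on both sides).
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | cut -d= -f2-; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cut -d= -f2-; }

# Signature algorithm named in the certificate, e.g. sha1WithRSAEncryption or sha256WithRSAEncryption.
cert_sig_alg() { openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $NF}'; }

# The three checks worth doing before blaming the pass itself:
#   1. signerKey is the private key of signerCert (RSA modulus fingerprints match)
#   2. signerCert was issued by the WWDR cert you hand to the signer (issuer == WWDR subject)
#   3. signerCert chains to that WWDR cert (-partial_chain lets an intermediate act as the anchor)
# Returns 0 when all pass, 1 otherwise; findings are printed.
check_pass_certs() {
    cert=$1; key=$2; wwdr=$3; ok=0
    echo "signerCert signature algorithm: $(cert_sig_alg "$cert")"
    echo "WWDR subject: $(cert_subject "$wwdr"); WWDR $(openssl x509 -in "$wwdr" -noout -enddate)"

    cert_mod=$(openssl x509 -in "$cert" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
    if [ "$cert_mod" = "$key_mod" ]; then
        echo "ok:   signerKey belongs to signerCert"
    else
        echo "FAIL: signerKey does not belong to signerCert"; ok=1
    fi

    if [ "$(cert_issuer "$cert")" = "$(cert_subject "$wwdr")" ]; then
        echo "ok:   signerCert issuer matches WWDR subject"
    else
        echo "FAIL: signerCert issuer is '$(cert_issuer "$cert")', WWDR subject is '$(cert_subject "$wwdr")' (wrong WWDR generation?)"; ok=1
    fi

    if openssl verify -partial_chain -CAfile "$wwdr" "$cert" >/dev/null 2>&1; then
        echo "ok:   signerCert verifies against WWDR"
    else
        echo "FAIL: signerCert does not verify against WWDR"; ok=1
    fi
    return $ok
}

# Constructed fixture (not real Apple material): a throwaway "WWDR-like" CA, a leaf
# certificate it signs with SHA-256, and an unrelated key to exercise the mismatch path.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo WWDR/OU=G4/O=Demo" \
        -keyout "$dir/wwdr.key" -out "$dir/wwdr.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Pass Type ID: pass.demo.example/OU=TEAMID1234/O=Demo" \
        -keyout "$dir/signerKey.pem" -out "$dir/signer.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/signer.csr" -CA "$dir/wwdr.pem" -CAkey "$dir/wwdr.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/signerCert.pem" >/dev/null 2>&1
    openssl genrsa -out "$dir/otherKey.pem" 2048 >/dev/null 2>&1
}

# Usage: sh check_certs.sh signerCert.pem signerKey.pem wwdr.pem
if [ "$#" -eq 3 ]; then check_pass_certs "$1" "$2" "$3"; fi
```

On a real set of files the interesting line is the issuer comparison: a signerCert issued after the switch to the G4 intermediate will carry `OU=G4` in its issuer, and it will only verify against the G4 WWDR certificate, not the G1 one.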

safonovklim commented 2 years ago

@alexandercerutti I actually tried Keychain Access 🤔

Console.app says

Unable to load object dictionary: Error Domain=PKPassKitErrorDomain Code=1 "Failed to read data" UserInfo={NSLocalizedDescription=Failed to read data, NSUnderlyingError=0x600001424300 {Error Domain=NSCocoaErrorDomain Code=260 "The file “pass.json” couldn’t be opened because there is no such file." UserInfo={NSFilePath=/var/folders/98/1pl1bjm90b39bwb4p1s_12wm0000gn/T/com.apple.Pass-Viewer/com.apple.Passbook/2B030336-03B6-488D-A7F9-A945FA071F85.pkpass/pass.json, NSUnderlyingError=0x6000014240f0 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}}}

for all signed passes (which is not true)

(screenshot)

Also, I created 6 passes with different signerCerts: G1, G2, G3, G4, G5, G6. All of them failed with the same error (above).

(screenshots)

safonovklim commented 2 years ago

Also my certs:

(screenshot)

alexandercerutti commented 2 years ago

Mmm, that's weird. Something probably changed in terms of certificates. I have to try to generate new certificates and check if I can make it work. I'll do it asap and let you know. Maybe some changes might be required in passkit-generator.

Also, the error about the missing pass.json is weird. That's one of the issues of closed and proprietary systems: you cannot know what's happening under the hood (if the documentation is not well-written).

safonovklim commented 2 years ago

Ok, I just grabbed a valid pkpass from Apple and unzipped it.

Then I just zipped it without any changes by using zip -vr EventOriginal.pkpass Event/ -x "*.DS_Store" and it didn't work either :/

Same if I compress and rename via UI

So, I guess it's a local issue :shrug:

alexandercerutti commented 2 years ago

Did you try perhaps to run examples? They should work. Which macOS version are you running on?

Let me know.

safonovklim commented 2 years ago

I'm on

(screenshot)

Unfortunately, the examples don't work for me due to weird TS issues (even if I installed additional @types/* dev dependencies)

(screenshot)

>  node -v
v14.19.0

alexandercerutti commented 2 years ago

These errors are weird. I'll check with node 14, but the errors you reported seem to mean that you didn't install the dependencies of passkit-generator but installed only the dependencies in the example folder 🤔

safonovklim commented 2 years ago

@alexandercerutti thank you, self-hosted example worked just fine!

http://localhost:8080/barcodes/examplePass.pass

(screenshot)

alexandercerutti commented 2 years ago

Great, @safonovklim! So, I guess, there's something wrong with your flow that is out of my scope 😄.

I'm going to close this. If you have any questions about the library, I'm here 😉

May I ask you to leave a ⭐️ on the project? That would be very helpful for increasing project popularity (and to make my body release an additional dose of dopamine 😆)?

alexandercerutti commented 2 years ago

Oh, also, let me add that I'll still perform the checks I said before. If you find the issue, would you mind sharing it? So that others might benefit from it!

safonovklim commented 2 years ago

@alexandercerutti ok, so it looks like I found a problem.

I added writeFile before serving it via the HTTP server. Then I opened the saved file (not the downloaded one) and it worked just fine!

Looks like an issue with the way serverless, koa, serverless-http, and work with each other. I'll try to set up local and AWS s3 bucket and try uploading there first.

Appreciate your help 🙏
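Two of the failures in this thread share one symptom, "The file pass.json couldn't be opened": re-zipping the unpacked pass as `zip -vr EventOriginal.pkpass Event/` (which stores every file under an `Event/` prefix instead of at the archive root), and a pass that is fine on disk but broken after passing through the HTTP layer. The following added example (not passkit-generator code) is a small structural inspector for a .pkpass buffer that reports both conditions, plus a minimal stored-only zip writer used to build constructed fixtures so it runs offline. The fixture contents (pass.json fields, the `TEAMID1234` team identifier, the dummy signature bytes) are invented placeholders, and the "transcoded" fixture is an assumption about one way a binary body can be damaged in transit (a UTF-8 text round trip), not a claim about what serverless-http did here.

```javascript
// Added example: structural checks for a .pkpass archive and a tiny "stored" zip writer
// for constructed fixtures. Not passkit-generator code. Node.js, no dependencies.
const REQUIRED = ['pass.json', 'manifest.json', 'signature'];

// CRC-32 (IEEE 802.3), required to write well-formed zip headers.
const CRC_TABLE = new Uint32Array(256).map((_, n) => {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  return c >>> 0;
});
function crc32(buf) {
  let c = 0xffffffff;
  for (const b of buf) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

// Build a zip with uncompressed ("stored") entries from { name: Buffer }.
function buildStoredZip(files) {
  const locals = [], centrals = [];
  let offset = 0;
  for (const [name, data] of Object.entries(files)) {
    const nameBuf = Buffer.from(name, 'utf8');
    const crc = crc32(data);
    const local = Buffer.alloc(30 + nameBuf.length);           // local file header
    local.writeUInt32LE(0x04034b50, 0); local.writeUInt16LE(20, 4);
    local.writeUInt32LE(crc, 14); local.writeUInt32LE(data.length, 18);
    local.writeUInt32LE(data.length, 22); local.writeUInt16LE(nameBuf.length, 26);
    nameBuf.copy(local, 30);
    const central = Buffer.alloc(46 + nameBuf.length);         // central directory header
    central.writeUInt32LE(0x02014b50, 0); central.writeUInt16LE(20, 4); central.writeUInt16LE(20, 6);
    central.writeUInt32LE(crc, 16); central.writeUInt32LE(data.length, 20);
    central.writeUInt32LE(data.length, 24); central.writeUInt16LE(nameBuf.length, 28);
    central.writeUInt32LE(offset, 42); nameBuf.copy(central, 46);
    locals.push(local, data); centrals.push(central);
    offset += local.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);                                // end of central directory
  eocd.writeUInt32LE(0x06054b50, 0);
  eocd.writeUInt16LE(centrals.length, 8); eocd.writeUInt16LE(centrals.length, 10);
  eocd.writeUInt32LE(cd.length, 12); eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...locals, cd, eocd]);
}

// Entry names read from the central directory, the index a reader actually relies on.
function listZipEntries(buf) {
  let eocd = -1;
  for (let i = buf.length - 22; i >= 0; i--) if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  if (eocd < 0) throw new Error('no end-of-central-directory record');
  const count = buf.readUInt16LE(eocd + 10);
  let pos = buf.readUInt32LE(eocd + 16);
  const names = [];
  for (let i = 0; i < count; i++) {
    if (pos + 46 > buf.length || buf.readUInt32LE(pos) !== 0x02014b50) throw new Error('central directory header corrupt');
    const nameLen = buf.readUInt16LE(pos + 28), extraLen = buf.readUInt16LE(pos + 30), commentLen = buf.readUInt16LE(pos + 32);
    names.push(buf.toString('utf8', pos + 46, pos + 46 + nameLen));
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return names;
}

// Why a viewer might say "pass.json couldn't be opened": not a zip at all, bytes damaged
// in transit, or the required files living under a folder prefix instead of the root.
function inspectPkpass(buf) {
  const problems = [];
  if (buf.length < 4 || buf.readUInt32LE(0) !== 0x04034b50) {
    return { ok: false, entries: [], problems: ['not a zip archive (no local file header at offset 0)'] };
  }
  let entries;
  try { entries = listZipEntries(buf); }
  catch (e) { return { ok: false, entries: [], problems: [`${e.message}; were the bytes transcoded (served as text)?`] }; }
  for (const r of REQUIRED) if (!entries.includes(r)) problems.push(`missing ${r} at archive root`);
  const nested = entries.filter((n) => REQUIRED.some((r) => n.endsWith('/' + r)));
  if (nested.length) problems.push(`required files nested under a folder (${nested.join(', ')}): zip the folder contents, not the folder`);
  return { ok: problems.length === 0, entries, problems };
}

// Constructed fixtures (placeholder values, not a real pass). The signature entry is dummy
// bytes with non-ASCII values, as a real CMS blob would contain.
const FILES = {
  'pass.json': Buffer.from('{"formatVersion":1,"passTypeIdentifier":"pass.example.demo","teamIdentifier":"TEAMID1234"}'),
  'manifest.json': Buffer.from('{"pass.json":"0000000000000000000000000000000000000000"}'),
  signature: Buffer.from([0x30, 0x82, 0x01, 0x00, 0xa0, 0x80, 0xff, 0xfe]),
};
const goodPass = buildStoredZip(FILES);
// Same files, but zipped with the folder itself, as `zip -r x.pkpass Event/` does.
const nestedPass = buildStoredZip(Object.fromEntries(Object.entries(FILES).map(([n, d]) => ['Event/' + n, d])));
// Assumed damage scenario: the binary body went through a UTF-8 text round trip.
const transcodedPass = Buffer.from(goodPass.toString('utf8'), 'utf8');

console.log(inspectPkpass(goodPass).ok, inspectPkpass(nestedPass).problems, inspectPkpass(transcodedPass).problems);
```

Running `inspectPkpass` on the bytes a client actually received (for example, the response body saved with curl) rather than on the file written by writeFile is what separates "the pass is built wrong" from "the pass is delivered wrong", which is the distinction that resolved this thread.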

alexandercerutti commented 2 years ago

Thank you for your donation! ❤️

alexandercerutti commented 2 years ago

Hello there @safonovklim, I was verifying what we discussed about. I found an expiration notice: https://developer.apple.com/support/expiration/

Especially, it is written that:

Apple Push Notification Service SSL Certificates, including the Pass Type ID Certificate, were updated January 27, 2022, and associated with a new intermediate certificate focused on the Apple Push Notification service (APNs). If you plan to send notification requests or passes with certificates issued after January 27, 2022, you’ll need to download the Worldwide Developer Relations G4 sub CA, available for download. You can confirm that the correct intermediate certificate is installed by verifying that the expiration date is set to 2030 and the Organization field is set to G4.

I have to perform more checks about full compatibility. I'll also update the wiki asap.

alexandercerutti commented 2 years ago

@safonovklim Let me ask you: when you were able to generate a pass by using examples, did you use G4 signerCert + G4 WWDR or G1 signerCert + G1 WWDR? I was trying with a newly-issued G4 signerCert and a G4 WWDR and I'm having a few issues in generating a valid one 🤔

safonovklim commented 2 years ago

@safonovklim Let me ask you: when you were able to generate a pass by using examples, did you use G4 signerCert + G4 WWDR or G1 signerCert + G1 WWDR? I was trying with a newly-issued G4 signerCert and a G4 WWDR and I'm having a few issues in generating a valid one 🤔

Hey!

I used WWDR G1 and SignerCert G4

alexandercerutti commented 2 years ago

How the... what? 😄 I'm not quite sure how it is supposed to work ahahah, but I managed to make it work with both G1 and G4, thank you :D