Pkpass generated with jpasskit is different than generated with signpass

[kienvaser]

Hi, I'm having a problem generating pkpass with jpasskit. I use Linux to develop and don't have an iPhone so my friend is the one who tests the pkpass. When he tries to load the generated pkpass on his passbook the system log says:

Invalid data error reading pass pass.com.mycompany.passbook/kLGnVMHK. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.

But if he takes the generated pkpass, removes signature and signs it with signpass the new pkpass is valid. Any idea about why is this happening?

PS: I'm generating the pkpass files from a Glassfish Server over Linux.

The code I'm using:

PKSigningInformation pkSigningInformation = null; byte[] passZipAsByteArray = null; try { pkSigningInformation = PKSigningUtil.loadSigningInformationFromPKCS12FileAndIntermediateCertificateFile(keyStorePath, keyStorePassword, appleWWDRCACertificatePath);

      passZipAsByteArray = PKSigningUtil.createSignedAndZippedPkPassArchive(pass, pathToTemplateDirectory, pkSigningInformation);
  }

Thanks.

[drallgood]

Sounds like the certificate and/or chain is invalid.

Are you using the correct pass certificate and intermediate certificate? If you like, you can send me one of your passes so I can check them myself (you can email it to me, if it contains confidential information)

[woolfel]

I'm having a similar issue with signatures. I create a pass in XCode using the stock example and then I also create a pass using jpasskit. The pass.json is exactly the same, the manifest created by xcode uses indents so it's crc32 is a different but that shouldn't matter since the content is the same. The hashes for the files images and pass.json match. The signature produce by jpasskit is different than what xcode produces. I can step through and see private key and cert in eclipse, and it "appears" correct. I double checked my p12 and cer file, both look ok.

[woolfel]

when I look at the error on the phone through xcode, the error I see is this.

The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.

I double checked the passTypeIdentifier and teamIdentifier and both are correct. So I'm guessing it is the certificate trust that couldn't be verified in the signature.

[woolfel]

I figured it out. In case anyone else has the same problem. I was using the .cer the portal created for me to sign the pass. When I downloaded AppleWWDRCA.cer from http://www.apple.com/certificateauthority/ and used that to certificate to sign, everything worked. the cert you want is Worldwide Developer Relations Certificate.

[woolfel]

I wrote a quick tutorial on how to get started with jpasskit on my blog. Hopefully others will find it useful http://whataboutcassandra.blogspot.com/2015/08/this-has-nothing-to-do-with-cassandra.html

[drallgood]

Yep. That's a common issue. So common that Apple even mentions it in their docs ;)

[woolfel]

funny thing is, when I searched on developer.apple.com I didn't come across that in their docs. it's probably just me, but I find the formatting and structure of apple docs difficult to read and search. Atleast compared to Sun's javadocs, but I'm bias :)

[drallgood]

It's mentioned in "Debugging passes": https://developer.apple.com/library/ios/documentation/UserExperience/Conceptual/PassKit_PG/Chapters/Creating.html#//apple_ref/doc/uid/TP40012195-CH4-SW21

[woolfel]

LOL, that description is poorly worded, confusing and not very helpful. They should have included the error message XCode displays when you use the wrong cert.

[drallgood]

@woolfel Would you mind improving the documentation for jPasskit? I'd really appreciate your help since I don't really have much time to work on it right now...

[woolfel]

Yes, I can take my mini-tutorial and expand it.

[drallgood]

Thanks