tomasmcguinness / dotnet-passbook

A .Net Library for generating Apple Passbook (Wallet) files for iOS. Please get involved by creating pull requests and opening issues!
MIT License

WWDRCA G4 giving "Sorry, your pass cannot be installed to Passbook at this time" (but G1 still works OK) #152

Closed dylanbeattie closed 2 years ago

dylanbeattie commented 2 years ago

I've updated to the latest 3.0.1 release of dotnet-passbook, and noticed you've amended the docs to specify that you have to use the "G4" version of the certificate...

G4 isn't working for me, but the original G1 version still works fine:

```csharp
public AppleWallet(IConfiguration config) {
  // Apple WWDR intermediate certificate and the pass-signing PFX, loaded as raw bytes
  this.appleWWDRCACertificate = File.ReadAllBytes("AppleWWDRCA.cer");
  this.certificate = File.ReadAllBytes(Path.Combine("keys", "passbook_ursatile_com.pfx"));
  this.certificatePassword = config["ApplePasses:CertificatePassword"];
  this.passTypeIdentifier = config["Apple:PassTypeIdentifier"];
  this.teamIdentifier = config["Apple:TeamIdentifier"];
}

public byte[] CreateTicket(Ticket ticket) {
  var request = new PassGeneratorRequest() {
    AppleWWDRCACertificate = new X509Certificate2(appleWWDRCACertificate),
    PassbookCertificate = new X509Certificate2(certificate, certificatePassword),
    PassTypeIdentifier = passTypeIdentifier,
    TeamIdentifier = teamIdentifier
  };
  //...
}
```

I'm now wondering if there's some undocumented dependency between the PFX file used as the passbook certificate and the version of the WWDRCA certificate you're using - because I'm assuming from the documentation updates that G4 is working just fine for you, even though it won't work for me.

PKPassValidator reports the same thing - here are two near-identical certificates generated from the same code, one using the G1 cert, the other using the G4 cert. PKPassValidator says the G1 cert is OK, and reports a cert subject mismatch for the G4 cert version:

example-with-G1-WWDC-cert.pkpass.zip example-with-G4-WWDC-cert.pkpass.zip

tomasmcguinness commented 2 years ago

Hey,

Are you using an older pfx file, one that was generated before the G1 -> G4 change?

I suspect the wording of my documentation may be at fault here.

dylanbeattie commented 2 years ago

Ah - yes, I am! That would explain it.

So the fix is to create a new PFX file, which will now be signed with the G4 cert from Apple because.... that's just a thing now?

tomasmcguinness commented 2 years ago

I presume Apple will honour the G1 until it expires next year.

You can just use G1 WWDR with your current PFX file and all should be right with the (passkit) world.

dylanbeattie commented 2 years ago

Yeah, that's what's working right now. I also discovered along the way that you get exactly the same (useless) error message "Sorry, your Pass cannot be installed to Passbook at this time" if you're serving PKPASS files over an HTTPS connection with an invalid certificate... ah, fun & games.

tomasmcguinness commented 2 years ago

I've updated the README with guidance around which WWDR cert and the cutoff times. Glad it's working!
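
An added example, not part of the thread or of dotnet-passbook: a pre-flight check that the pass certificate in the PFX was issued under the WWDR certificate about to be handed to `PassGeneratorRequest`, which is the G1/G4 mismatch discussed above. The `WwdrPreflight` class, its method names and the certificates (generated in code as stand-ins for G1 and G4) are assumptions for illustration; the check compares issuer and subject names and expiry only, it does not verify signatures.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WwdrPreflight
{
    // Returns "OK" when the pair is consistent, otherwise the reason it is not.
    public static string Check(X509Certificate2 passCert, X509Certificate2 wwdr, DateTime nowUtc)
    {
        // The pass certificate's issuer DN must be byte-identical to the WWDR subject DN.
        if (!passCert.IssuerName.RawData.SequenceEqual(wwdr.SubjectName.RawData))
            return $"issuer mismatch: pass cert issued by '{passCert.Issuer}', WWDR is '{wwdr.Subject}'";
        // An expired intermediate breaks the chain even when the names match.
        if (nowUtc > wwdr.NotAfter.ToUniversalTime())
            return $"WWDR certificate expired on {wwdr.NotAfter.ToUniversalTime():u}";
        if (nowUtc > passCert.NotAfter.ToUniversalTime())
            return $"pass certificate expired on {passCert.NotAfter.ToUniversalTime():u}";
        return "OK";
    }

    // Constructed stand-in for a WWDR intermediate; not Apple's certificate.
    static X509Certificate2 MakeCa(string subject)
    {
        var req = new CertificateRequest(subject, RSA.Create(2048),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static void Main()
    {
        var g1 = MakeCa("CN=Constructed WWDR CA, OU=G1");
        var g4 = MakeCa("CN=Constructed WWDR CA, OU=G4");

        // Constructed pass certificate issued under the "G1" stand-in, like an older PFX.
        var leafReq = new CertificateRequest("CN=pass.example.constructed",
            RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var passCert = leafReq.Create(g1, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(30),
            new byte[] { 0x01, 0x23, 0x45, 0x67 });

        Console.WriteLine("with G1: " + Check(passCert, g1, DateTime.UtcNow)); // matching issuer
        Console.WriteLine("with G4: " + Check(passCert, g4, DateTime.UtcNow)); // issuer mismatch
    }
}
```

With real files, load the two certificates the same way the constructor above does and call `Check` before building the request, so a mismatch surfaces as a readable message on the server instead of the generic install error on the device.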