tschoffelen / php-pkpass

💳 PHP class for creating passes for Wallet on iOS.
https://includable.com
MIT License
916 stars 187 forks source link

Invalid data error reading pass. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified. Because of WWDR Certificate #118

Closed sokolx1 closed 2 years ago

sokolx1 commented 2 years ago

Well, i did everything in order from readme, created .p12 file, which is valid. Spent 2 days to understand why i keep getting this error

Invalid data error reading pass. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.

And suddenly i found this website https://pkpassvalidator.azurewebsites.net/ (BTW, this website worth mentionind in readme IMO)

Which says that ONLY G4 wwdr is valid for generating pkpass files. I'm not sure if i'm an idiot or not, did i miss something important or not, BUT, now it works perfectly fine.

I'm not sure, what you gonna do with this info. Just trying to save somebody from 3 days of disaster

If you face same issue, try exporting this wwdr into pem via keychain. Use it in your code for generation like this

$pass->setWwdrCertificatePath('Certificate/wwdr4.pem');

it might save your day

AppleWWDRCAG4.zip

tschoffelen commented 2 years ago

This is very helpful knowledge for sure! Turns out the reason I or anyone else hasn't run into this yet is probably because we were signing our pass certificates with developer keys that have existed for a while:

The renewed version is used to sign new software signing certificates issued after January 28, 2021

https://developer.apple.com/support/expiration/

tschoffelen commented 2 years ago

I've updated the WWDR to version 6 in #119. Any specific reason you went for version 4?

Kai-Luo commented 2 years ago

Hello @tschoffelen

I'm facing this same problem. So after getting information from different places, I think I understood this:

Version 6 isn't compatible with wallet, the validation will fail. The WWDR (Apple WorldWide Developer Relations) G1/G4 Certificates would be the good ones.

In https://developer.apple.com/support/expiration/ they mention this: If you plan to send notification requests or passes with certificates issued after January 27, 2022, you’ll need to download the Worldwide Developer Relations G4 sub CA, available for download. You can confirm that the correct intermediate certificate is installed by verifying that the expiration date is set to 2030 and the Organization field is set to G4.

I think would be a better option to force users of the package to set the path for the WWDR certificate instead of having it hard coded, I believe that will prevent future headaches.

This package has a good wiki about the subject

I hope it helps Thanks

razvanphp commented 12 months ago

Indeed, why do you bundle this in the library? It should be a configuration setting like in any other lib....

Here is the relevant documentation that @Kai-Luo is mentioning: https://developer.apple.com/help/account/reference/wwdr-intermediate-certificates/

G6 is for Swift app signing, we need G4.

tschoffelen commented 11 months ago

Good point! Happy to accept a PR that adds a method to override the default cert, I was just looking for ways to make the library as plug & play as possible.

razvanphp commented 11 months ago

My understanding from your comment is that this is possible already with setWwdrCertificatePath() function, sorry: https://github.com/includable/php-pkpass/blob/master/src/PKPass.php#L146

tschoffelen commented 11 months ago

You're totally right, apologies!

And I've merged PR #132 that switched to the correct default cert. Thanks everyone for your help!