tschoffelen / php-pkpass

💳 PHP class for creating passes for Wallet on iOS.
https://includable.com
MIT License

Invalid data error reading pass. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified. Because of WWDR Certificate #118

Closed sokolx1 closed 1 year ago

sokolx1 commented 1 year ago

Well, I did everything in order from the readme, created a .p12 file, which is valid. Spent 2 days to understand why I keep getting this error:

Invalid data error reading pass. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.

And suddenly I found this website https://pkpassvalidator.azurewebsites.net/ (BTW, this website is worth mentioning in the readme IMO)

Which says that ONLY G4 WWDR is valid for generating pkpass files. I'm not sure if I'm an idiot or not, did I miss something important or not, BUT, now it works perfectly fine.

I'm not sure what you're gonna do with this info. Just trying to save somebody from 3 days of disaster.

If you face the same issue, try exporting this WWDR into PEM via Keychain. Use it in your code for generation like this:

$pass->setWwdrCertificatePath('Certificate/wwdr4.pem');

It might save your day.

AppleWWDRCAG4.zip

tschoffelen commented 1 year ago

This is very helpful knowledge for sure! Turns out the reason I or anyone else hasn't run into this yet is probably because we were signing our pass certificates with developer keys that have existed for a while:

The renewed version is used to sign new software signing certificates issued after January 28, 2021

https://developer.apple.com/support/expiration/

tschoffelen commented 1 year ago

I've updated the WWDR to version 6 in #119. Any specific reason you went for version 4?

Kai-Luo commented 1 year ago

Hello @tschoffelen

I'm facing this same problem. So after getting information from different places, I think I understood this:

Version 6 isn't compatible with wallet, the validation will fail. The WWDR (Apple WorldWide Developer Relations) G1/G4 Certificates would be the good ones.

In https://developer.apple.com/support/expiration/ they mention this: If you plan to send notification requests or passes with certificates issued after January 27, 2022, you’ll need to download the Worldwide Developer Relations G4 sub CA, available for download. You can confirm that the correct intermediate certificate is installed by verifying that the expiration date is set to 2030 and the Organization field is set to G4.

I think it would be a better option to force users of the package to set the path for the WWDR certificate instead of having it hard-coded; I believe that will prevent future headaches.

This package has a good wiki about the subject

I hope it helps. Thanks
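An added example (not from this thread or from php-pkpass) of the check quoted from Apple in the comment above, extended to also test whether a given WWDR file is the one that signed the pass certificate. It assumes PHP 7.4+ with the openssl extension, that the generation label sits in the subject OU, and that the pass certificate is signed directly by the WWDR intermediate; the helper names and the locally generated certificates are constructed for illustration.

```php
<?php
// Added example; not part of php-pkpass. All function names are hypothetical.

/** Generation label and expiry of a WWDR intermediate given as PEM text. */
function wwdrInfo(string $wwdrPem): array
{
    $c = openssl_x509_parse($wwdrPem);
    if ($c === false) {
        throw new RuntimeException('not a readable PEM certificate');
    }
    // Assumption: the "G4" label is in the subject OU (falls back to O).
    $label = $c['subject']['OU'] ?? $c['subject']['O'] ?? '';
    return [
        'generation'  => is_array($label) ? implode(',', $label) : $label,
        'expiresYear' => (int) gmdate('Y', $c['validTo_time_t']),
        'expired'     => $c['validTo_time_t'] < time(),
    ];
}

/** True only if the pass certificate's signature verifies under this WWDR's key. */
function issuedBy(string $passCertPem, string $wwdrPem): bool
{
    $pub = openssl_pkey_get_public($wwdrPem);
    return $pub !== false && openssl_x509_verify($passCertPem, $pub) === 1;
}

// Constructed sample data: throwaway certificates generated locally, not Apple's.
function newKey()
{
    return openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
}
function makeCert(array $dn, ?string $caPem, $caKey, $ownKey, int $days): string
{
    $csr  = openssl_csr_new($dn, $ownKey, ['digest_alg' => 'sha256']);
    $x509 = openssl_csr_sign($csr, $caPem, $caKey, $days, ['digest_alg' => 'sha256']);
    openssl_x509_export($x509, $pem);
    return $pem;
}

$days = intdiv(strtotime('2030-06-01') - time(), 86400);
[$k4, $k6, $kPass] = [newKey(), newKey(), newKey()];
$g4   = makeCert(['commonName' => 'Constructed WWDR stand-in', 'organizationalUnitName' => 'G4'], null, $k4, $k4, $days);
$g6   = makeCert(['commonName' => 'Constructed WWDR stand-in', 'organizationalUnitName' => 'G6'], null, $k6, $k6, $days);
$pass = makeCert(['commonName' => 'pass.example.constructed'], $g4, $k4, $kPass, 365);

foreach (['wwdr-g4' => $g4, 'wwdr-g6' => $g6] as $name => $wwdr) {
    $i = wwdrInfo($wwdr);
    printf("%s: generation=%s expires=%d expired=%s signs pass cert=%s\n", $name, $i['generation'],
        $i['expiresYear'], $i['expired'] ? 'yes' : 'no', issuedBy($pass, $wwdr) ? 'yes' : 'no');
}
```

For a real pass, read the certificate out of the .p12 with `openssl_pkcs12_read()` and compare its `cert` entry against the contents of the file given to `setWwdrCertificatePath()`.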

razvanphp commented 7 months ago

Indeed, why do you bundle this in the library? It should be a configuration setting like in any other lib....

Here is the relevant documentation that @Kai-Luo is mentioning: https://developer.apple.com/help/account/reference/wwdr-intermediate-certificates/

G6 is for Swift app signing, we need G4.

tschoffelen commented 7 months ago

Good point! Happy to accept a PR that adds a method to override the default cert, I was just looking for ways to make the library as plug & play as possible.

razvanphp commented 7 months ago

My understanding from your comment is that this is possible already with the setWwdrCertificatePath() function, sorry: https://github.com/includable/php-pkpass/blob/master/src/PKPass.php#L146

tschoffelen commented 7 months ago

You're totally right, apologies!

And I've merged PR #132 that switched to the correct default cert. Thanks everyone for your help!