
So I've been using Apple's createPushPackage.php script they provide in their Configuring Safari Push Notifications guide to generate and sign my push packages (edited slightly to use an intermediate cert). It works just fine for me with the old AppleWWDRCA intermediate cert that expires in Feb 2023, but when I try to use the new AppleWWDRCAG3 intermediate cert that expires in 2030, I always get a {"logs":["Signature verification of push package failed"]} error (delivered via webhook) when a user tries to subscribe.

Here is a gist of the createPushPackage.php script I'm using

The same exact issue happens as well when I try to use this Ruby library to generate the push package zip and signature: it works just fine with the old intermediate cert, but I get the same error if I try to use the new one.

Any idea what could be going wrong here, and how to fix it??


EDIT: I noticed that the latest version of Apple's PHP script doesn't involve an intermediate cert at all! I thought this was an oversight at first, but after trying it, everything actually works just fine! I'm worried about whether this is a future-proof solution though; the Apple Guide explicitly states we have to sign with the intermediate cert. Or perhaps the intermediate cert is already included with the cert we download from the Apple dev center these days? Could anyone help with the commands to check that?

Mohamed Hafez
  • I am getting the same problem, but it got solved by changing the function mentioned below: $inter_cert = FCPATH.'AppleWWDRCAG4.pem'; openssl_pkcs7_sign("$package_dir/manifest.json", $signature_path, $cert_data, $private_key, array(), PKCS7_BINARY | PKCS7_DETACHED, $inter_cert); But the strange thing is that it's working on my stage and preprod environments and is not working on my production. One more thing: my old integrations are working fine, and I am facing this for the clients who are doing new integrations. Any help appreciated. – vinit agrawal Apr 14 '22 at 13:55
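
The question asks for commands to check whether an intermediate cert is bundled with the downloaded cert. The following is an added example (not part of the original post, and not Apple's script) that counts the certificates inside a .p12 and lists the certificates embedded in a DER signature file. The helper names, file names, password and the throwaway test PKI are all constructed for illustration.

```shell
#!/bin/sh
# Number of certificates inside a PKCS#12 file (1 = leaf only, more = chain bundled).
p12_cert_count() {   # usage: p12_cert_count FILE PASSWORD
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Subjects of the certificates embedded in a DER-encoded PKCS#7 signature.
sig_cert_subjects() {   # usage: sig_cert_subjects SIGNATURE_FILE
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep '^subject'
}

# Detached, binary PKCS#7 signature over a manifest; the optional 5th argument
# is an extra certificate (the intermediate) to embed next to the signer.
sign_manifest() {   # usage: sign_manifest MANIFEST CERT KEY OUT [EXTRA_CERT]
    openssl smime -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$4" ${5:+-certfile "$5"}
}

# --- Constructed throwaway PKI; none of these are Apple certificates ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Intermediate" \
    -keyout "$demo/int.key" -out "$demo/int.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Push Leaf" \
    -keyout "$demo/leaf.key" -out "$demo/leaf.csr" 2>/dev/null
openssl x509 -req -in "$demo/leaf.csr" -CA "$demo/int.pem" \
    -CAkey "$demo/int.key" -CAcreateserial -days 1 \
    -out "$demo/leaf.pem" 2>/dev/null
printf '{"constructed":"manifest"}' > "$demo/manifest.json"

# The same leaf exported without and with the intermediate bundled.
openssl pkcs12 -export -inkey "$demo/leaf.key" -in "$demo/leaf.pem" \
    -passout pass:demo -out "$demo/leaf_only.p12"
openssl pkcs12 -export -inkey "$demo/leaf.key" -in "$demo/leaf.pem" \
    -certfile "$demo/int.pem" -passout pass:demo -out "$demo/with_chain.p12"

# The same manifest signed without and with the intermediate embedded.
sign_manifest "$demo/manifest.json" "$demo/leaf.pem" "$demo/leaf.key" \
    "$demo/sig_leaf"
sign_manifest "$demo/manifest.json" "$demo/leaf.pem" "$demo/leaf.key" \
    "$demo/sig_chain" "$demo/int.pem"

echo "leaf_only.p12:  $(p12_cert_count "$demo/leaf_only.p12" demo) cert(s)"
echo "with_chain.p12: $(p12_cert_count "$demo/with_chain.p12" demo) cert(s)"
echo "certs in signature signed with the intermediate:"
sig_cert_subjects "$demo/sig_chain"
```

Run against a real download, `p12_cert_count` on the exported .p12 and `sig_cert_subjects` on the package's `signature` file show whether anything beyond the leaf certificate is present. On OpenSSL 3.x, a .p12 encrypted with older ciphers may need `-legacy` added to the `openssl pkcs12` call.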

0 Answers