Update to new App Store Receipt Signing Certificate before January 24, 2025

[StevenMasini]

Context

Starting January 24, 2025, if your app performs on-device receipt validation and doesn't support a SHA-256 algorithm, your app will fail to validate the receipt.

https://developer.apple.com/news/?id=b6tejt6f

Expectation

I could be wrong as I am not an expert, but from what I've seen in the codebase, TPInAppReceipt currently uses the SHA-1 hash to validate the receipt. https://github.com/search?q=repo%3Atikhop%2FTPInAppReceipt%20SHA-&type=code

We would need to update the code to use SHA-256 to validate the receipt.

[tikhop]

Hi @StevenMasini, thanks for bringing this up.
If I remember correctly, this has been discussed here.
In short, there is no change, as I understood in this part of verification and it only affects verification of the certificate chain of trust.
Thank you!

[StevenMasini]

Thanks for your reply @tikhop 🙌

I've read through the whole thread. If I understand correctly this change is already effective for all new apps or updates submitted to the App Store after August 14, 2023.

So, I guess if TPAppReceipt had issues to validate receipts locally, we would've heard about it since.

I will proceed to my own test in the sandbox environment to make sure it works for us.
Thanks again.

[TungVuDuc2805]

Hey guys, any updates on this ?

[tikamsingh]

I am also looking for update

[tikamsingh]

I am also looking for update

[StevenMasini]

You can already test if your app support SHA-256 algorithm by testing IAP in the Sandbox environment.

https://developer.apple.com/news/?id=smofnyhj

• June 20, 2023. Receipts in the sandbox environment will be signed with the SHA‑256 version of this certificate for devices running a minimum of iOS 16.6, iPadOS 16.6, tvOS 16.6, watchOS 9.6, or macOS Ventura 13.5.
• August 14, 2023. Receipts in new apps and app updates submitted to the App Store, as well as all apps in sandbox, will be signed with the SHA‑256 intermediate certificate.

I did test my app and found no issue whatsoever. I didn't have to update TPAppReceipt.
Hope this helps.

[vivek-mittal]

I am currently using version 3.3.4 of this lib and have recently started seeing the following message in the App store connect-

Upcoming Requirements: App Store Receipt Signing Certificate
The SHA-1 intermediate certificate used for signing App Store receipts expires on January 24, 2025. If your app performs on-device receipt validation, make sure it supports the SHA-256 algorithm; alternatively, use the AppTransaction and Transaction APIs to verify App Store transactions. Learn More

Even with 3.3.4, I/we have nothing to worry? I reviewed release notes of the two version which came after 3.3.4 and nothing pops out. We do not fall in the category of -

Determine if your app is affected
Apps that are affected by Apple’s certificate update to SHA-256 include those that do the following:

Perform on-device receipt validation, as described in Validating receipts on the device, and

Use code to verify the chain of trust that doesn’t support the SHA-256 algorithm or relies on an expectation that the certificate encryption uses only SHA-1.

[StevenMasini]

The only advice I can give is to follow Apple recommendation and to Test your app receipt validation in the sandbox environment. I am using an even older version of TPAppReceipt (3.2.1) and I didn't have to update.

[golikovartem404]

@StevenMasini Hello,

Did I understand you correctly that you are using version 3.2.1 and everything works correctly in it, taking into account the new requirements?

[franGaribay]

Following, thanks!