As described in many blogs and news outlets, the certificate that Apple servers were using to sign receipts for apps downloaded from the Mac App Store expired on 2015.11.11. There was an interim certificate that was used briefly for a few days. Ultimately, Apple issued a third certificate (expires 2023.02.27) which we can assume is going to be valid going forward.

For your testing purposes, I have extracted all three certificates, dumped their primary attributes with OpenSSL and bundled them into a disk image (password: 'macappstore') for your inspection and testing.

The original (SHA1) certificate:

CN=Mac App Store Receipt Signing
EXPIRES=Nov 11 21:58:01 2015 GMT
SHA1 Fingerprint=4A:7B:3A:17:00:A4:DA:4A:D4:EA:43:3A:83:61:43:2E:CF:1C:A1:AF


The interim and deprecated (SHA256) certificate:

CN=Mac App Store and iTunes Store Receipt Signing
EXPIRES: Oct 23 19:09:31 2017 GMT
SHA1 Fingerprint=15:0C:E7:C4:1F:13:8F:ED:97:3E:94:78:BD:60:29:7A:A8:CB:BC:3F


The current (SHA1) certificate:

CN=Mac App Store and iTunes Store Receipt Signing
EXPIRES= Feb 7 21:48:47 2023 GMT
SHA1 Fingerprint=27:E2:53:E3:28:97:D6:77:B9:C9:FF:CB:C2:E4:8B:CD:C3:FB:11:01


Labels: certificate, mac app store receipt validation