Tighten Pro
C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation

11.17.2015
Mac Developer: Tighten Pro V2 Generated Receipt Validation Code Patch for Recent Mac App Store Update

On November 11, 2015, the certificate (CN "Mac App Store Receipt Signing") that the Mac App Store used to sign receipts expired. It was replaced by an intermediate certificate (expires: 2017.10.23), which has subsequently been replaced by another certificate ("Mac App Store and iTunes Store Receipt Signing" - expires 2023.02.07).

Code generated by Tighten.app (standard edition) is not affected by the change.

Code generated using the V2 Mac App Store receipt signing template in Tighten Pro must be patched to properly validate the new certificate. In particular, the SHA1 fingerprint of the signing certificate has changed. The new 24-byte value must be updated in two locations:

IN FUNCTION: ___MAS_VerifySigningCertificate
static const unsigned char kMASReceiptSigning_CA_SHA1_Bytes[] = {
    0x27,0xE2,0x53,0xE3,0x28,0x97,0xD6,0x77,0xB9,0xC9,0xFF,0xCB,0xC2,0xE4,0x8B,0xCD,0xC3,0xFB,0x11,0x01
};

IN FUNCTION: ___MAS_VerifyTrustCertificates
static const unsigned char kLEAFFingerprintBytes[] = {
    0x27,0xE2,0x53,0xE3,0x28,0x97,0xD6,0x77,0xB9,0xC9,0xFF,0xCB,0xC2,0xE4,0x8B,0xCD,0xC3,0xFB,0x11,0x01
};

The changes are straightforward and should function correctly through 2023.02.07.
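Before shipping the patched constants, it is worth confirming that the bytes typed into the source match the SHA-1 fingerprint reported for the signing certificate you actually trust. The following is an added example, not code generated by Tighten Pro: the helper names `parse_sha1_fingerprint` and `fingerprint_matches_pin` are hypothetical, and it assumes the fingerprint is available as hex text (colon-separated, space-separated or plain).

```c
#include <ctype.h>
#include <stdio.h>

#define SHA1_LEN 20 /* a SHA-1 digest is always 20 bytes */

/* Value from the post above; array name as in the generated code. */
static const unsigned char kMASReceiptSigning_CA_SHA1_Bytes[] = {
    0x27,0xE2,0x53,0xE3,0x28,0x97,0xD6,0x77,0xB9,0xC9,
    0xFF,0xCB,0xC2,0xE4,0x8B,0xCD,0xC3,0xFB,0x11,0x01
};
/* Fail the build if a byte is dropped or added while patching. */
_Static_assert(sizeof(kMASReceiptSigning_CA_SHA1_Bytes) == SHA1_LEN,
               "pinned fingerprint must be exactly 20 bytes");

static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "27:E2:..", "27 E2 .." or "27e2.." into out; 0 = ok, -1 = malformed. */
int parse_sha1_fingerprint(const char *text, unsigned char out[SHA1_LEN]) {
    size_t n = 0;
    while (*text) {
        if (*text == ':' || isspace((unsigned char)*text)) { text++; continue; }
        int hi = hex_val((unsigned char)text[0]);
        int lo = hi < 0 ? -1 : hex_val((unsigned char)text[1]);
        if (hi < 0 || lo < 0 || n == SHA1_LEN) return -1;
        out[n++] = (unsigned char)(hi << 4 | lo);
        text += 2;
    }
    return n == SHA1_LEN ? 0 : -1;
}

/* 1 = equals the pinned value, 0 = differs, -1 = unparseable input.
   Every byte is compared, so timing does not reveal the first mismatch. */
int fingerprint_matches_pin(const char *text) {
    unsigned char fp[SHA1_LEN], diff = 0;
    if (parse_sha1_fingerprint(text, fp) != 0) return -1;
    for (size_t i = 0; i < SHA1_LEN; i++)
        diff |= fp[i] ^ kMASReceiptSigning_CA_SHA1_Bytes[i];
    return diff == 0;
}

int main(void) {
    const char *reported = "27:E2:53:E3:28:97:D6:77:B9:C9:FF:CB:C2:E4:8B:CD:C3:FB:11:01";
    printf("pin check: %d\n", fingerprint_matches_pin(reported));
    return 0;
}
```

The same check applies to `kLEAFFingerprintBytes`, which carries the identical value in the second function.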

I've also submitted updates to TightenPro and Tighten to the Mac App Store, but apparently the ingest pipeline is like a Rube Goldberg machine and the updates are currently stuck in a dreaded "processing" state which is code language for: don't expect it ever to make it to the next stage of the submission pipe.


Copyright © 2005-2020
All Rights Reserved
Tighten Pro