Here is the latest message from Apple:
Hello,
As part of ongoing efforts to improve security and privacy on Apple platforms, the App Store receipt signing intermediate certificate is being updated to use the SHA-256 cryptographic algorithm. This certificate is used to sign App Store receipts, which are the proof of purchase for apps and In-App Purchases.
This update is being completed in multiple phases and some existing apps on the App Store may be impacted by the next update, depending on how they verify receipts.
Starting January 24, 2025, if your app performs on-device receipt validation and doesn’t support a SHA-256 algorithm, your app will fail to validate the receipt. If your app prevents customers from accessing the app or premium content when receipt validation fails, your customers may lose access to their content.
If your app performs on-device receipt validation, update your app to support certificates that use the SHA-256 algorithm; alternatively, use the AppTransaction and Transaction APIs to verify App Store transactions.
For more details, view TN3138: Handling App Store receipt signing certificate change.
If you have implementation questions, you can request code-level support.
The Apple Developer Relations Team
Do we need a change to the AppReceiptVerificatorMBS plugin?
Well, sounds like I may need to update my class.
Does someone have a new receipt file to test this?
Currently not, but Apple provides a way to test new certificates in a sandboxed environment:
Test your app receipt validation in the sandbox environment
Starting June 20, 2023, the sandbox environment produces app receipts that are signed using the SHA-256 intermediate certificate for apps running in iOS 16.6, tvOS 16.6, watchOS 9.6, and macOS 13.5. Follow these steps to test how your app handles the receipts:
1. On a test device, sign in to the App Store with your Sandbox Apple ID.
2. Launch the app.
3. Perform one or more actions that cause the App Store to send an updated receipt to your app, such as the following:
   - Make an in-app purchase
   - Call SKReceiptRefreshRequest
   - Call restoreCompletedTransactions() or restoreCompletedTransactions(withApplicationUsername:).
4. Verify that Apple signed the receipt with a SHA-256 certificate. Decode your app receipt as a PKCS #7 container, then confirm that the Receipt Creation Date string, identified as ASN.1 Field Type 12, is set to June 20, 2023 or later in the sandbox environment. (In the production environment, that date is August 16, 2023 or later.)
5. Ensure that your app calls its on-device receipt validation code with the new receipt.
6. Check that your on-device receipt validation succeeds.
If your app successfully verifies the receipt and you’ve confirmed that the new receipt uses the updated certificate in its certificate chain, your app is ready for Apple’s SHA-256 intermediate certificate update.
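The Receipt Creation Date check described in the quoted test procedure, as an added Python example (not code from Apple's technote or from the MBS plugin). It assumes the receipt payload has already been extracted from the PKCS #7 container, that field type 12 holds an IA5String date of the form YYYY-MM-DDThh:mm:ssZ, and it uses constructed sample payloads rather than real receipts; it does not verify the signature or the certificate chain.

```python
from datetime import datetime, timezone

# Cutoff dates as quoted on this page from TN3138.
CUTOFF = {"sandbox": datetime(2023, 6, 20, tzinfo=timezone.utc),
          "production": datetime(2023, 8, 16, tzinfo=timezone.utc)}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a definite length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def receipt_fields(payload):
    """Map field type -> raw value from the SET of SEQUENCE {type, version, value}."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x31:
        raise ValueError("receipt payload is not an ASN.1 SET")
    fields, pos = {}, 0
    while pos < len(body):
        _, attr, pos = read_tlv(body, pos)
        _, ftype, p = read_tlv(attr, 0)      # INTEGER: field type
        _, _version, p = read_tlv(attr, p)   # INTEGER: field version (unused here)
        _, value, _ = read_tlv(attr, p)      # OCTET STRING: field value
        fields[int.from_bytes(ftype, "big")] = value
    return fields

def created_on_or_after_cutoff(payload, environment):
    """True when field type 12 (Receipt Creation Date) is on or after the cutoff."""
    raw = receipt_fields(payload).get(12)
    if raw is None:
        raise ValueError("field type 12 (Receipt Creation Date) is missing")
    _, text, _ = read_tlv(raw, 0)            # IA5String wrapped inside the OCTET STRING
    created = datetime.strptime(text.decode("ascii"), "%Y-%m-%dT%H:%M:%SZ")
    return created.replace(tzinfo=timezone.utc) >= CUTOFF[environment]

# Constructed sample data (hypothetical helpers, short-form DER lengths only).
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def sample_payload(date_text):
    def attr(ftype, inner):
        return _tlv(0x30, _tlv(0x02, bytes([ftype])) + _tlv(0x02, b"\x01") + _tlv(0x04, inner))
    return _tlv(0x31, attr(2, _tlv(0x0C, b"com.example.app")) + attr(12, _tlv(0x16, date_text)))
```

A receipt that passes this date check still has to go through the app's own on-device validation code, which is the part that actually exercises SHA-256 support.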
Since August, this has probably been included in TestFlight and sandbox. Whether the certificate uses SHA1 or SHA256 should not matter for the calls in the plugin.