I continue to have some major issues in trying to get an updated version of a previously working application to verify the Mac App Store receipt correctly.
I am currently building the app with Xojo 2023r1.1. I am using App Wrapper 4.5 to create the installer bundle. I install the application with sudo installer -store -pkg /Path /To/ Installer /Bundle -target /
When I then try to launch the application, it launches but gives me the “ is damaged and can’t be opened. Delete and download it again from the App Store.” message.
In tracing my code, it appears that the receipt is not valid, even though it exists.
This was all working code in a prior version and I’ve not made any changes since the last time I did this (admittedly a year ago).
Here is the code I use to validate the receipt:
SystemMessage "Creating Verifier..."
dim a as new AppReceiptVerificatorMBS
if not( a = Nil ) then
SystemMessage "Locating Receipt..."
dim f as FolderItem = app.ExecutableFile.Parent.Parent.Child( "_MASReceipt" ).Child( "receipt" )
if f = Nil then
SystemMessage "No Receipt found or Nil."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
else
if f.exists then
SystemMessage "Building Receipt..."
dim r as AppReceiptMBS = AppReceiptMBS.receiptForFile(f)
r.setAppleRootCertificate AppleIncRootCertificate
if not( r = Nil ) then
SystemMessage "Setting Bundle Metadata..."
a.bundleIdentifier = kBundleIdentifierAppStore
a.bundleVersion = App.ShortVersion
SystemMessage "Verifying Receipt..."
if a.verifyReceipt(r) then
SystemMessage "App Store receipt is valid."
Valid = True
else
SystemMessage "App Store receipt is invalid."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
end if
else
SystemMessage "No Receipt found."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
end if
else
SystemMessage "Unable to Build Receipt."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
end if
end if
else
SystemMessage "Unable to create Receipt Verifier."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
end if
SystemMessage is a global method that writes to the console, which is how I am tracing what this method is doing when trying to verify the receipt.
Does anyone have any ideas? This is the last thing keeping me from publishing an update to this app.
I know it seems like I ask questions around this a lot, but each time I do this, something different happens and I can’t ever seem to come up with a stable solution that just works.
This is the normal behaviour since some months (Apple did change something on their side), so you either have to use Testflight, if you want to test your app before submitting to the users via MAS or create a version without receiptcheck to test everything else except receiptvalidation…
if a.verifyReceipt(r) then
SystemMessage "App Store receipt is valid."
Valid = True
else
SystemMessage "App Store receipt is invalid."
Valid = False
declare sub exit_ lib "System" alias "exit" ( code as Integer )
exit_ ( 173 )
end if
a.verifyReceipt(r) always comes back as False.
As for just running the installer, I had always heard that wasn’t a valid way to test. But, if I’m wrong on that, I will give that a try.
Testing on macOS Ventura 13.3.1.
Oh, and App Wrapper says that everything completed successfully.
When you exit with code 173 that tells the system the receipt is invalid, and Finder is supposed to ask you to sign in to your Mac App Store account so that it can fetch a new receipt.
Is that not happening?
When I last worked with Mac App Store receipts, there wasn’t a way to see them ever validate in debug mode. You had to build, run the build, and sign in to an account.
It is not asking me to sign in. It simply throws up the error message in question. But, I can tell by watching the console that the code here is executing up to determining that validating the receipt is failing. I also see reference in the console to
StoreLegacy: received app-exitCode(173) for /Applications/AppName.app
which implies is getting the exit code, correct?
That said, right after the above message, the following messages also appear in the console:
tccd: IDENTITY_ATTRIBUTION: Failed to copy signing info for [pid], responsible for /Applications/AppName.app/Contents/MacOS/AppName: #-67065: Error Domain=NSOSStatusErrorDomain Code=-67065 "(null)"
storekitagent: [Client] (AppName.app) Initialized with server Sandbox bundle ID com.company.AppStore.AppName and request bundle ID com.company.AppStore.AppName]
appstoreagent: MDQuery changed app: <SoftwareItem: 0x122e7fa90>: (com.company.AppStore.AppName, 5.5.1, 0:0 md:0x122ed1400 /Applications/AppName.app)
Each of those seems related to app store shenanigans, but I have no idea if they are related or relevant.
Thats not neccessary - its only about testing an app before submitting it to review in MAS where there is a problem with receiptvalidation.
I have uploaded round about 20 updates to my apps in the MAS since Apple changed something (after enabling Testflight for macOS) in the use of sandbox accounts.
You are referring to this code, aren’t you? #if not debugBuild then
///////////////////////////////////////////////////////////////////////////////////////////
////
//// Jan 2016 App Store Receipt verification code by Sam Rowlands
//// This is mostly Thomas Templemann’s work and also based various Apple documents.
////
///////////////////////////////////////////////////////////////////////////////////////////
// — Load the bundle receipt, if it exists.
Dim receipt as appStoreReceipt = appStoreReceipt.mainBundleReciept
// — Make sure app is code signed (does not ensure an App Store cert, as there are 4 possibilities that we’re aware of).
if appStoreReceipt.appCodeSignature = “” then// receipt.reject
end if
etc. etc.
I seem to recall there was a crypto location too that needed modification:
declare function d2i_PKCS7_fp lib “/usr/lib/libcrypto.35.dylib” (fp as integer, p7 as Ptr) as Ptr
is okay, it was the libcrypto without versionnumber, Apple didn’t like any more…
There are more up-to-date versions of libcrypto available in macOS, so you can choose one that fits your needs (depends on how far back you want to support older systems)
You’re going to face increasing challenges with creating Mac App Store applications in Xojo, from both Apple and Xojo.
First
It appears that Apple have unofficially deprecated the Mac way of verifying receipts in a test environment. I have posted a solution in the following article, but I warn you now. It is API 1.0 only code and I’ve heard of several people failing to convert it to API 2.0.
Second
Apple now hide the built-in libraries and expect you to roll your own, the code above still uses existing Apple libraries, but in the future you’re going to have to look elsewhere.
Xojo actually include libCrypto within built Xojo apps, however they do not expose the functions needed for App Store receipt verification. There is a feature request for this, and I have lobbied for Xojo to implement this, but they felt we’d all like to re-write apps instead.
I wish you the best of luck, but in all honesty if your primary goal is to make Mac apps for the Mac App Store, I’d suggest you look into alternative Mac development tools for the future.
Hmm
I have been debating a Mac Store app, but they don’t allow user-generated serial numbering, do they?
Without App Store Receipt validation, does that mean people could just duplicate an app to another machine without buying?
What do you want to do? Does your app generated serial numbers or do you want to give each customer a serial number to identify them?
If you don’t verify the receipt users could delete it or copy your app without buying.
AppStore Receipt Validation is working, we are talking about problems with testing the receipt verification of an app before submitting it to MAS review. This was done with a sandbox user until last October/November, when Apple ported Testflight to macOS. Since then, the old way to have a sandbox user who got a new receipt is broken.
And it looks like you have to bring your own Libcrypto - as Apple hides theirs and Xojo currently does not expose its internal dylib - if you use Thomas Tempelmanns / Sam Rowlands receipt validation. Juerg Otter has a Xojo project to build your own LibCrypto at Github, as Beatrix Willius mentioned above.
And for those who own a MBS licence, there are StoreKit classes to verify a receipt and In-App-Purchases.
