I used an Internet article How to Validate iOS In-App Purchase Receipts Locally from https://medium.com/better-programming (I am not affiliated with it in any way.) It shows how to get the receipt (I used string input to XCode console), save it and extract the file receipt.pkcs7.certs. I opened that file with an editor and there were 3 certificates there. I divided it into 3 files, then ran command openssl x509 -in receipt.pkcs7.cert1 -text -noout for each one.

Mine too - I had on-device verification of the chain to Apple Root CA. I did not check production myself, but someone wrote that one was different - it simply did not have a signature instead of expired one. So, if you did everything right and actually checked the certificates chain to root, you were stuck either way. Thank you Apple. What is the point of warning us to not depend on soon-to-be-changed intermediate certificates, if you actually did it not the way you described? :-(