I can easily decode the JWS using node-jose j.JWS.createVerify().verify(jwsString, {allowEmbeddedKey: true}).then(r => obj = r) which gives me an object like:
{
protected: [ 'alg', 'x5c' ],
header: {
alg: 'ES256',
x5c: [
'MIIEMDueU3...',
'MII...',
'MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0...'
]
},
payload: <Buffer 7b 22 74 72 61 6e 73 61 63 74 69 6f 6e 49 64 22 3a 22 31 30 30 30 30 30 30 38 38 36 39 31 32 38 39 30 22 2c 22 6f 72 69 67 69 6e 61 6c 54 72 61 6e 73 ... 420 more bytes>,
signature: <Buffer f8 85 65 79 a1 dc 74 dd 90 80 0a a4 08 85 30 e7 22 80 4c 20 66 09 0b 84 fc f4 e5 57 53 da d5 6f 13 c6 8f 56 e8 29 67 5c 95 a6 27 33 47 1e fe e9 6e 41 ... 14 more bytes>,
key: JWKBaseKeyObject {
keystore: JWKStore {},
length: 256,
kty: 'EC',
kid: 'Prod ECC Mac App Store and iTunes Store Receipt Signing',
use: '',
alg: ''
}
}
And it's easy to JSON.parse the payload and get the data I want. But how can I verify that it's authentic using the certificate chain in the x5c field?
Ok, turns out until Apple publishes their public keys, which evidently they have not yet done, there is no way to verify these JWS tokens.
I gave up and just went ahead with local Homebrew. It's not great, but feel free to grab my ci_post_clone.sh script. Note that this overwrites .xcode.env, so if you have anything in there besides your NODE_BINARY path you'll need to adjust accordingly.
#!/bin/zsh
set -e
export CI_SCRIPTS_DIR=${PWD}
export RN_DIR=${PWD}/../../
export RN_IOS_DIR=${PWD}/../
export BREW_DIR=${CI_DERIVED_DATA_PATH}/opt/hombrew
echo "*** Date: $(date)"
echo "*** Running post clone script in: ${PWD}. RootDir = ${ROOT_DIR}"
echo "*** Running RN_DIR ${RN_DIR}"
echo "*** Running RN_IOS_DIR ${RN_IOS_DIR}"
echo "*** Running BREW_DIR ${BREW_DIR}"
mkdir -p ${BREW_DIR}
export PATH=${BREW_DIR}/bin:${PATH}
cd ${BREW_DIR}
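# The Homebrew tarball unpacks its launcher as bin/brew, so test for that name.
if [[ ! -e "${BREW_DIR}/bin/brew" ]]
then
echo "*** Installing home brew"
# Unpinned install: this unpacks whatever is on master at build time.
curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip-components 1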
else
echo "*** Brew already installed. using $(command -v brew)"
fi
echo "*** PATH: ${PATH}"
# ROOT_DIR is not set in this script; it has to come from the environment.
cd ${ROOT_DIR}
which brew
# Install CocoaPods using Homebrew.
brew install cocoapods node@16 yarn --quiet
brew link --overwrite node@16 --quiet
ls /Users/local/Homebrew/bin
NODE_BINARY="${NODE_BINARY:-$(command -v node || true)}"
echo "### AUTOMATICALLY GENERATED FILE FOR LOCAL HOMEBREW" > ${RN_IOS_DIR}/.xcode.env
echo "export NODE_BINARY=${NODE_BINARY}" >> ${RN_IOS_DIR}/.xcode.env
echo "*** ${RN_IOS_DIR}/.xcode.env: "
cat "${RN_IOS_DIR}/.xcode.env"
# Install dependencies you manage with CocoaPods.
pod install
echo "*** Finish Date: $(date)"