New Website Push Certificate - Signature verification of push package failed.

We have recently created a new Website Push Certificate to support our implementation of Safari Push notifications as our current certificate was nearing expiry.

When we have tested with the new certificate we keep getting "Signature verification of push package failed." logged to our log endpoint and the user is not shown the Opting In dialog. I can see in the Safari console that permission has been denied. I have checked to ensure that the new website push id has been updated in our code.

This page https://developer.apple.com/support/expiration/ indicates that the intermediary certificate for Website Push Id was changed to the G4 certificate on the 27th January 2022. We had this intermediary certificate installed when generating the certificate.

I suspect the new G4 certificate in the chain is causing an issue but I'm not sure how to resolve it. I have tested the push package created with the companion files in the official documentation and we get the same error using the supplied scripts. Can anyone help?

I'm experiencing the same issue. Our push package with our previous certificate was able to register users, but it expired and the new certificate signed with the new intermediate certificate consistently gives us the "Signature verification of push package failed" message.

I work at the same company as DNAship, and we still don't have a solution to this problem ourselves. We resorted to using the companion file PHP script that Apple provides on https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/NotificationProgrammingGuideForWebsites/PushNotifications/PushNotifications.html, but even using that with a new cert results in the "Signature verification of push package failed." error.

andylith - did you guys ever get this figured out?

Same here. Old cert works, new cert doesn't. Please help.

We didn't get it sorted unfortunately. I contacted Apple support a couple of times but they just pointed me at documentation I had already followed. It's very frustrating. At the moment we have just had to leave it.

Hi, I recently faced this issue and, after a long time researching, I found that this is happening because of Apple's intermediate G4 certificate. The script provided by Apple to build the push package is not up to date with the new G4 intermediate requirements. So here are the steps that anyone could try to solve the issue.

  1. Download AppleWWDRCAG4.cer from the Certificate Authority page.
  2. Add this AppleWWDRCAG4.cer to your keychain.
  3. Create a .pem file from the above .cer by running:

         openssl x509 -inform der -in AppleWWDRCAG4.cer -out AppleWWDRCAG4.pem

  4. Now open the PHP script in an editor, which you had downloaded from here
  5. Find the create_signature function in the script and change the openssl_pkcs7_sign call to:

         openssl_pkcs7_sign("$package_dir/manifest.json", $signature_path, $cert_data, $private_key, array(), PKCS7_BINARY | PKCS7_DETACHED, "AppleWWDRCAG4.pem");

  6. Adding the .pem file path as the last argument of the openssl_pkcs7_sign function will create the correct signature, hence the correct push package will be generated.
  7. Run the PHP script again and enjoy the Safari notification.
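
The effect of that last argument can be reproduced offline with the openssl command line. The script below is an added example, not part of the post above or of Apple's companion script: it signs a manifest with and without the intermediate embedded in the PKCS#7 signature and checks each against a verifier that trusts only the root. The three certificates are constructed throwaway stand-ins for the root, the G4 intermediate and the Website Push ID certificate, the function names are hypothetical, and the assumption that the verifier holds only the root is a model, not a documented description of Safari's check.

```shell
#!/bin/sh
# Added example. Every certificate below is a constructed throwaway, not Apple's.

# issue NAME CN [x509 signing options]: write $d/NAME.key and $d/NAME.pem
issue() {
  n=$1; cn=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$n.csr" -days 1 "$@" -out "$d/$n.pem" 2>/dev/null
}

# make_test_chain DIR: constructed root -> intermediate -> leaf
make_test_chain() {
  d=$1; printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  issue root "Constructed Root" -signkey "$d/root.key" -extfile "$d/ca.ext" &&
  issue inter "Constructed Intermediate" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" &&
  issue leaf "Constructed Push ID" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial
}

# sign_manifest MANIFEST CERT KEY OUT [INTERMEDIATE_PEM]
# Detached, binary, DER PKCS#7. The optional fifth argument embeds the
# intermediate, like the last argument of openssl_pkcs7_sign in the PHP script.
sign_manifest() {
  openssl smime -sign -binary -outform DER -in "$1" -signer "$2" -inkey "$3" \
    ${5:+-certfile "$5"} -out "$4" 2>/dev/null
}

# chain_verifies SIGNATURE MANIFEST ROOT_PEM: true only if a verifier that trusts
# just the root can build the chain from the certificates inside SIGNATURE.
chain_verifies() {
  openssl smime -verify -binary -inform DER -in "$1" -content "$2" \
    -CAfile "$3" -purpose any -out /dev/null 2>/dev/null
}

demo() {
  t=$(mktemp -d) && make_test_chain "$t" || return 1
  printf '{"constructed":"manifest"}' > "$t/manifest.json"
  set -- "$t/manifest.json" "$t/leaf.pem" "$t/leaf.key"
  sign_manifest "$@" "$t/sig_leaf_only"
  sign_manifest "$@" "$t/sig_with_inter" "$t/inter.pem"
  for s in sig_leaf_only sig_with_inter; do
    if chain_verifies "$t/$s" "$t/manifest.json" "$t/root.pem"
    then echo "$s: verifies"; else echo "$s: chain cannot be built"; fi
  done
  rm -rf "$t"
}
demo
```

To inspect which certificates a real push package signature carries, `openssl pkcs7 -inform DER -in signature -print_certs -noout` lists their subjects and issuers.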