How can the AppStoreConnect API be used to download certificates to sign passes?

App & System Services Apple Pay
dBrewster OP
Created Aug ’23
Replies 2
Boosts 0
Views 638
Participants 2

I am sure I am missing a pretty elementary step - but - I'm at a loss. I can build a certificate using KeyChain Access, upload the CSR, download the Certificate from the developer portal website and sign Apple Wallet Passes all day long. No Problem.

So I thought I'd try to automate some processes with the AppStoreConnectAPI.

I want to download the certificate from the app store and use it to sigh passes instead of file on the disk.

So I find the right certificate from the API, and one of the token in there is a big byte stream called "certificateContent"... which I assumed would be the same binary data as what I uploaded (and whats on disc).

But it doesn't work - it "fails to sign".

I must be missing some step that is preventing me from being able to use that key. I have a feeling the a key or something is missing from the certificate I download from Apple's API.

Any ideas?

Replies  2
Boosts  0
Views  638
Participants  2
dBrewster OP
Aug ’23

The "csrContent" in the certificate downloaded is null. I would not be surprised if this was the culprit... but I am at a loss as to how to download the certificate as is, inject the CSR and then use it all in code. (Im writing c# server code by the way in case it matters).

Of course - that's assuming this csrContent is the culprit.

0
DTS Engineer OP
Apple
Aug ’23

How can the AppStoreConnect API be used to download certificates to sign passes?

I don’t know much about Wallet but the way you wrote this suggests that you’re confused about the difference between a certificate and digital identity. I explain this in some detail in Certificate Signing Requests Explained, although its focus is on code signing not signing passes.

In short:

  • To sign something you need a digital identity, that is, a certificate and the private key that matches the public key in that certificate.

  • When you use the CSR workflow, Apple never gets a copy of your private key.

  • So the thing you download is just a certificate, and you can’t sign something with just a certificate.

  • You need to match it up with the associated private key to form an digital identity and sign with that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
How can the AppStoreConnect API be used to download certificates to sign passes?
First post date Last post date
 
 
Q