Why include AppleIncRootCertificate in app bundle?

The common advice I see when verifying App Store receipts is to download the Apple Root Certificate (AppleIncRootCertificate.cer) and include it in the bundle to verify the signature of receipts.


The receipt is a PKCS#7 file which already includes certificates. When I extract the certs with OpenSSL, the third cert is the exact same as the one I downloaded:


Why use the downloaded certificate when it's already included in the receipt? Is it extra security to stop people from signing a bogus receipt and bundling their own cert?

Is the included cert commonly checked (e.g. to see if it's the same as the one included in the bundle) or is it always ignored?

Are the other certs used at all (Apple WWDR and MAS/iTS Signing)?

Replies

I believe you identified the hack that this avoids:

>to stop people from signing a bogus receipt and bundling their own cert
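To make the reply concrete, here is an added example; it is not code from the thread or from Apple. It uses only the openssl CLI (1.1.1 or 3.x) and generates every key, certificate and the receipt payload itself: the "trusted" root is a stand-in for the AppleIncRootCertificate you would ship in the bundle, and the "rogue" root is a CA an attacker created to sign a forged receipt. Both receipts carry the same three-certificate chain shape as a real one (signing leaf, intermediate, self-signed root), both extract three certificates with `openssl pkcs7 -print_certs`, and both pass a signature check that trusts whatever certificates the receipt itself carries. Only the check anchored to the bundled root rejects the forged receipt, which is the whole reason the root is bundled rather than taken from the receipt.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Requires only the openssl CLI
# (1.1.1 or 3.x). Everything below (keys, certificates, the receipt payload) is
# generated here; "trusted" stands in for the root you ship in the app bundle,
# "rogue" for a CA an attacker created to sign a forged receipt.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_chain NAME: self-signed root -> intermediate CA -> receipt-signing leaf,
# the same three-certificate shape found inside a real receipt.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1 Root" -keyout "$1-root.key" -out "$1-root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1 Intermediate" -keyout "$1-int.key" -out "$1-int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1-int.csr" -extfile ca.ext \
    -CA "$1-root.pem" -CAkey "$1-root.key" -CAcreateserial -out "$1-int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1 Receipt Signing" -keyout "$1-leaf.key" -out "$1-leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1-leaf.csr" \
    -CA "$1-int.pem" -CAkey "$1-int.key" -CAcreateserial -out "$1-leaf.pem" 2>/dev/null
}

# make_receipt NAME PAYLOAD OUT: PKCS#7 SignedData with the payload embedded and the
# intermediate + root attached, which is why the root turns up when you extract certs.
make_receipt() {
  cat "$1-int.pem" "$1-root.pem" > "$1-chain.pem"
  openssl cms -sign -binary -nodetach -outform DER -in "$2" -signer "$1-leaf.pem" \
    -inkey "$1-leaf.key" -certfile "$1-chain.pem" -out "$3"
}

# count_embedded_certs RECEIPT: number of certificates carried inside the receipt.
count_embedded_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject'
}

# signature_ok RECEIPT: only checks that the signature over the payload verifies with
# the certificates the receipt itself carries (-noverify skips the chain entirely).
signature_ok() {
  openssl cms -verify -inform DER -in "$1" -noverify -out /dev/null 2>/dev/null
}

# anchored_ok RECEIPT ROOT: additionally requires the signer's chain to end in ROOT and
# nothing else (system trust store disabled); this is what bundling the Apple root buys.
anchored_ok() {
  openssl cms -verify -inform DER -in "$1" -CAfile "$2" -no-CAfile -no-CApath \
    -out /dev/null 2>/dev/null
}

# Constructed payload; a real receipt body is a DER-encoded set of attributes.
printf 'bundle_id=com.example.app quantity=1 (constructed payload)\n' > payload.bin
make_chain trusted
make_chain rogue
make_receipt trusted payload.bin trusted.p7
make_receipt rogue payload.bin rogue.p7

for r in trusted.p7 rogue.p7; do
  echo "$r: $(count_embedded_certs "$r") embedded certificates"
  if signature_ok "$r"; then echo "  signature verifies against the embedded chain"; fi
  if anchored_ok "$r" trusted-root.pem; then
    echo "  chain ends in the bundled root: accept"
  else
    echo "  chain does not end in the bundled root: reject"
  fi
done
```

Comparing the receipt's embedded root to the bundled copy byte for byte (or by SHA-256 fingerprint) is a cheap extra sanity check, but it is not a substitute for building the chain to the bundled anchor: a forged receipt can carry the genuine Apple root next to an attacker's intermediate, and only chain building notices that the intermediate was never signed by that root.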