Implement Local Receipt Validation as recommended by Apple

Question

Implement Local Receipt Validation as recommended by Apple

bizz84 opened this issue 8 years ago · comments

Andrea Bizzotto commented 8 years ago

As recommended by Apple, local receipt validation can be performed with a number of steps:

To validate the receipt, perform the following tests, in order:

Locate the receipt.
If no receipt is present, validation fails.
Verify that the receipt is properly signed by Apple.
If it is not signed by Apple, validation fails.
Verify that the bundle identifier in the receipt matches a hard-coded constant containing the CFBundleIdentifier value you expect in the Info.plist file.
If they do not match, validation fails.
Verify that the version identifier string in the receipt matches a hard-coded constant containing the CFBundleShortVersionString value you expect in the Info.plist file.
If they do not match, validation fails.
Compute the hash of the GUID as described in Compute the Hash of the GUID.
If the result does not match the hash in the receipt, validation fails.

If all of the tests pass, validation passes.

A discussion on how this has been implemented by RMStore is here:
http://stackoverflow.com/questions/19943183/a-complete-solution-to-locally-validate-an-in-app-receipts-and-bundle-receipts-o

Also this series was recently published with some guidelines on how to implement local receipt validation. This links to the SwiftyLocalReceiptValidator project on GitHub, which you can already use independently of SwiftyStoreKit.

Ongoing discussion about how SwiftyStoreKit and SwiftyLocalReceiptValidator may fit together:
andrewcbancroft/SwiftyLocalReceiptValidator#1

Kymer · Answer 1 · Fri Jan 13 2017 07:10:01 GMT+0800 (China Standard Time)

Have there been any developments in regards to this issue? I was planning on writing a gist / small library for doing local receipt validation myself. I might contribute if there is still a need for this.

Andrea Bizzotto · Answer 2 · Sun Feb 05 2017 05:57:51 GMT+0800 (China Standard Time)

I don't expect to have time to implement this unfortunately.

Recently we have introduced a ReceiptValidator protocol and an AppleReceiptValidator class to implement validation with the Apple server.

@Kymer If you are planning to write this yourself, I would advise to create a new class that conforms to the ReceiptValidator protocol. This way the new code can be used directly in SwiftyStoreKit without changing existing interfaces.

Andrea Bizzotto · Answer 3 · Tue Feb 21 2017 07:34:13 GMT+0800 (China Standard Time)

Closed linked issue as duplicate: #75

Abhijit Joshi · Answer 4 · Wed Aug 23 2017 04:01:18 GMT+0800 (China Standard Time)

Hello, is there a way to clear all data associated with the in app purchase on a device? In particular, can we erase the "localReceiptData"? I see this is a read only property.

Michael Samoylov · Answer 5 · Tue Oct 10 2017 00:57:08 GMT+0800 (China Standard Time)

Yes, can you please make SwiftyStoreKit.localReceiptData swappable?

I'm experiencing issues with testing my receipt when running my macOS from Xcode because it doesn't have a receipt. I have to read Contents/_MASReceipt/receipt from the copy installed from the App Store.

I need the receipt to be able to read original_application_version.

Thanks!

Stan Mots · Answer 6 · Sun Jan 28 2018 04:44:21 GMT+0800 (China Standard Time)

@hanming223 But the author said he has no time to implement local receipt validation.

Julian Kahnert · Answer 7 · Mon May 06 2019 14:04:34 GMT+0800 (China Standard Time)

Hey,
first of all: thank you @bizz84 for maintaining this awesome project! It makes it so much easier to implement StoreKit functionality in any app.
I just found the MerchantKit framework from @benjaminmayo who skipped the OpenSSL implementation by writing a seperate ASN1 parser in Swift. This might be a great starting point, when adding a LocalReceiptValidator ( which implements the ReceiptValidator protocol).
I just wanted to save this thought for later, since I am quite busy in the next few weeks. But I definitely will have a look at it later on. 🙂

tikhop · Answer 8 · Thu Jun 27 2019 10:06:55 GMT+0800 (China Standard Time)

Hi,
A while ago I wrote a library to read and verify in app receipt locally. It has been decoding pkcs7 (and asn1 objects) into a sweet swift structure, validating hash and signature using OpenSSL.
A week ago I decided to substitute openssl with own decoder and validator. So far, all functionality, but signature validation work well.

Here is the lib: https://github.com/tikhop/TPInAppReceipt

Personally, I use SwiftyStoreKit for every project where I need to make in app purchase and I use my lib to validate and read receipt. (thank you @bizz84 for simplifying our lives)

If it's really an issue, we can try to combine both projects.

P.

Andrey Teologov · Answer 9 · Mon Jul 08 2019 15:25:28 GMT+0800 (China Standard Time)

Hi @tikhop, is there a demo available using your TPInAppReceipt lib with SwiftyStoreKit?

Christian Giordano · Answer 10 · Wed Jul 10 2019 14:58:32 GMT+0800 (China Standard Time)

@teologov they are kind of independent. That's how I check a subscription:

public static func isSubscribed() -> Bool {
        do {
            let receipt = try InAppReceipt.localReceipt()
            if let _ = receipt.activeAutoRenewableSubscriptionPurchases(ofProductIdentifier: subscriptionProductID, forDate: Date()){
                return true
            }
        } catch {
            print(error)
        }
        return false
    }

What's missing here is the logic to load from the Apple server if expired.

Andrey Teologov · Answer 11 · Thu Jul 11 2019 04:00:06 GMT+0800 (China Standard Time)

@nuthinking I tried to conform to ReceiptValidator protocol first, but it's not that convenient. So I just did the same way as you proposed. Thanks!

gerchicov-bp · Answer 12 · Tue Sep 24 2019 17:17:02 GMT+0800 (China Standard Time)

@bizz84 it is not enhancement. It is a bug