Great library - I found one obscure issue where I had a pkpass that had an auxiliary field with a key and label but no value. This passes your validator but fails to work on Apple devices. Oddly, Apple seems to accept missing value fields in secondary field ok. Just not the auxiliary

Hi,
Thanks for the tool. I have code to generate pass and it had been working for a year until last month when my pass certificate expired. I renewed it and now, my code still generates pass without problem, but I can no longer open it, on either my laptop or my phone.
Here are the two files. The working.pkpass is generated on Feb this year and you can open it with wallet on laptop or phone. When I validate this, it shows the expired signature on your website, which is expected. The notWorking.pkpass was generated with renewed certificate. It passes all the validation but just won't open.

Do you know what could go wrong with the new ticket?

Thanks!

There are (currently) five different versions of the "Worldwide Developer Relations" certificate listed on https://www.apple.com/certificateauthority/

• Worldwide Developer Relations - G1 (Expiring 02/07/2023 21:48:47 UTC)
• Worldwide Developer Relations - G2 (Expiring 05/06/2029 23:43:24 UTC)
• Worldwide Developer Relations - G3 (Expiring 02/20/2030 00:00:00 UTC)
• Worldwide Developer Relations - G5 (Expiring 12/10/2030 00:00:00 UTC)
• Worldwide Developer Relations - G6 (Expiring 03/19/2036 00:00:00 UTC)

Issuer name CN=Apple Root CA, OU=Apple Certification Authority, O=Apple Inc., C=US is used by:

• G1 (AppleWWDRCA.cer)
• G3 (AppleWWDRCAG3.cer)
• G5 (AppleWWDRCAG5.cer)

Issuer name C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA - G3 is used by:

• G2 (AppleWWDRCAG2.cer)
• G6 (AppleWWDRCAG6.cer)

Validator.cs uses a hard-coded string comparison to locate the WWDR certificate inside the manifest - which means passes are only valid if signed with the G1, G3 or G5 WWDR certificates.

If all versions of the certificate are valid, we should check the cert by looking at the OU only.

If only specific versions of the certificate are valid, pkpassvalidator should notify you that the Apple WWDR certificate you're using is not valid for creating passes.

I'll do some digging and submit a PR that implements whatever's appropriate. :)

Hi，
I used jpasskit to generate a pkpass file. I can open it directly with my mac, but it cannot be verified by your program.

I want to know where there is an error, but I only get this information which is "Failed to process the pkpass file".

Can you tell me the reason？

Thank you

The newer G4 certificates use different OU values. These hasn't been updated in the validators code.

I need to overhaul the checks.

Hi Thomas!

First - thank you for this tool - has saved my sanity multiple times!

Issue:

Keys must be unique across ALL sections. (ie, even though they are in headerFields & primaryFields in the image, Apple balks at it). The Apple simulator threw an error that helped us find this

Image is file used by thenextweb/passgenerator

Actual pass.json:

Would love to see what's going on inside Apple's code to create this fuss - screams "patching legacy code" to me.

Thanks again!

Website https://pkpassvalidator.azurewebsites.net is unavailable (Error 500)

pkpassvalidator checks that the WWDR certificate subject is "CN=Apple Worldwide Developer Relations Certification Authority, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US". However this is the WWDR certificate I have, which has a different OU. Have they changed it? Or am I some sort of uninformed idiot? Your code identified another reason for my pass to not be accepted, so I'm going to fix that and see whether my pass starts working.

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:af:69:0a:25:b7:39:fe:7b:9b:44:7a:c1:78:c5:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
Validity
Not Before: Feb 19 18:13:47 2020 GMT
Not After : Feb 20 00:00:00 2030 GMT
Subject: CN = Apple Worldwide Developer Relations Certification Authority, OU = G3, O = Apple Inc., C = US

We were outputting the relevant date as:
2022-03-05T13:30:00 11:00

instead of:
2022-03-05T13:30:00+11:00

Passed validation but the pass was invalid.

Cheers

I just had a pkpass file not work for me in a very annoying way, and eventually I tracked it down to the colour.

My pass generation code used the Name property of a System.Drawing.Color object to set PassGeneratorRequest.BackgroundColor, LabelColor, and ForegroundColor, which worked when the Color object was a custom colour and the name property was the hex representation of the colour, but when it was the constant System.Drawing.Color.Black, and the json looked like this:

it just stopped working with the usual "Safari is unable to open this file" message.

I eventually managed to dig out of the log file the error:

Mar 7 14:19:15 iPhone MobileSafari(PassKitCore)[30760] : Invalid data error reading pass pass.com.monadticketing/b6688f74-f0ad-407f-b5f6-61a829fa7731. Unable to parse color string 'Black'.
Mar 7 14:19:15 iPhone MobileSafari(MobileSafariUI)[30760] : PassBook Pass download failed: Error Domain=PKPassKitErrorDomain Code=1 "(null)"

Would you like me to add to this tool validation of the values of the color fields, and submit a pull request?

I recently looked at a pass created by somebody and posted on Stack Overflow. They includes the necessary icon.png and [email protected] files, but the casing of the file names was incorrect (Icon vs icon).

This would be a useful check to add.

Some developers are having problems with the WWDR and overall trust chain (missing keys etc), so flagging them in the validator would be helpful.

According to the PassKit docs, authenticationToken must be at least 16 characters long. I spent a lot of time chasing my tail because FOOBAR < 16 characters.

Reference docs

For some reason the validation fails (all the "Signature" bullet points are red) but the generated pass is valid (it gets added to the Wallet just fine).

This happens when we use a newly generated Pass Type certificate. It still works fine with the old Pass Type certificate, but that one is expiring soon.

Just a note on something that will cause a pkpass to fail but your validator passes, is the date format of expirationDate (and probably relativeDate)

The date format has to be ISO format but cannot contain milliseconds. For example a coupon can contain:

         "expirationDate":"2020-08-25T15:03:03.000Z"

will fail IRL, but pass this validation script. It should be:

         "expirationDate":"2020-08-25T15:03:03Z"

I would submit a PR but I guess this is written in Csharp? Which I don't know.

I'm using the certificate downloaded from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and the subject does seem to match the wwdrCertSubject but the website is flagging this up as incorrect.

result.WWDRCertificateSubjectMatches = appleWWDRCertificate.Issuer == wwdrCertSubject;

Is this correct or should I be using a different cert?

• Support bundles
• Check each pass inside
• Check structure of bundle

I had a report from a user struggling to open a pass. Turns out that one of the hashes in the manifest.json file was incorrect. It would be useful to have the validator actually check this.