README.md in apple_receipt-0.2.1 vs README.md in apple_receipt-0.2.2

- old
+ new

@@ -5,11 +5,11 @@ [![Dependency Status](https://beta.gemnasium.com/badges/github.com/koenrh/apple_receipt.svg)](https://beta.gemnasium.com/projects/github.com/koenrh/apple_receipt) This gem allows you to read and verify Apple receipts. It was originally built to locally (server-side) verify the validity of receipts that are embedded in [Status Update Notifications](https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/StoreKitGuide/Chapters/Subscriptions.html#//apple_ref/doc/uid/TP40008267-CH7-SW13). -These receipts have a different format than [documented](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2) +These receipts have a different format than the [documented](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2) App Store receipts you might be familiar with, which are [PKCS #7](https://tools.ietf.org/html/rfc2315) containers with a payload (receipt data) encoded using [ASN.1](https://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.690). :warning: Note that this only covers the receipt data (signed data). You should not rely on (local) verification for data that is in the notification object, but 
@@ -44,25 +44,25 @@ # Read receipt's data (data in example shortened for brevity) receipt.purchase_info # => { # "quantity"=>"1", -# "expires-date-formatted"=>"2018-01-23 17:03:44 Etc/GMT", -# "is-in-intro-offer-period"=>"false", -# "is-trial-period"=>"false", -# "item-id"=>"1190360447", -# "app-item-id"=>"947936149", -# "transaction-id"=>"160000408504141", -# "web-order-line-item-id"=>"160000011000001", +# "expires_date_formatted"=>"2018-01-23 17:03:44 Etc/GMT", +# "is_in_intro_offer_period"=>"false", +# "is_trial_period"=>"false", +# "item_id"=>"1190360447", +# "app_item_id"=>"947936149", +# "transaction_id"=>"160000408504141", +# "web_order_line_item_id"=>"160000011000001", # "bid"=>"com.foo.bar", -# "product-id"=>"com.foo.bar.monthly", -# "purchase-date"=>"2017-12-23 17:03:44 Etc/GMT", -# "original-purchase-date"=>"2017-12-23 17:03:53 Etc/GMT" +# "product_id"=>"com.foo.bar.monthly", +# "purchase_date"=>"2017-12-23 17:03:44 Etc/GMT", +# "original_purchase_date"=>"2017_12_23 17:03:53 Etc/GMT" # } ``` -## Apple receipts +## Receipts A receipt is encoded as base64, and is formatted as a [NeXTSTEP](https://en.wikipedia.org/wiki/Property_list#NeXTSTEP) dictionary: ``` 
@@ -101,9 +101,20 @@ ### Purchase info The `purchase-info` entry contains a base64-encoded NeXTSTEP dictionary that contains the actual receipt data (purchase info). + +## Validation + +First, the signing certificate is parsed from the signature binary data. The +validation of the receipt works as follows. + +1. Verify that the signing certificate is valid, i.e. it is not expired, and + it chains up to either of the bundled Apple root certificates. +2. Verify that the signature over the signed data (version number and receipt + data) is signed by the private key that correspond to the public key that is + in the signing certificate. ## Contributing Bug reports and pull requests are welcome on [GitHub](https://github.com/koenrh/apple_receipt). This project is intended to be a safe, welcoming space for collaboration, and
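Review bot: in the second hunk (`@@ -44,25 +44,25 @@`) the hyphen-to-underscore key rename has leaked into a value: `# "original_purchase_date"=>"2017_12_23 17:03:53 Etc/GMT"` changes the date itself, whereas every other date in the example, e.g. `# "purchase_date"=>"2017-12-23 17:03:44 Etc/GMT"`, keeps its hyphens; restore `2017-12-23` on that line. It would also help to add one sentence saying that the gem now exposes Apple's hyphenated keys (`product-id`, `purchase-date`) under underscored names, because the Receipts section below still refers to the `purchase-info` entry by its on-the-wire name and a reader has no way to tell the wire key from the accessor key.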
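Review bot: in the new Validation section, step 2 has a grammar slip (`the private key that correspond to the public key` should read `corresponds`) and the phrase `the signature ... is signed by the private key` is circular; `the signature over the signed data ... was produced with the private key corresponding to the public key in the signing certificate` says it cleanly. More importantly, the section does not say what happens when a check fails (an exception or a false return), nor against which time the `not expired` check in step 1 is evaluated, and a caller needs both to handle receipts correctly. It should also state the limit of what these two steps prove: that Apple signed the version number and receipt data, nothing more. They do not check that `bid` or `product_id` in the purchase info belong to the caller's own app, so the README should advise comparing those against the expected values, in the same spirit as the existing :warning: about not trusting fields outside the signed data.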