8

I get the error in the title anytime I try to install a manually packaged passbook app by pressing the 'Add' button. I can successfully install passbook apps that were packaged using the 'signpass' tool, but I now need to create dynamic packages on a unix server.

I have been trying to manually package my passbook app with various packages from the web, and each gives me the same error. Here are a couple packages I have tried: https://github.com/maater/TCSH-PKPass https://github.com/devartis/passbook https://github.com/pcperini/PyPKPass

This is the pass.json that is created and zipped (notice that teamIdentifier and passTypeIdentifier are both populated):

{
  "formatVersion" : 1,
  "passTypeIdentifier" : "pass.votizen.membership",
  "serialNumber" : "ASDF",
  "webServiceURL" : "https://www.votizen.com/passbook/",
  "authenticationToken" : "AUTH_TOKEN",
  "teamIdentifier" : "MY_TEAM_IDENTIFIER",
  "organizationName" : "Matthew Snider",
  "description" : "Your voter registration card",
  "logoText" : "VOTIZEN",
  "labelColor": "#B7B0A8",
  "foregroundColor" : "#5F6062",
  "backgroundColor" : "#FCFAF5",
  "generic" : {
    "headerFields": [
      {
        "key" : "reg_date",
        "label": "VOTER SINCE",
        "value" : "2002"
      }
    ],
    "primaryFields" : [
      {
        "key" : "party",
        "label": "REGISTERED PARTY",
        "value" : "Democrat"
      }
    ],
    "secondaryFields" : [
      {
        "key" : "election",
        "label" : "NEXT ELECTION",
        "value" : "November 6, 2012"
      }
    ],
    "auxiliaryFields" : [
      {
        "key" : "polling_place",
        "label" : "POLLING PLACE",
        "value" : "268 E Julian Street, San Jose, CA 95112",
        "textAlignment" : "PKTextAlignmentLeft"
      }
    ],
    "backFields" : [
      {
        "key" : "elections",
        "label" : "ELECTIONS YOU VOTED IN",
        "value" : "2010 General\n2008 General\n2008 Primary\n2004 General"
      },
      {
        "key" : "polling",
        "label" : "DIRECTIONS TO YOUR POLLING PLACES",
        "value" : "https://maps.apple.com/maps?q=268+E+Julian+Street,+San+Jose,+CA+95112"
      },
      {
        "key" : "website",
        "label" : "Powered by Votizen",
        "value" : "https://www.votizen.com/"
      }
    ]
  }
}

I followed the steps on Apple to generate my Pass Type ID certificate, downloaded it, and installed it in my Keychain Access. I then exported it as "Certificates.p12" and ran the following to generate certificate.pem and key.pem:

set P12 = Certificates.p12
set PASSWORD = MY_PASSWORD
# extract only the certificate from the .p12
openssl pkcs12 -passin pass:$PASSWORD -in "$P12" -clcerts -nokeys -out certificate.pem
# extract only the private key from the .p12
openssl pkcs12 -passin pass:$PASSWORD -in "$P12" -nocerts -out key.pem -passout pass:$PASSWORD

After the manifest file is created I run:

openssl smime -passin pass:$PASSWORD -binary -sign -certfile wwdr.pem -signer certificate.pem -inkey key.pem -in manifest.json -out signature -outform DER

I created the wwdr.pem by exporting the Apple Worldwide Developer Relations Certification Authority as a Privacy Enhanced Mail file.

I read somewhere that you need to have Apple Root Certificate Authority installed (which I have), so here is a list of the certificates that I have installed:

  • Apple Application Integration Certification Authority
  • Apple Root CA
  • Apple Root Certificate Authority
  • Apple Worldwide Developer Relations Certification Authority
  • com.apple.idms.appleid.prd.4f3756614a59746e554a36344e6b55426b64576441413d3d
  • com.apple.ubiquity.peer-uuid.207240B0-758A-4C1E-B173-D1B70FF03533
  • com.apple.ubiquity.peer-uuid.C5D1968F-8923-48E4-A09D-8C9AE485A88B
  • com.apple.ubiquity.ssl-cert.C5D1968F-8923-48E4-A09D-8C9AE485A88B
  • iPhone Developer: Matthew Snider
  • Pass Type ID: pass.votizen.membership

Obviously, there is something wrong with the certificate that I am using or how I'm packaging it. I have no idea what I'm doing wrong. I'm hoping somebody has an idea.

matt snider

2 Answers

17

I figured it out. I didn't realize when creating the p12 file that you need to select both the certificate and the private key. I assumed exporting the certificate would include the private key as well, but it does not. When you export the Pass Type ID in Keychain Access, make sure it says "Export 2 Items", not "Export Pass Type ID: ...".

matt snider
  • Glad you figured your problem out! BTW PyPKPass only requires the Private Key for signing, from which it derives the certificate info. – Patrick Perini Oct 15 '12 at 14:38
  • I am getting the below error while executing **try! PKPass.init(data: object as! Data)**. Invalid data error reading pass pass.airarabia.airarabia/62488078_003_SHJ_CGP_2388312279. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified. Fatal error: 'try!' expression unexpectedly raised an error: Error Domain=PKPassKitErrorDomain Code=1 "The pass cannot be read because it isn’t valid." The data retrieved by API call is working in Android. – Muhammad Maqsood Dec 05 '19 at 13:50
  • @MuhammadMaqsood have you been able to resolve this? I am getting the same error. – Stephan Walters Apr 10 '20 at 13:10
  • @Stephan, for me, the issue was with certificate expiry on our server-side that is communicating to the Apple server for PKPASS generation. I have created a new certificate and replaced it with the expired one and it starts working. – Muhammad Maqsood Apr 11 '20 at 06:47
7

I realise this is an ancient issue, but it came up again for me recently. The problem was that the "new" Apple WWDR certificate is not compatible with the pass certificate, also created by Apple.

The solution was to use the "old" WWDR certificate, expiring in 2023, when signing passes.

pipacs
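
A preflight check for the causes named in both answers and the comments (a key.pem with no private key in it, a key that does not belong to the certificate, an expired certificate, a WWDR certificate that did not issue the pass certificate). This is an added example, not code from any of the posters; the function name `check_pass_signing_material` and the `KEY_PASSIN` variable are assumptions, and the file names follow the question.

```shell
#!/bin/sh
# Added example: preflight check for the PEM files given to `openssl smime -sign`.
# check_pass_signing_material and KEY_PASSIN are hypothetical names. KEY_PASSIN is
# an openssl pass-phrase argument ("pass:secret", "env:PASSWORD"); default: empty.

check_pass_signing_material() {
    cert=$1 key=$2 wwdr=$3
    passin=${KEY_PASSIN:-pass:}

    # 1. key.pem must actually hold a private key. A .p12 exported from
    #    Keychain Access with only the certificate selected has none.
    key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null) || {
        echo "FAIL: no readable private key in $key" >&2; return 1; }

    # 2. The private key must belong to the Pass Type ID certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $cert" >&2; return 2; }

    # 3. Neither certificate may be expired.
    for c in "$cert" "$wwdr"; do
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1 || {
            echo "FAIL: $c is expired or unreadable" >&2; return 3; }
    done

    # 4. The WWDR certificate must be the one that signed the pass certificate.
    #    -partial_chain accepts the intermediate as trust anchor; -ignore_critical
    #    tolerates vendor-specific critical extensions OpenSSL does not recognise.
    openssl verify -partial_chain -ignore_critical -CAfile "$wwdr" "$cert" \
        >/dev/null 2>&1 || {
        echo "FAIL: $cert was not issued by $wwdr" >&2; return 4; }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run directly: sh check.sh certificate.pem key.pem wwdr.pem
if [ "$#" -eq 3 ]; then
    check_pass_signing_material "$@"
fi
```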