I've tested in-app purchases in a Windows Phone 8 application using the MockIAP library, and everything was OK. I've also tested receipt signature verification code (based on xmlseclibs by Robert Richards) on my server with the test Microsoft manifest from here, and it passes verification. I've heard that in beta mode in-apps are free and do not give you signed receipts, but when I created a beta app and tried to make a purchase from it, I got a signed receipt and it had version 2.0 (the MSFT sample has 1.0)!
I've traced verify and have found that both receipts (msft sample and one I've got) have the same CanonicalizationMethod, SignatureMethod, Transforms and DigestMethod, and everything is ok with msft sample, but digest value (Signature/SignedInfo/Reference/DigestValue) in my receipt was wrong.
I've also found that if I comment out only the digest verification, the signature verification succeeds. So the root of the evil is in this wrong digest value.
Maybe it is done intentionally? I mean, maybe I should not pay attention to the digest check when working with a beta app? Or is there some undocumented digest method MSFT uses?
Update: I tried to check the returned receipt with the MSFT verification example, and verification fails. Does anybody have experience with WP8 in-app purchase receipt validation? It looks like after they changed the format to version 2.0, app developers should have validation issues, as receipts now do not pass validation.
I've removed all unwanted chars and my code works both with sample WP8 and Windows Store receipts, but to check these new WP8 receipts one must skip digest check. I'll try this on production.
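Added example, not part of the original post and not xmlseclibs code: a simplified enveloped XML signature showing that the signature value covers only `SignedInfo`, so the `DigestValue` comparison is the only step that binds the receipt body to the signature. Assumptions: HMAC-SHA256 stands in for the RSA signature, the stdlib C14N 2.0 stands in for the receipt's canonicalization method, and the key, element layout and receipt are constructed for the demonstration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the store's RSA key
SAMPLE = ('<Receipt Version="2.0"><ProductReceipt ProductId="demo-item" '
          'PurchasePrice="$0"/></Receipt>')  # constructed receipt, not a real one

def c14n(elem):
    """Canonical bytes of one element (stdlib C14N 2.0, Python 3.8+)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def body_digest(receipt):
    """Enveloped-signature transform: hash the receipt minus <Signature>."""
    clone = ET.fromstring(ET.tostring(receipt))
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return base64.b64encode(hashlib.sha256(c14n(clone)).digest()).decode()

def mac_over(signed_info):
    """Keyed MAC over canonical SignedInfo (stand-in for the RSA signature)."""
    return hmac.new(KEY, c14n(signed_info), hashlib.sha256).digest()

def sign(receipt):
    sig = ET.SubElement(receipt, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ET.SubElement(info, "DigestValue").text = body_digest(receipt)
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac_over(info)).decode()
    return receipt

def verify(receipt, check_digest=True):
    info = receipt.find("Signature/SignedInfo")
    value = base64.b64decode(receipt.findtext("Signature/SignatureValue"))
    sig_ok = hmac.compare_digest(value, mac_over(info))  # covers SignedInfo only
    digest_ok = hmac.compare_digest(info.findtext("DigestValue"), body_digest(receipt))
    return sig_ok and (digest_ok or not check_digest)

def demo():
    good = sign(ET.fromstring(SAMPLE))
    edited = ET.fromstring(ET.tostring(good))
    edited.find("ProductReceipt").set("ProductId", "other-item")  # body changed after signing
    reindented = ET.fromstring(ET.tostring(good))
    reindented.text = "\n  "  # whitespace-only change inside the signed body
    return {
        "original": verify(good),
        "edited": verify(edited),
        "reindented": verify(reindented),
        "edited, digest skipped": verify(edited, check_digest=False),
    }

if __name__ == "__main__":
    print(demo())
```

With the digest comparison disabled, a receipt whose body was changed after signing is accepted, because the remaining signature check never looks at the body. The re-indented copy fails as well, since canonicalization keeps whitespace inside element content, so a receipt has to reach the verifier byte for byte.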