App Store Connect generated the Subscription Key
-----BEGIN PRIVATE KEY----- MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgKfLl2Sldom13UQJi WdTL8aRc90qEigTA/QelysCOTiCgCgYIKoZIzj0DAQehRANCAASm29jY3KbTHtJI GkOgiXtvWnidZp5N+B/RDC9T0n/vZV/UCmbAA1wa1f5jF6E2YwzK5r/fsTAEac66 IlbfvTT4 -----END PRIVATE KEY-----
These keys work correctly and, Apphud successfully generates signatures using them.
Xcode generated Subscription Key
However, the private key that is generated in Xcode 12 is a different format key, and the algorithm described in Apple docs just doesn't work!
Subscription KeyTo find this popup window:
- Create a StoreKit configuration file as described in our previous blog post using the link above.
- With StoreKit Configuration file selected in the project navigator, go to Editor -> Subscription Offers Key.
The subscription key is a pair, which contains the public and private keys. And only a private key is displayed in the Xcode popup window. To view the full subscription key pair just open your Configuration.storekit file in any text editor, since it's just a text json file. There you will find subscriptionOffersKeyPair key. Here is an example below:
"subscriptionOffersKeyPair" : {
"id" : "AD97257D",
"privateKey" : "MF8CAQEEGNSWDVsrVXfxGfn2wvQAUUNHA/S+nqDvwqAKBggqhkjOPQMBAaE0AzIA\\nBK0s7Oq6mdN0mcimQvy+ofIpVfnZx7b/KZ7uesoNx6LwwQ3w5XyjrUN5Mx1onhl8\\nQg==",
"publicKey" : "MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAErSzs6rqZ03SZyKZC/L6h8ilV+dnH\\ntv8pnu56yg3HovDBDfDlfKOtQ3kzHWieGXxC"
}The bug
The bug is that the private key downloaded from App Store Connect uses a P-256 curve whereas the one provided by StoreKit Testing in Xcode uses a P-192 curve (OpenSSL identifies it as prime192v1). So generating a signature is not working, because OpenSSL unable to read the file. It throws "Unable to load key" or "Could not parse PKey: no start line" errors.
We contacted Apple Premium DTS Support, they confirmed that it is Xcode 12 bug. The issue persists in Xcode 12.4 (12D4e) and Xcode 12.5 beta (12E5220o).
The workaround
By default, OpenSSL is unable to parse the key with the header & footer that Xcode displays. You can workaround this issue by modifying the header and footer of the PEM format.
The header should be:
``` -----BEGIN EC PRIVATE KEY----- ``` and the footer should be: `-----END EC PRIVATE KEY-----`
We continue to communicate with Apple Premium Support and will update the article, once the issue is resolved. Hope it will be fixed in the next Xcode 12 release.
To get more insights regarding subscription app revenue growth read the Apphud Blog.
