Apple's war on their developers continues apace

It's Apple Pass Type ID Certificate Renewal Day, so let me share with you what a spectacular shitshow that is.

The DNA Lounge store sends you an Apple Wallet Pass when you buy a ticket. For the end user, it's a good system: your ticket pops up on your lock screen when you arrive at the club. I wish more businesses used it. (Looking at you, Alamo.)

But given how hard Apple makes it, I'm not at all surprised that more people don't.

If anyone sane were designing this, the API would be something like: "load this URL to put a JPEG in the special photo gallery that you can access without unlocking your phone. Done." But it's Apple, so you need to sign that JPEG with an Apple-issued certificate. And that certificate expires every 12 months. And you can't renew it, you have to create a new one every year by jumping through a set of hoops worthy of one of those "ninja warrior" shows.

Here are my notes on how to do that this year. Of course the procedure also changes slightly every year, and can't be sensibly automated.

This is insane. IN. SANE.

To create a new "dnapass.crt" file, which expires annually:

  1. developer.apple.com / Certificates / Identifiers
  2. Rightmost menu: "Pass Type IDs"
  3. Click on "pass.com.dnalounge" and Remove. (This step is new for 2020: It no longer lets you create a new pass with the name of an existing one, so we have to delete the old one first. But the name has to be the same as last year! And the error message just says "invalid", not "name already used".)
  4. Click the tiny plus box.
  5. Create new "Pass Type ID".
  6. Description: type "Ticket";
  7. Identifier: type "pass.com.dnalounge" (beware that it tries to "help" by typing out "pass." for you, so don't type it twice.)

  8. Keychain Access.app / Menu 0 / Certificate Assistant / Request from a CA.
  9. "jwz@jwz.org", "DNA Lounge Wallet Key"
  10. Checkbox "Save to disk"

  11. Back to the web site: Click on the "pass.com.dnalounge" pass.
  12. Choose File: "CertificateSigningRequest.certSigningRequest"
  13. Download the "pass.cer"

Now we need crt and key files that are not password protected, because we're doing this crazy thing of using these certs from a web server instead of typing in a password every time we use them. Here are the hoops for that:

  1. Open "pass.cer" in Keychain Access.app
  2. Select "My Certificates" (or else you can't select ".p12" on the Save dialog)
  3. Find the right "Pass Type ID" cert by looking for an "Expires" of today, since now there are several.
  4. Context Menu / Export / "Pass Type ID: pass.com.dnalounge" as "dnapass.p12" with blank password.
  5. openssl pkcs12 -in dnapass.p12 -clcerts -nokeys -passin pass: -out dnapass.crt
  6. openssl pkcs12 -in dnapass.p12 -nocerts -passin pass: -passout pass:TMPTMP -out dnapass.tmp
    (openssl insists on an export password here, so we use the throwaway "TMPTMP"; it has to be at least 4 characters.)
  7. openssl rsa -in dnapass.tmp -out dnapass.key -passin pass:TMPTMP
  8. openssl pkcs12 -in dnapass.p12 -out dnapass.pem -nodes -clcerts -passin pass:
  9. rm dnapass.tmp dnapass.p12
  10. "scp -p dnapass.* www:" and install the new certs.
  11. Update your calendar reminder for this date next year: remember, the new cert expires a year from today, not a year from when it expired this year.

If it doesn't work, check:

  • Web server error_log;
  • Safari + Console.app / Search "pass";
  • Apple root cert expiration:
    openssl x509 -enddate -noout < certs/wwdr.pem
    Get a new one from Apple (the current one expires in Feb 2023), then convert .cer to .pem with:
    openssl x509 -inform der < AppleWWDRCA.cer > wwdr.pem
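The openssl half of the procedure (the p12 conversion list and the wwdr.pem checks above), as an added example and not a script from the post. It wraps the same openssl commands in functions and adds the checks worth running before the scp: the key really is password-free, the key matches the cert, the pass cert was signed by the WWDR cert being shipped, and neither is about to expire. Filenames follow the post (dnapass.p12, dnapass.crt, dnapass.key, dnapass.pem, wwdr.pem); `make_test_fixture` and `wwdr-test.cer` are a constructed stand-in so the script can be exercised without an Apple-issued certificate.

```shell
#!/bin/sh
# Added example, not a script from the post: the openssl half of the annual dnapass renewal
# as shell functions, plus the sanity checks worth running before anything is scp'd to www.
# Filenames follow the post: dnapass.p12 in; dnapass.crt, dnapass.key, dnapass.pem, wwdr.pem out.
set -e

# Steps 5-9 of the second list: blank-password .p12 in, password-free crt/key/pem out.
# TMPTMP exists only because "openssl pkcs12 -nocerts" insists on encrypting its output.
extract_pass_certs() {
  p12="$1"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin pass: -out dnapass.crt
  openssl pkcs12 -in "$p12" -nocerts -passin pass: -passout pass:TMPTMP -out dnapass.tmp
  openssl rsa -in dnapass.tmp -passin pass:TMPTMP -out dnapass.key
  openssl pkcs12 -in "$p12" -nodes -clcerts -passin pass: -out dnapass.pem
  rm -f dnapass.tmp
}

# Apple distributes the WWDR certificate as DER (.cer); the web side wants PEM.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# The ways this breaks a year later: a key that is still encrypted, a key that does not match
# the cert, a pass cert that was not signed by the WWDR cert being shipped, and either cert
# about to expire. Returns 1 with a FAIL line on the first problem; prints subject/enddate on success.
check_pass_certs() {
  crt="$1"; key="$2"; wwdr="$3"; days="${4:-30}"
  if grep -q ENCRYPTED "$key"; then
    echo "FAIL: $key is still password protected"; return 1
  fi
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: $crt and $key do not belong together"; return 1
  fi
  # -partial_chain lets the WWDR intermediate act as the trust anchor, so no Apple root is needed here.
  if ! openssl verify -partial_chain -CAfile "$wwdr" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt was not issued by the certificate in $wwdr"; return 1
  fi
  for f in "$crt" "$wwdr"; do
    if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
      echo "FAIL: $f expires within $days days; time to renew"; return 1
    fi
  done
  openssl x509 -in "$crt" -noout -subject -enddate
}

# Constructed test fixture (no Apple involvement): a throwaway CA standing in for WWDR issues
# a leaf for pass.com.dnalounge, packaged the way Keychain Access exports it (blank-password
# .p12), and the CA is written out as DER the way Apple publishes WWDR.
make_test_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout tca.key -out tca.pem -days 1000 \
    -subj "/CN=Constructed stand-in for WWDR" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout tl.key -out tl.csr \
    -subj "/CN=Pass Type ID: pass.com.dnalounge" 2>/dev/null
  openssl x509 -req -in tl.csr -CA tca.pem -CAkey tca.key -CAcreateserial -days 365 \
    -out tl.pem 2>/dev/null
  openssl pkcs12 -export -inkey tl.key -in tl.pem -name "Pass Type ID: pass.com.dnalounge" \
    -passout pass: -out dnapass.p12
  openssl x509 -in tca.pem -outform der -out wwdr-test.cer
  rm -f tca.key tca.pem tca.srl tl.key tl.csr tl.pem
}

# Stand-alone run against the real files in the current directory:
#   DNAPASS_RUN=1 sh renew-check.sh
if [ "${DNAPASS_RUN:-0}" = 1 ]; then
  extract_pass_certs dnapass.p12
  check_pass_certs dnapass.crt dnapass.key certs/wwdr.pem
fi
```

`check_pass_certs` defaults to a 30-day horizon, so the same command doubles as the calendar reminder if it is run from cron. One caveat for anyone on OpenSSL 3: a .p12 exported by Keychain Access uses ciphers that OpenSSL 3 moved to its legacy provider, so if the `openssl pkcs12` reads fail with an "unsupported" error, add `-legacy` to those commands (the constructed fixture above does not need it).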
