Do we really need signerCert.pem and signerKey.pem files to generate the apple pass ?

[itsAkash12]

@alexandercerutti I’ve been using the passkit-generator library to create Apple Passes, and I wanted to clarify a specific aspect of the signing process. In the official Apple documentation, it outlines the steps to sign the pass, including generating a manifest.json, creating a PKCS#7 detached signature, and adding it to the .pkpass bundle. However, it doesn’t explicitly mention the use of signerCert.pem and signerKey.pem files.

I noticed that passkit-generator appears to rely on these files for generating the signature. Could you confirm if these files are absolutely necessary for creating a valid Apple Pass using the library?
Additionally, if possible, could you share any documentation or additional resources that clarify why these files are required or how they relate to the signing process?

Thank you for your guidance!

[alexandercerutti]

Hi @itsAkash12, thanks for using passkit-generator!

I had to look up for a few things in order to answer you. Some things might be wrong, but I think all the elements are here.

The signature file is a file that is compliant with the S-MIME (IETF RFC 8851). This standard requires a public key (which I suspect it to be the WWDR.pem file), a body (which is manifest.json) and I think everything is wrapped in an ESS (RFC 2634), which is a secure layer.

I think this because the ESS specifies that some of its attributes are signingCertificate and signingTime, which is something passkit-generator provides.

And I think that in order to read the signerCertificate, you need a key.

In fact, you can use openssl smime to obtain signerCertificate details (including passTypeIdentifier and teamId) but not the private key.

I hope this answers to your question!
Let me know!

[itsAkash12]

Hi @alexandercerutti ,

Thank you for your detailed explanation! Your insights into the S-MIME compliance and how the signerCert.pem and signerKey.pem are used in generating the signature for the Apple Pass were very helpful.

I have a follow-up question:

1. Are the signerCert.pem and signerKey.pem files strictly required to generate a valid Apple Pass, or are there alternative ways to manage the signing process?

2. Do you happen to know if Apple explicitly documents the necessity of these files, or is it an inferred requirement based on the S-MIME standard? If possible, could you share any pointers to official Apple documentation or resources that explain this process?

I appreciate your time and help in clarifying this further!

Thank you again!

[alexandercerutti]

1. They are required. Apple Wallet seems to perform (maybe through the network as well) some validation checks when the pass is opened. And if passTypeIdentifier and teamIdentifier inside pass.json do not match with those from the signature, validation fails and it doesn't let you import the pass.
   They state, in the documentation, that you should create a PKCS#7 detached signature, which is exactly a file compliant with S-MIME.
   I seriously doubt you can create one without providing such details. Furthermore, without those, you'd probably be able to create a pass without being part of the Apple Developer Program, which is a requirement.
   What are the other alternative ways you hope could be used?

2. They say a pass.pkpass file should be compliant with a specific structure and the building process outcome should be compliant with the one resulting from the suggested steps

---

If you can share a broader view that describes what you are trying to do, I can maybe focus on that and help you in that direction.

Let me know!

[alexandercerutti]

Oh, just to clarify, signerCert and signerKey are names I created to let them have a more semantic name. Apple doesn't call such files in that way. signerCert is the PEM of what they export, which is cert.cer, while signerKey is the PEM of the private key you had to create.

[itsAkash12]

Hi @alexandercerutti Thank you for the detailed explanation regarding the necessity of signerCert and signerKey. I completely understand their role in ensuring compliance with Apple's validation requirements and signing process.

However, I’ve noticed a concerning issue: when generating the .pkpass file, the signerCert and signerKey files are being included in the bundle. This means that when the .pkpass file is unzipped, these sensitive files are visible. As these files are critical for signing and verifying the pass, their exposure could lead to serious security risks, including misuse by unauthorized parties.

Is this an expected behavior of the library, or could it be a misconfiguration on my end? If it’s a known issue, do you have any recommendations for preventing these files from being included in the .pkpass bundle?

[alexandercerutti]

@itsAkash12 If you see signerCert.pem and signerKey.pem inside the .pkpass, it means that you saved them in the model folder you are providing to passkit-generator, which is not a suggested behavior at all.

In fact, the files should be saved elsewhere. This location shouldn't be accessible neither from your users or malicious actors (e.g. env variables when you use self hosted or cloud services).

passkit-generator assumes the model folder contains all the required files that should be bundled and takes care of pruning only .-prefixed files (like .DS_Store) and nothing else, because dotted files are hidden by default and might not be seen by who created such model.

---

Take this as a valid rule to follow: your pass is public.

All the details you put in a .pkpass are publicly available to be read by users.

If you use the sharingProhibited: true in your pass.json, you are making it more complicated to extract the .pkpass from a device, but it still can be extracted.

Hence, passTypeIdentifier, teamIdentifier, signerCert.pem and all the data you put inside the bundle, are accessible by default from anyone who has a bit of knowledge (signerCert.pem can be accessed by reading the signature file). What is not accessible by default is the signerKey.pem.

Hope this helps.
Let me know!