Apple StoreKit 2 X5C certificate expired, jwt.io still verifies successfully

Hello everybody,
today I noticed that some of my customer’s StoreKit 2 JWTs wouldn’t be verifiable on my server via a Swift JWT library.
However, when pasting the same JWT in jwt.io it would verify successfully. However, further investigation showed that the certificate that jwt.io displays in the “Verify Signature” section is in fact expired.

So the question is: Does jwt.io report a false positive or is it in fact correct to not verify the certificate expiration date when validating a JWT with X5C?

Hi @betaphi,

Welcome to the Auth0 Community!

I would expect JWT.io to be correct and not indicate a valid token signature/certificate if it was expired.

Can you share some steps to reproduce?
