Apple StoreKit 2 X5C certificate expired, still verifies successfully

Hello everybody,
today I noticed that some of my customer’s StoreKit 2 JWTs wouldn’t be verifiable on my server via a Swift JWT library.
However, when pasting the same JWT in it would verify successfully. However, further investigation showed that the certificate that displays in the “Verify Signature” section is in fact expired.

So the question is: Does report false positive or is it in fact correct to not verify the certificate expiration date when validating JWT with X5C?

Hi @betaphi,

Welcome to the Auth0 Community!

I would expect to be correct and not indicate a valid token signature/certificate if it was expired.

Can you share some steps to reproduce?
