Is the Apple root certificate in the App Store Server API response always 'Apple Root CA - G3'?
When isn't it?
What criteria should I set for the 'performRevocationChecking' parameter value of the verifyChain method of the ChainVerifier class in the App Store Server Library?
I am implementing the 'App Store Server API' call myself. Do you include the root certificate in the certificate chain verification process? Can root certificates be forged?
Hello, I recommend watching https://developer.apple.com/videos/play/wwdc2023/10143/, this covers the process for using the App Store Server Library, and for things like when to enable performRevocationChecking.
TLDR, use all Apple Root CAs, performRevocationChecking should be true unless you are re-verifying data that was received a long time ago in the past. The SignedDataVerifier class takes an entire JWS, whether you implement the API call yourself or not, we recommend using the SignedDataVerifier class to verify the signed data.