android ios wallet pkpass

Consequences of the expiration of the signing certificate for an already issued PKPass file


I am currently exploring the possibility of using PKPass files to distribute some data to the users for a medium- to long-term period (a few months to several years).

One of the potential issues identified is that the signing certificates issued by Apple are valid for a period of 1 year, and for technical reasons, I would rather avoid having to update the issued passes for each new signing certificate if possible.

It's unclear to me what it means in practice for the generated PKPass files. From this answer to another post, I expected a PKPass to become invalid itself when the signing certificate expires, and to be rejected in some way by the Wallet application. But after some experiments with a generated PKPass file and setting the system date of an iPhone to a point clearly later than the validity period of the signing certificate, the iPhone seemingly accepted the PKPass without issue (same result when loading the PKPass after resetting the system date, or before). This is contrary to my expectations and I suspect that I missed something.

So in short, the question is: what are the consequences of the expiration of the signing certificate for an already issued PKPass file? Can those generated files still be loaded into and updated in the Wallet (and if so, for how long), or are they immediately invalid when the signing certificate expires?

PS: this question is mostly targeted at the official Wallet app on iPhone, but I'm also interested in any answers about the Android counterparts.


Solution

  • The signing date is embedded in the pass signature. When a pass is ingested, the signing date is checked against the certificate date to determine whether or not the certificate was valid at the time that the pass was compiled.

    If you fail to renew your certificate, then issued passes would remain valid indefinitely, but you would lose the ability to modify or update them in any way.
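A way to reproduce the check the answer describes with openssl, added here as an example (it is not code from the original post, nor Apple's or the Wallet app's own logic). The script signs a constructed manifest.json with a short-lived self-signed certificate that stands in for the one-year Pass Type ID certificate, reads the signingTime attribute back out of the detached CMS signature (the "signing date" the answer refers to), and verifies the signature as of that time versus as of a later date. openssl does not compare signingTime with the certificate's validity period by itself, so the script feeds the time in explicitly with -attime. It assumes openssl (1.1.1 or 3.x) and GNU date on the path; the certificate subject, file names and manifest contents are constructed for the demo, and a real pass additionally chains to the Apple WWDR intermediate, which is left out here.

```shell
#!/bin/sh
# Added example, not part of the original post. Reproduces the "was the
# certificate valid when the pass was signed?" check with openssl.
# Assumes: openssl (1.1.1 or 3.x) and GNU date. The certificate subject, file
# names and manifest below are constructed for this demo, not Apple's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed "pass signing" certificate valid for one day stands in for
#    the one-year Pass Type ID certificate issued by Apple.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=pass.example.demo (constructed)" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 2. A constructed manifest.json. A real manifest maps every file in the
#    .pkpass bundle to its SHA-1 digest; this one covers a single empty pass.json.
printf '{"pass.json":"%s"}\n' "$(printf '{}' | openssl dgst -sha1 | awk '{print $NF}')" \
  > "$WORK/manifest.json"

# 3. The detached, DER-encoded CMS signature over manifest.json, i.e. what goes
#    into the file named "signature" inside a .pkpass. openssl adds a
#    signingTime signed attribute by default (the "signing date" of the answer).
openssl cms -sign -binary -in "$WORK/manifest.json" -signer "$WORK/cert.pem" \
  -inkey "$WORK/key.pem" -outform DER -out "$WORK/signature"

# Unix time of the signingTime attribute embedded in the signature.
# (openssl prints it as "UTCTIME:Jun 10 10:20:30 2024 GMT"; GNU date parses that.)
signing_time_epoch() {
    raw=$(openssl cms -cmsout -inform DER -in "$WORK/signature" -print -noout \
          | grep -A2 'signingTime' \
          | grep -Eo '(UTCTIME|GENERALIZEDTIME):.*' | cut -d: -f2-)
    date -u -d "$raw" +%s
}

# Verify the detached signature as of the Unix time given in $1. openssl checks
# the certificate's validity period against that time and nothing else, so the
# caller decides whether "that time" is the signing date or today. Prints ok/fail.
verify_at() {
    if openssl cms -verify -binary -inform DER -in "$WORK/signature" \
         -content "$WORK/manifest.json" -CAfile "$WORK/cert.pem" \
         -attime "$1" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# The check the answer describes: the certificate must have been valid when
# the pass was signed, regardless of when the pass is loaded.
wallet_style_check() {
    verify_at "$(signing_time_epoch)"
}

SIGNED_AT=$(signing_time_epoch)
openssl x509 -noout -dates -in "$WORK/cert.pem"
echo "signingTime from signature      : $(date -u -d "@$SIGNED_AT")"
echo "valid at signing time           : $(wallet_style_check)"
echo "valid if checked two days later : $(verify_at $((SIGNED_AT + 2 * 86400)))"
```

The first verification succeeds because the certificate was valid on the signing date; the second fails with a certificate-expired error because the one-day certificate has lapsed by then. That is the difference between a verifier that anchors on the embedded signingTime, as the answer says Wallet does, and one that anchors on the current clock, which is what the question's expectation amounted to.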