How to update my application's Trust Store for Apple's new root CA?

Apple says: https://developer.apple.com/news/?id=09za8wzy

Apple Push Notification service server certificate update October 17, 2024

The Certification Authority (CA) for Apple Push Notification service (APNs) is changing. APNs will update the server certificates in sandbox on January 20, 2025, and in production on February 24, 2025. All developers using APNs will need to update their application’s Trust Store to include the new server certificate: SHA-2 Root : USERTrust RSA Certification Authority certificate.

To ensure a smooth transition and avoid push notification delivery failures, please make sure that both old and new server certificates are included in the Trust Store before the cut-off date for each of your application servers that connect to sandbox and production.

At this time, you don’t need to update the APNs SSL provider certificates issued to you by Apple.

What does this mean for developers? What steps do I take in Xcode to update the application's Trust Store, and do I need to re-submit the application to the App Store? Do I need to add the CA to Keychain Access?

I couldn't find much information about a "Trust Store" in Xcode. Is this Trust Store on the server side instead? I have seen that "FCM already takes care of it" on their end, for example.

Furthermore, what's with the APNs SSL provider certificates?

Google's Gemini says:

Managed by the OS: You typically don't need to manually manage the trust store directly in your app code, as Apple's operating system automatically includes a set of trusted root certificates.

Gregory Magarshak asked Nov 17 '25 21:11



1 Answer

I asked myself the same question, "what do I need to do for my app to continue using the Apple Push Notification service (APNs)?" For me, the answer was "nothing". Here is the key question that led me to this conclusion:

Do you run a server that sends push notifications by POSTing directly to APNs?

  • No: If you send push notifications through Firebase Cloud Messaging, you POST to Google servers, not Apple servers. So this is Google's problem.

  • Yes: You need to update the OS on that server to recognize the new cert. Probably your OS already recognizes it. For instance, Ubuntu 22.04 has this new cert in the file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem. You can inspect it with openssl x509 -in /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem -text. You can verify this is the same cert that is referenced in the Apple notification by downloading that cert and inspecting it with openssl x509 -in /tmp/SHA-2\ Root\ \ USERTrust\ RSA\ Certification\ Authority.crt -text -noout.

kenstir answered Nov 19 '25 13:11

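The server-side check from the answer above (does the trust bundle my push server actually uses contain the root Apple names?) can be scripted rather than eyeballed. This is an added example, not code from the answer or from Apple; it compares SHA-256 fingerprints of the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints, so you can feed it the downloaded Apple certificate and your OS bundle. The file paths and the "certificates" embedded below are constructed placeholders, not real roots.

```python
"""Added example: is a given root present in a PEM trust bundle, by fingerprint?"""
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def split_pem_bundle(text: str) -> list[str]:
    """Return every PEM certificate block in a bundle, one string per cert."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            current = [line]
        elif line == PEM_FOOTER and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, formatted like openssl: AA:BB:CC:..."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_contains(bundle_text: str, expected_fingerprint: str) -> bool:
    """True if any cert in the bundle matches; colons and case are ignored."""
    want = expected_fingerprint.replace(":", "").upper()
    return any(fingerprint_sha256(c).replace(":", "") == want
               for c in split_pem_bundle(bundle_text))


def os_store_has_subject(common_name: str) -> bool:
    """Look for a CN in the store this Python uses (the OS store on Linux/macOS).
    Caveat: certs in a capath directory are only listed once they have been used."""
    ctx = ssl.create_default_context()
    for cert in ctx.get_ca_certs():
        rdns = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
        if rdns.get("commonName") == common_name:
            return True
    return False


# Constructed placeholders: valid PEM framing around arbitrary bytes, enough to
# exercise the fingerprint logic offline. Real use: read the downloaded Apple
# cert and e.g. /etc/ssl/certs/ca-certificates.crt (hypothetical path) instead.
CONSTRUCTED_ROOT = PEM_HEADER + "\nAAECAwQFBgcICQ==\n" + PEM_FOOTER
CONSTRUCTED_OTHER = PEM_HEADER + "\n/v3cuw==\n" + PEM_FOOTER
CONSTRUCTED_BUNDLE = CONSTRUCTED_OTHER + "\n" + CONSTRUCTED_ROOT + "\n"
```

Run `bundle_contains(open(bundle_path).read(), fingerprint_sha256(open(apple_cert_path).read()))` against each server that POSTs to APNs; a False before the cut-off date is the case Apple's notice warns about.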


