Apple Push Notification service server certificate update #404

Open
paul-brenner opened this issue Dec 6, 2024 · 6 comments
Comments

@paul-brenner

Apple has sent out a few emails warning of the following about required changes for APNS. Can anyone confirm whether this impacts Sygnal and, if so, how?

@omidethica

Would you please provide an update on this?

@paul-brenner
Author

Personally I'm just waiting until after January 20th to see if things break in sandbox and after February 24th for production. I don't expect anyone who knows the answer to see this issue until after that.

@codemonium

> Personally I'm just waiting until after January 20th to see if things break in sandbox and after February 24th for production. I don't expect anyone who knows the answer to see this issue until after that.

Hey @paul-brenner, did anything break in your sandbox since January 20th?

@paul-brenner
Author

Unfortunately I realized that I don't have a good way to switch over to sandbox without restarting Sygnal, which I think kills push notification for all production users until they open their app again. So I haven't been able to test.

@codemonium

> Unfortunately I realized that I don't have a good way to switch over to sandbox without restarting Sygnal, which I think kills push notification for all production users until they open their app again. So I haven't been able to test.

Thanks for the reply!

After doing a bit of digging, I think Apple just wants the server that's running Sygnal to include the "SHA-2 Root : USERTrust RSA Certification Authority" certificate wherever all the other certificates are stored.

In my case, Sygnal runs in a Docker container: matrixdotorg/sygnal:v0.12.0. If I navigate to /etc/ssl/certs, I see USERTrust_RSA_Certification_Authority.pem (which is just linked to /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt).

This certificate's sha256sum is 8a3dbcb92ab1c6277647fe2ab8536b5c982abbfdb1f1df5728e01b906aba953a, which matches the one for the "SHA-2 Root : USERTrust RSA Certification Authority" root certificate that Apple references in its announcement.

Given that, I don't think I or anyone else who uses one of the official Sygnal Docker images needs to do anything.
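
Added example (not part of the thread and not Sygnal's own code): one way to script the trust-store check described in the comment above, in Python. It reports whether an expected SHA-256 matches a file's bytes on disk (what `sha256sum` prints) or a decoded DER certificate (the certificate fingerprint), since the two differ for the same PEM file; the function names are hypothetical.

```python
import hashlib
import os
import re
import ssl

# One match per certificate; bundle files such as ca-certificates.crt hold many.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def digests_for(path):
    """Return (file_digest, der_digests) for one trust-store file.

    file_digest is what `sha256sum <path>` prints: a hash of the bytes on disk.
    Each der_digest is a certificate fingerprint: a hash of the decoded DER,
    unchanged if the PEM text is re-wrapped or its line endings differ.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    der_digests = []
    for block in PEM_BLOCK.findall(raw.decode("ascii", "replace")):
        try:
            der = ssl.PEM_cert_to_DER_cert(block)
        except ValueError:  # malformed base64 inside the block
            continue
        der_digests.append(hashlib.sha256(der).hexdigest())
    return hashlib.sha256(raw).hexdigest(), der_digests


def find_in_trust_store(cert_dir, expected):
    """Return [(path, kind)] whose SHA-256 equals expected; kind is 'file' or 'der'."""
    want = re.sub(r"[^0-9a-f]", "", expected.lower())  # accept AA:BB:.. or aabb..
    hits, seen = [], set()
    for name in sorted(os.listdir(cert_dir)):
        real = os.path.realpath(os.path.join(cert_dir, name))
        if real in seen or not os.path.isfile(real):
            continue  # symlink already visited, directory, or dangling link
        seen.add(real)
        file_digest, der_digests = digests_for(real)
        if file_digest == want:
            hits.append((real, "file"))
        if want in der_digests:
            hits.append((real, "der"))
    return hits


if __name__ == "__main__":
    import sys  # usage: python check_root.py /etc/ssl/certs <sha256>
    for path, kind in find_in_trust_store(sys.argv[1], sys.argv[2]):
        print(f"{kind} digest match: {path}")
```

An empty result means no file and no certificate in the directory hashes to the expected value.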

@paul-brenner
Author

Thanks for the digging. I see that my host (https://etke.cc/) also has the USERTrust_RSA_Certification_Authority.pem in place. I'll leave this open until start of March in case anyone else comes looking and then set a reminder to myself to close it.
