Since I asked this question, Apple introduced a new API, and the answer is available: Setting up a third-party server to interact with Game Center (thanks, user2949759) and in several other places.
In particular , since iOS 7 ( Apple documentation on the Wayback Machine ):
-[GKLocalPlayer generateIdentityVerificationSignatureWithCompletionHandler:]
Creates a signature that allows a third-party server to authenticate the local player.
Relevant callback block arguments include NSURL *publicKeyUrl , NSData *signature , NSData *salt , uint64_t timestamp . They, together with the players playerID and bundleID should be sent to the server as "login information".
- At this point, the server side should use
publicKeyURL to obtain the public key - serverside, make sure this public key has been signed by Apple
- serveride, combines UTF-8 encoded
playerID , bundleID , uint64 timestamp and verbatim salt - serveride, generate SHA-256 above to create
digest - serverside, verify that the
signature that was sent to the server is correct using the public key downloaded earlier, signature and digest
Here is an example in pseudo-PHP , an example of how to implement this in Objective-C (which does not make sense to use verbatim), Go implementation , Ruby implementation , and there is an assortment of implementations in other languages on the same issue.
Not surprisingly, the Go implementation seems particularly readable, but does not confirm that Apple has released the public key. The related Ruby implementation provides a pretty clear example of how to do this.
Ivan Vučica
source share