How do I verify Android In-app Billing with a server with Ruby?

I just figured this out.

Basically the way it works is that when a purchase succeeds the android market sends back a message (formatted in JSON) with the order details and a cryptographic signature. In the Security.java class the verify function is making sure that the message really did come from the Android market application by verifying the signature using your public key.

If you want to use your own server in the mix, you simply need to pass the signature and json payload to your server and verify the json payload on your server. If you can verify that the json data came from the market application, you can use it to create your server side order objects. Then you can respond to your client application that the order was processed and update your UI.

What I did in my app is just add in the server communication stuff in the Security class' verify function in place of the existing verify function.

The real trick is writing signature verification code in ruby. Here's what works:

base64_encoded_public_key is your key in your user profilesig is the signature property being passed into the Dungeons security exampledata is the json string sent back by the market.

require 'rubygems'require 'openssl'require 'base64'base64_encoded_public_key = "YOUR KEY HERE"data = "JSON_DATA_HERE"sig = "SIGNATURE HERE"key = OpenSSL::PKey::RSA.new(Base64.decode64(base64_encoded_public_key))verified = key.verify( OpenSSL::Digest::SHA1.new, Base64.decode64(sig), data )

This worked for me only after double Base64 decoding of signature.

  public_key = Base64.decode64(public_key_b64)  signature = Base64.decode64(Base64.decode64(signature_b64))  signed_data = Base64.decode64(signed_data_b64)  key = OpenSSL::PKey::RSA.new(public_key)  verified = key.verify(OpenSSL::Digest::SHA1.new, signature, signed_data)