Why receipt verification error: "java.security.SignatureException: Signature length not correct: got 248 but was expecting 256"?

I use Unity IAP to handle purchases on Google Play. On our server logs for receipt verification, most of the verification errors are of the form:

“java.security.SignatureException: Signature length not correct: got 248 but was expecting 256”

All of these seem to have orderIDs in the old format (123456789.12132033121), even though the purchase dates are long after Google Play’s switch to the new format (“GPA-1231-2342-…”).

Searching for the orderIds in the Google Play console’s order management tab returns no results for these orderIds.

So, it seems very likely that these are hacking attempts. But I couldn’t find much info about this kind of error online, so I wanted to make sure. I’m not sure why people would try to hack using the old format orderIds either.

Any idea what’s going on?

I had something similar, except it was 403 rather than 248. The overwhelming evidence is that it is a fraudulent transaction by someone using a microtransaction hack app; it needs a rooted device and intercepts app store requests to make it look like your microtransaction went through.

If your app only has local validation then the user gets free stuff, but the apps obviously cannot fake Google's actual private signature, so server-side validation traps it.

See "android - Google IAP returns short purchase token for verification" on Stack Overflow for a more detailed explanation.
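The server-side check the answer refers to, as an added example that is not code from either poster or from Unity IAP: Google Play signs the purchase JSON with SHA1withRSA under the app's licensing key, so a receipt whose signature is not exactly the key's modulus length (256 bytes for the 2048-bit key behind the error in the question) is rejected by `Signature.verify` before any math happens. The class and method names, the generated stand-in key pair and the sample receipt are all assumptions constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;

public class PlayReceiptCheck {
    // Google Play signs the purchase JSON with SHA1withRSA; the licensing key
    // from the Play Console is the matching RSA public key.
    static final String ALGO = "SHA1withRSA";

    // Server-side check: true only if the base64 signature verifies over the
    // exact purchase JSON string. A SignatureException (wrong length, bad
    // padding) or malformed base64 is logged and treated as a forged receipt.
    static boolean verifyReceipt(PublicKey playKey, String purchaseJson, String sigB64) {
        try {
            Signature sig = Signature.getInstance(ALGO);
            sig.initVerify(playKey);
            sig.update(purchaseJson.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(sigB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            System.out.println("rejected: " + e); // e.g. "Signature length not correct: got 248 ..."
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in key pair generated here; a real server holds only Google's public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed sample receipt with a placeholder order id.
        String purchase = "{\"orderId\":\"GPA.0000-0000-0000-00000\",\"productId\":\"gold_100\"}";
        Signature signer = Signature.getInstance(ALGO);
        signer.initSign(kp.getPrivate());
        signer.update(purchase.getBytes(StandardCharsets.UTF_8));
        byte[] good = signer.sign(); // 256 bytes for a 2048-bit key
        String goodB64 = Base64.getEncoder().encodeToString(good);
        System.out.println("genuine: " + verifyReceipt(kp.getPublic(), purchase, goodB64));

        // A truncated signature, like the 248-byte ones in the logs, cannot pass.
        String shortB64 = Base64.getEncoder().encodeToString(Arrays.copyOf(good, 248));
        System.out.println("forged:  " + verifyReceipt(kp.getPublic(), purchase, shortB64));
    }
}
```

Counting these rejections per order id, as the question does, is a reasonable fraud signal: the Play Console will have no record of such orders, while genuine receipts always carry a full-length signature.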