Fail to load AltStore PAL repos + GitHub based repos

[DelofJ]

So, I've done some digging with AltStore PAL repositories
Here's the AltStore PAL repository for UTM at this URL https://pal.getutm.app/config.json
(its GitHub repo is available here https://github.com/utmapp/altstore-pal-repo)
(and here's the AltStore PAL repo for Epic Games https://content-download-egs.distro.on.epicgames.com/iOS/altstore/source.json)
The "downloadURL" is "https://pal.getutm.app/adp/", however the download URL points to a folder containing a "manifest.json" and a "signature" file
What we are interested in is this URL "https://pal.getutm.app/adp/manifest.json"
As we can see, it contains 2 sections, "variants" and "deltas"
The "deltas" are not used in the UTM repo, however it is used in the Epic Games repo, idk what's the utility for it, I thing what we're interested in are the "variants"
In each variant, there is an "assetPath", it will usually be something like "variant/uuid.ipa"
So the final URL will be "https://pal.getutm.app/adp/variant/uuid.ipa"

And while searching for this, I found out that the UTM AltStore repo didn't work properly with this app https://pal.getutm.app/config.json
There is no download URL, as it uses GitHub to download the file
This repo uses "filename", "githubOwner", "githubRepository", "skipPrerelease" to download the latest release directly from GitHub releases

[therealFoxster]

Thanks for this! altsource-viewer does not officially support PAL repos atm but from the details you provided it looks doable and I definitely have plans for it in the near future. Do you happen to know what the URL for Epic Games' manifest.json is?

[DelofJ]

Well, let’s take Fall Guys 11.1.4 for example
You take the download URL, add "manifest.json" at the end, and you get https://content-download-egs.distro.on.epicgames.com/iOS/Org/o-4m3t3rbr8yw4rpfdlb6yjppdf6ztbf/d42d7101bb7a41c09a810ee418b7d3d0/4c1e51b2a65b409198e8203171aa98fd/91553473-0bc2-4133-86df-37420143dab3/manifest.json
There, you’ll see a section called "deltas" which I have no idea of what they are, each delta seems to have an attached ipa just like the variants, and each deltas are somewhat connected to a variant
Everything is a bit blurry, since there is not yet an official documentation for AltStore PAL sources
However, it appears that the ipas are encrypted, and I have no idea how they are decrypted
There is a signature file here https://content-download-egs.distro.on.epicgames.com/iOS/Org/o-4m3t3rbr8yw4rpfdlb6yjppdf6ztbf/d42d7101bb7a41c09a810ee418b7d3d0/4c1e51b2a65b409198e8203171aa98fd/91553473-0bc2-4133-86df-37420143dab3/signature
But I have no idea on how to use it

And about the sources based on GitHub repos, I think you’re able to link to the latest release with this link https://github.com/{githubOwner}/{githubRepo}/releases/latest/download/{filename}
However, with a front-end like this, maybe it’s better to use the GitHub API https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#get-the-latest-release

[DelofJ]

So I've done a bit more digging, and found the AltStore PAL official repository available here https://marketplace.altstore.io
After that, I was interested to see how AltStore PAL is initially installed, from this url https://altstore.io/download, and I've found the JavaScript that manages the installation of AltStore PAL https://altstore.io/js/download.js
So it seems like this url is being opened when installing AltStore PAL "marketplace-kit://install?alternativeDistributionPackage=" + adpURL + "&installVerificationToken=" + installVerificationToken + "&account=altstore"
installVerificationToken being the result of a POST request to https://api.altstore.io/install-token with the following body it seems like (I'm not so used to JavaScript) {"bundleID": "io.altstore.AltStore"}
And adpURL being the same download URL found in the official AltStore PAL source, it being "https://altstore.io/adps/altstore/2_1_2"
So now I have no idea if the installation of an app and its decryption is being handled by AltStore or iOS itself
Maybe if we knew how these ipa's were initially created and encrypted, we would have an idea on how to decrypt these ipa's
However in the meanwhile, all of this seems really complicated