Reputation: 491
Apple's App Store webhook (notification API v2) signs all requests. I would like to verify that the object was indeed signed by Apple in order to be sure that the request is coming from them.
Apple provides libraries that are able to do that, but unfortunately, in the environment I work in, all I can use is the library called 'jose'.
My understanding of cryptography is very shallow, but from what I understand, Apple provides their public root and public intermediate keys. They then send them inside the JWS's x5c array and expect us to verify that the leaf was signed by the intermediate certificate, and that the intermediate certificate was signed by the root certificate.
My goal is to achieve this verification. At the moment I have a signedPayload, and the public intermediate and root keys as env variables.
I then do this:

```javascript
import { importSPKI, jwtVerify } from 'jose';

const alg = 'ES256'; // assumed: the JWS algorithm used for the signed payload

try {
  // I am not sure if this is the correct way to verify Apple's certificate chain.
  // leafCertification and intermediateCertification are entries taken from the x5c array.
  const intermediatePublicKey = await importSPKI(env.APPLE_INTERMEDIATE_CERTIFICATION, alg);
  await jwtVerify(leafCertification, intermediatePublicKey);
  const rootPublicKey = await importSPKI(env.APPLE_ROOT_CERTIFICATION, alg);
  await jwtVerify(intermediateCertification, rootPublicKey);
}
catch {
  return new Response('Failed to verify apple certification chain.', { status: 401 });
}
```
Basically I expect it to throw if it couldn't be validated, but I guessed the whole process so it's probably not going to work.
How do I approach this problem?
Upvotes: 2
Views: 278