Still not sure why Signature.verify fails, but found a workaround for now: decrypt the signature to check, and unpad the SHA1 hash from the decrypted hash, and compare with the data buffer digest. If the two match, then it validates the Game Center user credentials, otherwise it does not. See sample code below.

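    import java.security.MessageDigest;
    import java.util.Arrays;
    import javax.crypto.Cipher;

    // SHA-1 over the payload. Note: array() returns the whole backing array,
    // regardless of the buffer's position and limit.
    final MessageDigest md = MessageDigest.getInstance("SHA-1");
    byte[] digest = md.digest(dataBuffer.array());
    // RSA public-key operation; the cipher strips the PKCS#1 v1.5 padding.
    Cipher c2 = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    c2.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
    byte[] decrypted2 = c2.doFinal(sigToCheck);
    final byte[] unpaddedSHA1 = Utils.unpadSHA1(decrypted2);
    System.out.println("signature verifies: " + Arrays.equals(digest, unpaddedSHA1));
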
Where unpadSHA1 is defined as follows:

    import javax.crypto.BadPaddingException;
    import javax.xml.bind.DatatypeConverter;

    // DER-encoded DigestInfo header that precedes a SHA-1 hash in a PKCS#1 v1.5 signature.
    private static final String SHA1_PAD = "3021300906052b0e03021a05000414";
    private static final byte[] sha1pad = DatatypeConverter.parseHexBinary(SHA1_PAD);

    public static byte[] unpadSHA1(byte[] padded) throws BadPaddingException {
        int k = 0;
        if (padded.length < sha1pad.length) {
            throw new BadPaddingException("Padding string too short");
        }
        // Count how many leading bytes match the header; stop at the first mismatch.
        while (true) {
            if (padded[k] != sha1pad[k]) {
                break;
            }
            k++;
            if (k == sha1pad.length) {
                break;
            }
        }
        // Everything after the matched bytes is returned as the hash.
        int n = padded.length - k;
        if (n > 256) {
            throw new BadPaddingException("Unpadded data too long");
        }
        byte[] data = new byte[n];
        System.arraycopy(padded, padded.length - n, data, 0, n);
        return data;
    }
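
A stricter form of the same check, added here as an example and not part of the original answer: instead of stripping the header from the decrypted block, it rebuilds the expected block (SHA-1 DigestInfo header followed by the digest) and compares the two whole, so any deviation in the header or length is rejected. The class name, the key pair generated in `main` and the payload string are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.Cipher;

public class StrictSha1RsaCheck {
    // DER DigestInfo header for SHA-1, the same bytes as SHA1_PAD in the answer.
    private static final byte[] SHA1_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    static boolean verify(PublicKey key, byte[] data, byte[] sig) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(data);
            // Expected block: header, then the 20-byte digest, and nothing else.
            byte[] expected = new byte[SHA1_PREFIX.length + digest.length];
            System.arraycopy(SHA1_PREFIX, 0, expected, 0, SHA1_PREFIX.length);
            System.arraycopy(digest, 0, expected, SHA1_PREFIX.length, digest.length);
            // Public-key operation; the cipher removes the PKCS#1 v1.5 padding.
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.DECRYPT_MODE, key);
            byte[] recovered = rsa.doFinal(sig);
            return MessageDigest.isEqual(expected, recovered);
        } catch (GeneralSecurityException e) {
            return false; // bad padding, wrong key type, wrong signature length
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and payload standing in for the real certificate and data.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] payload = "constructed-player|bundle|timestamp|salt".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(payload);
        byte[] sig = signer.sign();

        byte[] tampered = payload.clone();
        tampered[0] ^= 1; // flip one bit of the signed data
        System.out.println("original payload verifies: " + verify(kp.getPublic(), payload, sig));
        System.out.println("tampered payload verifies: " + verify(kp.getPublic(), tampered, sig));
    }
}
```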