Trusted entitlements: Remove decoding of url to verify signatures #1124

Merged: tonidero merged 1 commit into new-trusted-entitlements-signature-format from not-decode-encoded-url, Jul 7, 2023

@tonidero tonidero commented Jul 7, 2023

Contributor

Description

We made one more change to the signature verification. Now we don't need to decode the url in order to verify the signature.

@tonidero tonidero requested a review from a team July 7, 2023 07:53
@tonidero tonidero changed the title from "Remove decoding of url to verify signatures" to "Trusted entitlements: Remove decoding of url to verify signatures" Jul 7, 2023
@tonidero tonidero merged commit 9a6e413 into new-trusted-entitlements-signature-format Jul 7, 2023
@tonidero tonidero deleted the not-decode-encoded-url branch July 7, 2023 11:17

@NachoSoto NachoSoto left a comment

Contributor

👍🏻

tonidero added a commit that referenced this pull request Jul 7, 2023
### Description
Integration branch for the changes in trusted entitlements. Includes
changes from:
- #1111 
- #1114 
- #1118 
- #1119 
- #1124
Comment on lines +195 to +205
fun `verifyResponse with encoded url verifies correctly`() {
val rootVerifier = DefaultSignatureVerifier("yg2wZGAr8Af+Unt9RImQDbL7qA81txk+ga0I+ylmcyo=")
val signingManager = SigningManager(
SignatureVerificationMode.Informational(IntermediateSignatureHelper(rootVerifier)),
appConfig,
apiKey,
)
val verificationResult = callVerifyResponse(
signingManager,
requestPath = "/v1/subscribers/\$RCAnonymousID%3A1af512a3b9c848899fe427f39dd69f2b",
signature = "xoDYyUeHnIlSIAeOOzmvdNPOlbNSKK+xE0fE/ufS1fsAAMNQ1HiPDL34Vx0Uy74KPV5mztuk3DHBpucT/rSYVlkxIa3ModYmPfYZ20lnlbSB1UiP6oJHwAA2pXlS6AQ5eLSuAmm2UIYPrDGEEC8Lgj1sAn2fGMRMx2eaPNzDPBGTxxZROfjkI1wtsyJC0w0I7d8TkLeXjUTlWNafmc4GVMleE/tQZZGIoNrnar0HqICUnB8B",
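Review bot: A negative counterpart is missing for the encoded-path case in `verifyResponse with encoded url verifies correctly`: the visible lines only exercise the accepting path, with `requestPath` carrying `%3A` and a matching hard-coded `signature`. Consider a companion test that passes the decoded form of the same path (with `:` in place of `%3A`) together with this same signature and asserts that the result is not a successful verification, which pins down that the signature is checked against the path exactly as sent. A short comment next to the hard-coded `signature` and the `DefaultSignatureVerifier` key describing how the fixture was generated would also help whoever has to regenerate it.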

Member

Just double-checking, these were obtained with a signature that isn't set to expire, right? Otherwise, are we ensuring that these won't go stale when the intermediate key goes stale?

Contributor Author

I generated these with a date very far into the future (Year 2106) so they shouldn't expire. Since we aren't using real keys for these tests, it should be ok.
